> of creating a
> full-featured
> browser, from scratch, with usability as good as IE
> and Firefox
> strikes me as a fairly tricky project.
I agree.
> What about
> using the
> facilities already provided by the OS to enforce the
> sandbox?
But then will it be possible to prevent buffer
overflows, still running on unmanaged code?
Very nice points by Dinis, esp. the one about the
"advantages" of using our boxes with less privileges
(for internet browsing).
-pilon
--- Brian Eaton <eaton.lists_at_gmail.com> wrote:
> On 3/25/06, Dinis Cruz <dinis_at_ddplus.net> wrote:
> > 4) Finally, isn't the solution for the creation of
> secure and
> > trustworthy Internet Browsing environments the
> development of browsers
> > written in 100% managed and verifiable code, which
> execute on a secure
> > and very restricted Partially Trusted
> Environments? (under .Net, Mono or
> > Java). This way, the risk of buffer overflows will
> be very limited, and
> > when logic or authorization vulnerabilities are
> discovered in this
> > 'Partially Trusted IE' the 'Secure Partially
> Trusted environment' will
> > limit what the malicious code (i.e. the exploit)
> can do.
>
> I am less than enthusiastic about most of the
> desktop java
> applications I use. They are, for the most part,
> sluggish, memory
> gobbling beasts, prone to disintegration if I look
> at them cross-eyed
> or click the mouse too frequently.
>
> Usability problems with java applications are not
> necessarily due to
> managed code, of course, but the idea of creating a
> full-featured
> browser, from scratch, with usability as good as IE
> and Firefox
> strikes me as a fairly tricky project. What about
> using the
> facilities already provided by the OS to enforce the
> sandbox? Rather
> than scrapping the existing codebases, start running
> them with
> restricted rights. Use mandatory access control
> systems to make sure
> the browser doesn't overstep its bounds.
>
> Regards,
> Brian
>
>
-------------------------------------------------------------------------
> This List Sponsored by: SpiDynamics
>
> ALERT: "How A Hacker Launches A Web Application
> Attack!"
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks
> with real-world
> examples of recent hacking methods such as: SQL
> Injection, Cross Site
> Scripting and Parameter Manipulation
>
>
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
>
--------------------------------------------------------------------------
>
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 27 2006
Intro
