[Owasp-dotnet] Re: [OWASP-LEADERS] What are the 'Real World' security advantages of the .Net Framework and the JVM?
Rogan Dawes
lists at dawes.za.net
Wed Nov 2 04:54:59 EST 2005
Dinis Cruz wrote:
>
> What are the 'Real World' security advantages of the .Net Framework and
> the JVM?
>
> The reason I am asking this question is because the way the .Net
> Framework and the JVM are used in the real world, I don't see any major
> advantages between them and C++, ASP Classic, PHP, ...(put your favorite
> language/development platform here)..., etc...
>
> The bottom line, is that in the 'Real World', most .Net Applications
> execute with Full Trust and most Java based applications run with the
> Security Manager disabled. This means that the protections and security
> advantages provided by the Virtual Machine's Sandboxes (CLR and JVM) are
> close to useless since malicious code executed in those processes can
> easily bypass it.
>
There is, of course, one classic example where the Java sandboxing
actually DOES have an effect, and that is in the browser plugin.
> The reality is that 'Real World' .Net and Java applications are insecure
> by design, insecure by default and insecure in deployment, because their
> entire security model is based on the fact that no malicious code will
> be executed in its environment.
>
Fair comment.
I do believe that it would not be that difficult to create a logging
SecurityManager that simply logs the security-relevant calls that are
made, with the parameters that are passed, and can be used to build up a
profile of the application during testing.
The results of such a logging security manager could then be fed into an
analysis tool, which would build up a profile of what the app is allowed
to do. This could then be reviewed by a competent human, and refined if
necessary.
The app would then be run in production with the enforcing security
manager, using the calculated profile.
In a way, this is not very different to the learning mode of the current
web application firewalls, except it works on the backend, rather than
in front of the application. AND, you could potentially configure
different security managers for each application running on the server.
Could be an interesting project . . . .
Rogan
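The two-phase scheme Rogan sketches (a logging SecurityManager during testing, an enforcing one in production built from the reviewed profile), worked through as an added example. This is not code from the thread, from OWASP or from any JDK; the class names, the "class name actions" key format, the sample workload and the /tmp path are all my own choices. It compiles on JDK 8 through 17; on JDK 18 to 23 the JVM must be started with -Djava.security.manager=allow, and from JDK 24 (JEP 486) a SecurityManager can no longer be installed at all.

```java
import java.security.Permission;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Learning-mode SecurityManager: records every permission the JDK asks
 * it to check and allows all of them. The recorded set is the profile a
 * human reviews before it is handed to the enforcing manager below.
 * (Illustrative example; names are assumptions, not a standard API.)
 */
public class ProfilingSecurityManager extends SecurityManager {

    // One entry per distinct permission, e.g.
    // java.util.PropertyPermission "user.dir" "read"
    private final Set<String> observed = ConcurrentHashMap.newKeySet();

    static String key(Permission p) {
        return p.getClass().getName() + " \"" + p.getName() + "\" \"" + p.getActions() + "\"";
    }

    @Override
    public void checkPermission(Permission perm) {
        // Learning mode: log and permit. Deliberately does not call super,
        // which would consult the policy and deny most of these calls.
        observed.add(key(perm));
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        observed.add(key(perm));
    }

    /** Mutable, sorted copy so the reviewer can prune it before deployment. */
    public Set<String> profile() {
        return new TreeSet<>(observed);
    }

    /** Enforcing manager: anything not in the reviewed profile is refused. */
    public static final class EnforcingSecurityManager extends SecurityManager {
        private final Set<String> allowed;

        public EnforcingSecurityManager(Set<String> allowed) {
            this.allowed = Collections.unmodifiableSet(new TreeSet<>(allowed));
        }

        @Override
        public void checkPermission(Permission perm) {
            // Exact-string match; a real profile would use Permission.implies()
            // so that reviewed wildcards such as "/var/app/-" cover new files.
            if (!allowed.contains(key(perm))) {
                throw new SecurityException("not in profile: " + key(perm));
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    public static void main(String[] args) {
        // Phase 1: test run under the logging manager (stand-in workload).
        ProfilingSecurityManager learn = new ProfilingSecurityManager();
        System.setSecurityManager(learn);
        System.getProperty("user.dir");                     // PropertyPermission
        new java.io.File("/tmp/profile-demo.txt").exists(); // FilePermission read
        System.setSecurityManager(null);                    // RuntimePermission setSecurityManager

        // Phase 2: human review. The last entry above would let the app
        // remove its own sandbox, so a reviewer strikes it.
        Set<String> profile = learn.profile();
        profile.remove(key(new RuntimePermission("setSecurityManager")));
        System.out.println("Reviewed profile:");
        for (String p : profile) System.out.println("  " + p);

        // Phase 3: production run under the enforcing manager.
        System.setSecurityManager(new EnforcingSecurityManager(profile));
        System.getProperty("user.dir");                     // in profile: allowed
        try {
            Runtime.getRuntime().exec("id");                 // never observed: denied
            System.out.println("exec succeeded (unexpected)");
        } catch (SecurityException e) {
            System.out.println("Blocked: " + e.getMessage());
        } catch (java.io.IOException e) {
            System.out.println("exec failed for a non-security reason: " + e);
        }
    }
}
```

Two caveats a practitioner would want. First, the profile only covers code paths the test run actually exercised, so production denials are a coverage problem as much as a security one, which is why the WAF analogy Rogan draws (learning mode, then review, then enforce) fits. Second, the manager only sees the checks the JDK itself makes (file, socket, property, exec, reflection and the like); it says nothing about what the application does with data it is already permitted to touch.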