[Owasp-dotnet] Re: [OWASP-LEADERS] What are the 'Real World' security advantages of the .Net Framework and the JVM?
lists at dawes.za.net
Wed Nov 2 04:54:59 EST 2005
Dinis Cruz wrote:
> What are the 'Real World' security advantages of the .Net Framework and
> the JVM?
> The reason I am asking this question is because the way the .Net
> Framework and the JVM are used in the real world, I don't see any major
> advantages between them and C++, ASP Classic, PHP, ...(put your favorite
> language/development platform here)..., etc...
> The bottom line, is that in the 'Real Word', most .Net Applications
> execute with Full Trust and most Java based applications run with the
> Security Manager disabled. This means that the protections and security
> advantages provided by the Virtual Machine's Sandboxes (CLR and JVM) are
> close to useless since malicious code executed in those process can
> easily bypassed it.
There is of course, one classic example, where the Java sandboxing
actually DOES have an effect, and that is in the browser plugin.
> The reality is that 'Real World' .Net and Java applications are insecure
> by design, insecure by default and insecure in deployment, because their
> entire security model is based on the fact that no malicious code will
> be executed in its environment.
I do believe that it would not be that difficult to create a logging
SecurityManager that simply logs the security-relevant calls that are
made, with the parameters that are passed, and can be used to build up a
profile of the application during testing.
The results of such a logging security manager could then be fed into an
analysis tool, which would build up a profile of what the app is allowed
to do. This could then be reviewed by a competent human, and refined if
The app would then be run in production with the enforcing security
manager, using the calculated profile.
In a way, this is not very different to the learning mode of the current
web application firewalls, except it works on the backend, rather than
in front of the application. AND, you could potentially configure
different security managers for each application running on the server.
Could be an interesting project . . . .
More information about the Owasp-dotnet