[owasp-intrinsic-security] Microsoft Web Sandbox

Robert Hansen robert at sectheory.com
Thu Jan 29 12:58:34 EST 2009


	When you're talking about logic and not functions within a programming language, it doesn't matter that much what platform you start with given that his goal is to identify problems with his thinking.  No one within MS has sanctioned putting his code within the browser since it's totally untested.  He chose to start with that platform so that he could allow other people to test his ideas out without having to construct a new browser.  His thinking was that it could also be an opt-in solution in the short term for people who want to try his ideas out on their own.  He's looking for feedback.  Don't ask me why he chose Silverlight instead of an .exe.

Robert Hansen, CISSP
CEO -- SecTheory LLC
Cell: (530) 521-2542
FAX: (512) 628-6299


-----Original Message-----
From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com] 
Sent: Thursday, January 29, 2009 11:09 AM
To: Robert Hansen; me at alexsmolen.com; owasp-intrinsic-security at lists.owasp.org
Subject: RE: [owasp-intrinsic-security] Microsoft Web Sandbox

You're going to have to pony up an answer here. You're suggesting that
they're testing out the practicality of doing something in a
platform that has X more features and Y more capabilities than the goal
platform. It's like saying, "I'm testing the effectiveness of killing a
deer with a sniper rifle", when in the real-life scenario all you're
going to have is your bare hands. No __defineSetter__ in WPF, am I
missing something?

Arshan

-----Original Message-----
From: Robert Hansen [mailto:robert at sectheory.com] 
Sent: Thursday, January 29, 2009 11:52 AM
To: Arshan Dabirsiaghi; me at alexsmolen.com;
owasp-intrinsic-security at lists.owasp.org
Subject: RE: [owasp-intrinsic-security] Microsoft Web Sandbox


	Again, think logic, don't think Silverlight.  This isn't about
Silverlight, they're just using that as a test platform.

Robert Hansen, CISSP
CEO -- SecTheory LLC
Cell: (530) 521-2542
FAX: (512) 628-6299

-----Original Message-----
From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com] 
Sent: Thursday, January 29, 2009 7:27 AM
To: Robert Hansen; me at alexsmolen.com;
owasp-intrinsic-security at lists.owasp.org
Subject: RE: [owasp-intrinsic-security] Microsoft Web Sandbox

I doubt a Silverlight solution can reliably be translated to JavaScript.
There's a huge difference between the capabilities of a Silverlight
client plugin and traditional ECMA, and we should be fighting against
proprietary solutions. And FTR, mashup security is the biggest picture,
at least IMO, but AFAIK IANAL BBQ.
 
Arshan
 
________________________________

From: Robert Hansen [mailto:robert at sectheory.com]
Sent: Wed 1/28/2009 11:57 PM
To: Arshan Dabirsiaghi; me at alexsmolen.com;
owasp-intrinsic-security at lists.owasp.org
Subject: RE: [owasp-intrinsic-security] Microsoft Web Sandbox


Not to speak on behalf of MS on this one but the whole point of this
project is to test the practicality of transporting the logic into a
future version of the browser.  I talked with the head developer for
this project (also one of the head devs for the original versions of all
the major scripting versions within IE - that's no coincidence).  He's a
smart dude.  This isn't at all about Silverlight or mashups, there's a
much bigger picture here - think content restrictions.

**sent from cell phone**

Robert Hansen, CISSP
CEO -- SecTheory LLC
Cell: (530) 521-2542
FAX: (512) 628-6299

-----Original Message-----
From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
Sent: Wednesday, January 28, 2009 8:13 PM
To: me at alexsmolen.com <me at alexsmolen.com>;
owasp-intrinsic-security at lists.owasp.org
<owasp-intrinsic-security at lists.owasp.org>
Subject: Re: [owasp-intrinsic-security] Microsoft Web Sandbox

I think this is a cool but wrong approach. I think we need to build a
sandbox policy for JavaScript and anything else is a hack, frankly.
Something standardized by ECMA.
 
Does anyone think a Silverlight plugin is going to solve mashup
security? Not to pooh pooh this, I'm sure this research is generating a
lot of awesome information, but we need a comprehensive solution.
 
Arshan

________________________________

From: owasp-intrinsic-security-bounces at lists.owasp.org on behalf of Alex
Smolen
Sent: Wed 1/28/2009 7:57 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] Microsoft Web Sandbox


Did you all see this?

http://livelabs.com/web-sandbox/

It's an attempt to add a security layer onto the web platform and
support mashups. It looks like it's driven through Silverlight.

Alex
