Dinis Cruz wrote:
> If you do accept that it is possible to build such sandboxes, then we
> need to move to the next interesting discussion, which is the 'HOW'
> 
> Namely, HOW can an environment be created where the development and
> deployment of such Sandboxes makes business sense.

It's the "business sense" part of this that's really difficult.  It wouldn't
be *that* hard to put sandbox enforcement into all libraries.  If you want
to protect against XSS, put a validation and encoding sandbox into
HttpServletRequest.  If you want to stop SQL injection, get rid of
non-PreparedStatement and build in some control for direct references.  As
long as there are no unmanaged calls (and assuming type-safety, etc...) then
all calls can be mediated by a sandbox.

But the complexity of configuring the sandbox is the hard part.  You're
trying to move the security enforcement out of the code and into something
else. So you need a language that allows the developer to specify all those
rules.  And if the sandbox is powerful enough to only allow exactly what the
developer specifically wants to allow (positive security model), the
language will have to be just as complex as the code it's sandboxing. 

The Java sandbox is already too complex for most developers to use. I've
tangled with it several times and come away only partially accomplishing
what I wanted.  (And uncovering a massive flaw in one vendor's custom
sandbox implementation). 

This complexity is a general sandbox problem, not specific to Java or .NET
or anything else.  The most hopeless I've worked with is the Compartmented
Mode Workstation (CMW) label encodings and permissions scheme.  The web
application firewall products also have this problem.  Even .htaccess files
are generally a mess.  It's just a TON of work to move security rules out of
the code and into something else.  And developers don't want to learn some
new language to do it.

So while it might be possible to create sandboxes that are far more
powerful, the complexity goes through the roof.  And we can't even get
developers to use the relatively simple policy file for the Java sandbox.
If anything, I think we should focus on the big easy wins, like Microsoft
did by adding (some) XSS protection for .NET apps.  But the configuration
has to be really easy -- like ON/OFF.

--Jeff
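The mediated request wrapper Jeff sketches, as an added illustration that is not code from this thread: every parameter read goes through a positive-security policy, and a value headed for an HTML body can only be obtained already encoded. The `ParamPolicy` and `MediatedRequest` names are hypothetical stand-ins, not the servlet API, and the per-parameter `allow()` declarations are the configuration burden the message is pointing at.

```python
import html
import re


class SandboxViolation(ValueError):
    """Raised when a parameter read is not permitted by the policy."""


class ParamPolicy:
    """Positive security model: a parameter is readable only if declared
    here with the exact shape (regex, max length) it is allowed to have."""
    def __init__(self):
        self.rules = {}  # name -> (compiled regex, max length)

    def allow(self, name, pattern, max_len=256):
        self.rules[name] = (re.compile(pattern), max_len)
        return self


class MediatedRequest:
    """Hypothetical stand-in for a validating HttpServletRequest wrapper:
    every parameter read is mediated by the policy, and a value headed for
    an HTML body can only be obtained already encoded."""
    def __init__(self, raw_params, policy):
        self._raw, self._policy = dict(raw_params), policy

    def get_parameter(self, name):
        rule = self._policy.rules.get(name)
        if rule is None:  # default deny: undeclared parameters are unreadable
            raise SandboxViolation(f"parameter {name!r} is not declared")
        pattern, max_len = rule
        value = self._raw.get(name)
        if value is not None and (len(value) > max_len or not pattern.fullmatch(value)):
            raise SandboxViolation(f"parameter {name!r} rejected by policy")
        return value

    def get_parameter_for_html(self, name):
        value = self.get_parameter(name)
        return None if value is None else html.escape(value, quote=True)


def mediated_reads(raw_params, policy, names):
    """Read each name through the sandbox; 'BLOCKED' marks a policy violation."""
    req = MediatedRequest(raw_params, policy)
    out = {}
    for name in names:
        try:
            out[name] = req.get_parameter_for_html(name)
        except SandboxViolation:
            out[name] = "BLOCKED"
    return out
```

Note that nothing here is ON/OFF: each field the application reads needs its own declared rule, which is exactly the kind of policy developers tend not to write.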



_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php