Hey Dianne, So If I understand you correctly the VM isn't the most secure barrier and it could be vulnerable?
The Kernel is another interesting subject to talk about because I think it's a very interesting architecture. Thanks & God Bless Eric On Aug 27, 12:50 pm, Dianne Hackborn <[email protected]> wrote: > Actually we don't consider the VM to be a security barrier, and the browser > is a good reason why this is the case -- the vast majority of the browser > (and the parts that tend to have security bugs) are in WebKit, which is a > native C++ library. Our platform's primary security barrier is through > process/uid separation, enforced by the kernel, so native code in an app is > no less secure than Java code. > > > > > > On Fri, Aug 27, 2010 at 8:32 AM, Tauren <[email protected]> wrote: > > So let me see if I understand this fully in regards to the android > > platform: > > > Browser Level Sandboxing - this is part of the implementation of any > > application and will attempt to use code correctly while not > > implementing bugs, pwning this gives you access to the browsers > > permissions. > > Application level Sandboxing - this is an implementation within the > > virtual machine running everything and is an attempt to stop escapes > > from the applications sandbox, contains permissions, finding a bug > > gives you access to the virtual machine and extended permissions? > > Virtual Machine Level - Escaping this gives you access to the kernel > > Kernel level - Pwn? > > > That sound correct? > > > On Aug 27, 8:43 am, Eric Dorman <[email protected]> wrote: > > > The SDK looks good and the documentation you guys have put out about > > > this really helps myself who just wants to really just tell you guys > > > of the possible bugs or holes I see in the software itself. > > > > Anyways Thanks again Dianne!!! :D > > > > God Bless & Thanks, > > > Eric > > > > On Aug 27, 3:45 am, Dianne Hackborn <[email protected]> wrote: > > > > > Btw hopefully there's nothing too proprietary I need to worry about... > > > > pretty much everything discussed on these groups is all in the open > > source > > > > code, there is just a lot we haven't had time to really document about > > the > > > > implementation. (Most of our effort is on the SDK level docs.) > > > > > On Fri, Aug 27, 2010 at 12:44 AM, Dianne Hackborn <[email protected] > > >wrote: > > > > > > Thanks, I'm glad I can help. > > > > > > On Thu, Aug 26, 2010 at 9:47 PM, Duane Blanchard < > > [email protected]>wrote: > > > > > >> Yes, thank you very much, Dianne, for this explanation. You've made > > > > >> several great posts, and I just wanted to reinforce that we do all > > > > >> appreciate your sharing a little insider knowledge with us. I don't > > > > >> think you're sharing anything that is truly proprietary, but it all > > > > >> seems hard to come by without your help. So, thanks. > > > > > >> D > > > > > >> -- > > > > >> You received this message because you are subscribed to the Google > > Groups > > > > >> "Android Security Discussions" group. > > > > >> To post to this group, send email to > > > > >> [email protected]. > > > > >> To unsubscribe from this group, send email to > > > > >> [email protected]<android-security-disc > > > > >> uss%[email protected]><android-security-disc > > uss%[email protected] <uss%[email protected]>> > > > > >> . > > > > >> For more options, visit this group at > > > > >>http://groups.google.com/group/android-security-discuss?hl=en. > > > > > > -- > > > > > Dianne Hackborn > > > > > Android framework engineer > > > > > [email protected] > > > > > > Note: please don't send private questions to me, as I don't have time > > to > > > > > provide private support, and so won't reply to such e-mails. All > > such > > > > > questions should be posted on public forums, where I and others can > > see and > > > > > answer them. > > > > > -- > > > > Dianne Hackborn > > > > Android framework engineer > > > > [email protected] > > > > > Note: please don't send private questions to me, as I don't have time > > to > > > > provide private support, and so won't reply to such e-mails. All such > > > > questions should be posted on public forums, where I and others can see > > and > > > > answer them. > > > -- > > You received this message because you are subscribed to the Google Groups > > "Android Security Discussions" group. > > To post to this group, send email to > > [email protected]. > > To unsubscribe from this group, send email to > > [email protected]<android-security-disc > > uss%[email protected]> > > . > > For more options, visit this group at > >http://groups.google.com/group/android-security-discuss?hl=en. > > -- > Dianne Hackborn > Android framework engineer > [email protected] > > Note: please don't send private questions to me, as I don't have time to > provide private support, and so won't reply to such e-mails. All such > questions should be posted on public forums, where I and others can see and > answer them. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
