On Mon, Nov 9, 2015 at 7:37 PM, Andrew Ruef <mu...@mimisbrunnr.net> wrote:
> I liked your writeup!
>
> this seems to be a case of one party telling another party “hey take this
> program from me and run it in the same security domain that you do,
> thanks.” it’s “the same security domain” that’s the problem (along with the
> lack of realization that this is what ObjectInputStream does). it’s also a
> problem when the mechanism for enforcing the security domain, like the JVM
> or a javascript interpreter, is busted. if the security boundary is good
> though, then this isn’t a problem. when is the security boundary good
> though? maybe seL4 is good enough, maybe quark.
>

I poked more at this whole "security domain" thing:

* https://tersesystems.com/2015/12/22/an-easy-way-to-secure-java-applications/
* https://tersesystems.com/2015/12/29/sandbox-experiment/

Although as far as I can tell, you should be running the JVM inside of Docker, inside of a VM, inside of AppArmor and seccomp (whatever that is), with a patched grsecurity kernel. And CoreOS is involved somehow.

The temptation to call it the Turducken Security Model is strong.

Will.
_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss