On Wed, 14 Dec 2005 05:41:30 -0800, Bob Smith <[EMAIL PROTECTED]> wrote:

>VMware recently released a program which kind of
>chroot jails the browser.
>http://www.vmware.com/vmtn/vm/browserapp.html
>
>I'm not a programmer myself, but I was wondering
>if perhaps using a similar technique we could lock
>down the browsers in OpenBSD?
>
>Seems to me that would increase security greatly
>for us who surf the web on OpenBSD boxes? Or
>am I mistaken?

You need to understand the tech being used a bit better. There's a big
difference between a chroot/jail and a virtual machine. They both try to
isolate an application from interacting with the rest of the system but
the way the two go about it is vastly different.

Obviously, isolation is a good thing but you need to understand that
writing a complete virtual machine in C that works on all supported
OpenBSD architectures is a *MASSIVE* amount of work.

Even VMware supports only one architecture for their "player" (x86-32)
and only two possible host operating systems on that architecture (Linux
and MS-Windows).

You may also want to realize that no attempted isolation is perfect.
There are ways for attackers to break out of jails/chroots and similar
is true for virtual machines. By using such methods you've only added a
_layer_ of security which only stops _some_ (possibly many) attackers.
It's not completely bulletproof (nothing is) but it does help.

Kind Regards,
JCR
