If you are able to make direct calls to unmanaged code, then yes, you can jump out of the sandbox (assuming that you are in one in the first place).

The environment that I am talking about is one where you have managed and verifiable code which is not allowed to perform dangerous actions (such as making direct calls to unmanaged code).

Of course, you would still be affected if there was a hole in Microsoft's .Net Sandboxes or in the used Microsoft COM components (for example the .Net Framework was vulnerable to the WMF exploit).

Coming back to your question, Verifiable .Net code is not allowed to perform (amongst other things) direct pointer or stack manipulation, all type conversions must be valid, and you cannot control the execution flow the way you can in C++.

So basically, Verifiable .Net code is not able to jump out of the sandbox.

Dinis Cruz
Owasp .Net Project
www.owasp.net

Michael S Hines wrote:
> Isn't it possible to break out of the sandbox even with managed code? (That
> is, can't
> managed code call out to unmanaged code, i.e. Java call to C++)? I was
> thinking this was
> documented for Java - perhaps for various flavors of .Net too?
>
> -----------------------------------
> Michael S Hines
> [EMAIL PROTECTED]
>

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
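An added illustration of the restriction discussed in the reply above, not part of the original thread: managed code loaded into a partial-trust AppDomain that is granted only the Execution permission is refused when it tries to call unmanaged code through P/Invoke. It assumes the .NET Framework (2.0 or later, where this `AppDomain.CreateDomain` overload exists); the names `Probe`, `TryNativeCall` and `SandboxDemo` are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;

// Hypothetical type that will run inside the sandboxed AppDomain.
public class Probe : MarshalByRefObject
{
    // Direct call into unmanaged code (kernel32). Declaring it is allowed;
    // invoking it demands SecurityPermissionFlag.UnmanagedCode.
    [DllImport("kernel32.dll")]
    private static extern uint GetCurrentProcessId();

    public string TryNativeCall()
    {
        try
        {
            return "native call succeeded, pid " + GetCurrentProcessId();
        }
        catch (SecurityException e)
        {
            // The CLR stack walk found a partial-trust caller and refused.
            return "blocked by sandbox: " + e.Message;
        }
    }
}

public static class SandboxDemo
{
    public static void Main()
    {
        // Grant set: permission to execute managed code and nothing else.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // No full-trust assembly list is passed, so this assembly is
        // partially trusted when it is loaded into the new domain.
        AppDomain sandbox = AppDomain.CreateDomain("sandbox", null, setup, grant);

        Probe probe = (Probe)sandbox.CreateInstanceAndUnwrap(
            typeof(Probe).Assembly.FullName, typeof(Probe).FullName);

        Console.WriteLine(probe.TryNativeCall());                 // refused in the sandbox
        Console.WriteLine(new Probe().TryNativeCall());           // full-trust host domain: allowed
    }
}
```

Run as a full-trust console application, the first line reports the refusal and the second shows the same call succeeding outside the sandbox.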