At 7:19 AM -0800 12/17/96, Blake Coverett wrote:
> I would be happier running an ActiveX control with Peter Trei's signature on it than I would an unsigned control in a sandbox. (This kind of a trust decision is probably the normal case in the intranet world. ActiveX as it sits is quite sufficient for rolling out internal intranet applications.)
While I might agree about Peter, I wouldn't agree if the signature was Microsoft's (or any other large software vendor's). There is just too much room for bugs and/or Trojan horses to enter via that route.
> On the second point, I never suggested that a sandbox would require virtual CPU emulation. What I do find likely is that the overhead from the extended types of checking the kernel would need to do would probably outweigh the performance advantage of native code over a JIT compiler.
Not necessarily true. See Goldberg, Wagner, Thomas, and Brewer, "A Secure Environment for Untrusted Helper Applications, Confining the Wily Hacker" from the 6th USENIX Security Symposium proceedings. (The paper won the "best paper" award too.)
> This is scaremongering. No, I don't virus scan every new CD I get from Microsoft/Netscape/etc, do you?
No, but I would prefer to know what their applications are accessing and why. That's why current systems are not good from a security perspective. It would be a great advance in security if *everything* ran in a sandbox. A sandbox specially built for it where it had access to the things it customarily needed and all other access was mediated by the user. This kind of environment has its costs, not so much in performance as in changing the way people work with computers, but it would be a lot more secure.

-------------------------------------------------------------------------
Bill Frantz       | I still read when I should | Periwinkle -- Consulting
(408)356-8506     | be doing something else.   | 16345 Englewood Ave.
frantz@netcom.com | It's a vice. - R. Heinlein | Los Gatos, CA 95032, USA
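The kind of mediation the two messages above argue about (a helper application confined to the files it customarily needs, everything else denied) can be shown as a small policy engine. The following is an added example written for this page; it is not code from the thread, from ActiveX, or from the Goldberg/Wagner/Thomas/Brewer paper, and its "verdict op pattern" policy syntax, the sample policy, and the sample requests are all constructed for illustration. It also shows the one bug such a monitor must avoid: matching the path the program asked for rather than the path the kernel would actually open.

```python
"""Default-deny, path-based access mediation for an untrusted helper application.

Added example for this thread; not code from the cited paper.  The policy
syntax below ('allow|deny  read|write|exec  glob') is a hypothetical
simplification, not the paper's own.

Rules are checked in order, first match wins, and a request that no rule
matches is denied.  The requested path is canonicalised before matching so
'.' and '..' cannot carry a forbidden target past a prefix-style allow rule.
"""
import fnmatch
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    verdict: str   # "allow" or "deny"
    op: str        # "read", "write" or "exec"
    pattern: str   # glob matched against the canonical absolute path


def parse_policy(text: str) -> list[Rule]:
    """Parse 'verdict op pattern' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 3 or parts[0] not in ("allow", "deny")
                or parts[1] not in ("read", "write", "exec")):
            raise ValueError(f"bad policy line {lineno}: {raw!r}")
        rules.append(Rule(*parts))
    return rules


def canonical(path: str, cwd: str = "/") -> str:
    """Absolute, lexically normalised path ('.' and '..' collapsed).

    Purely lexical on purpose so the example runs anywhere.  A real monitor
    must also resolve symlinks at check time (or let the kernel do it),
    otherwise a link planted inside an allowed directory defeats the rule.
    """
    if not posixpath.isabs(path):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def decide(rules, op, path, cwd="/", canonicalise=True):
    """Return (allowed, matched_path).

    canonicalise=False reproduces the naive string-matching bug so the two
    behaviours can be compared side by side.
    """
    target = canonical(path, cwd) if canonicalise else path
    for r in rules:
        if r.op == op and fnmatch.fnmatchcase(target, r.pattern):
            return r.verdict == "allow", target
    return False, target          # default deny: nothing matched


# Constructed sample policy for a hypothetical image-viewer helper: it may
# read its libraries and fonts, and read/write only its download directory.
HELPER_POLICY = """
allow read  /usr/lib/*
allow read  /usr/share/fonts/*
allow read  /tmp/download/*
allow write /tmp/download/*
deny  write *
"""

# Constructed requests a helper (or a trojaned one) might make.
REQUESTS = [
    ("read",  "/usr/lib/libjpeg.so"),
    ("write", "/tmp/download/out.png"),
    ("read",  "/tmp/download/../../etc/passwd"),   # traversal attempt
    ("write", "/home/user/.profile"),              # explicit deny
    ("exec",  "/tmp/download/payload"),            # no rule -> default deny
]


def mediate(requests=REQUESTS, policy=HELPER_POLICY, canonicalise=True):
    """Apply the policy to each (op, path); yields (op, path, allowed, target)."""
    rules = parse_policy(policy)
    return [(op, path) + decide(rules, op, path, canonicalise=canonicalise)
            for op, path in requests]


if __name__ == "__main__":
    for op, path, ok, target in mediate():
        print(f"{'ALLOW' if ok else 'DENY ':5} {op:5} {path} -> {target}")
```

With canonicalisation on, the traversal request is denied because it is judged as `/etc/passwd`; with `canonicalise=False` the same request sails through the `/tmp/download/*` rule, which is exactly the gap a userland monitor opens if it trusts the string the program passed rather than the object the kernel will resolve.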