[WEB SECURITY] On sandboxes, and why you should care

Ivan Ristic ivan.ristic at gmail.com
Fri Mar 31 11:01:19 EST 2006


On 3/31/06, Stephen de Vries <stephen at corsaire.com> wrote:
>
> Hi Dinis,
>
> I think you're overestimating the effectiveness of a sandbox in
> preventing common web app vulnerabilities, and you're instead
> focussing on the tiny fraction of specific attacks that can be
> stopped with sandboxes.  The fundamental point of departure between
> our points of view is that I would argue that, the crown jewels are
> already inside the sandbox!  So spending time and effort to
> strengthen the walls isn't going to do any real good in preventing an
> attacker from getting hold of them.

Hi Stephen,

I have to disagree. What you are saying may be true for one
application, but if you consider that large organisations typically
have many applications installed, each with its own set of crown
jewels, putting a sandbox around one of them makes much more sense.
Otherwise the attacker is just going to jump from one to another, then
to another, and so on, until all the jewels are gone.

I'd like to see all applications run in virtual environments by
default, sandboxed, with no access to outside resources, except when
access is explicitly granted.

On a similar point, the fact that most web applications require
unlimited access to the database is a fundamental weakness of our
current development model. We would be much better off if our
applications were compartmentalised with each compartment sandboxed
and given just enough privileges it needs to function. Of course, I
understand why this scenario is rarely, if ever, seen in real life -
it's damn hard and expensive to develop application this way.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list