1996-12-17 - RE: Securing ActiveX.

Header Data

From: Bill Frantz <frantz@netcom.com>
To: Blake Coverett <cypherpunks@toad.com>
Message Hash: 4ae10a93c18d41ee433047da8f87cf78479fa201ff384ec9cb8eeb7ea6c58e7f
Message ID: <v0300780eaedc992551bb@[]>
Reply To: <01BBEC03.C251AC10@bcdev.com>
UTC Datetime: 1996-12-17 18:45:18 UTC
Raw Date: Tue, 17 Dec 1996 10:45:18 -0800 (PST)

Raw message

From: Bill Frantz <frantz@netcom.com>
Date: Tue, 17 Dec 1996 10:45:18 -0800 (PST)
To: Blake Coverett <cypherpunks@toad.com>
Subject: RE: Securing ActiveX.
In-Reply-To: <01BBEC03.C251AC10@bcdev.com>
Message-ID: <v0300780eaedc992551bb@[]>
MIME-Version: 1.0
Content-Type: text/plain

At 7:19 AM -0800 12/17/96, Blake Coverett wrote:
>I would be happier running an ActiveX control with Peter Trei's signature
>on it
>than I would an unsigned control in a sandbox.  (This kind of a trust decision
>is probably the normal case in the intranet world.  ActiveX as it sits is
>sufficient for rolling out internal intranet applications.)

While I might agree about Peter, I wouldn't agree if the signature was
Microsoft's (or any other large software vendor).  There is just too much
room for bugs and or Trojan horses to enter via that route.

>On the second point, I never suggested that a sandbox would require
>virtual CPU
>emulation.  What I do find likely is that the overhead from the extended types
>of checking the kernel would need to do would probably outweight the
>performance advantage of native code over a JIT compiler.

Not necessarily true.  See Goldberg, Wagner, Thomas, and Brewer, "A Secure
Environment for Untrusted Helper Applications, Confining the Wily Hacker"
from the 6th USENIX Security Symposium proceedings.  (The paper won the
"best paper" award too.)

>This is scaremongering.  No, I don't virus scan every new CD I get from
>Microsoft/Netscape/etc, do you?

No, but I would prefer to know what their applications are accessing and
why.  That's why current systems are not good from a security prospective.

I would be a great advance in security if *everything* ran in a sandbox.  A
sandbox specially built for it where it had access to the things it
customarily needed and all other access was mediated by the user.  This
kind of environment has its costs, not so much in performance as in
changing the way people work with computers, but it would be a lot more

Bill Frantz       | I still read when I should | Periwinkle -- Consulting
(408)356-8506     | be doing something else.   | 16345 Englewood Ave.
frantz@netcom.com | It's a vice. - R. Heinlein | Los Gatos, CA 95032, USA