Run-time configurable sandboxes

Michael Maass mmaass at andrew.cmu.edu
Wed May 27 12:32:45 UTC 2015


Good point! The Web Application Servers use case also seems to have been 
the impetus behind
JSR 121: Application Isolation API Specification 
(https://jcp.org/en/jsr/detail?id=121). Mark, note the dates on this 
spec. Specification started in 2001 and ended in 2006.

Security Explorations released a report last year on GAE with some 
decent discussion of the architecture: 
http://www.security-explorations.com/materials/se-2014-02-report.pdf. 
Most of the serious vulnerabilities are in class loaders.

Bernd, I'll send you a copy of the paper shortly.

Michael

On 05/26/2015 04:40 PM, Bernd Eckenfels wrote:
> Hello,
>
> partial quote as I want to add to a point:
>
> Am Tue, 26 May 2015 16:19:59 -0400
> schrieb Michael Maass <mmaass at andrew.cmu.edu>:
>
>> 3. Common security reasons to use the sandbox: (a) using a third
>> party library that isn't fully trusted (convenience often trumps
>> security) and (b) frameworks loading third party plugins.
>  From looking at CVEs it looks like the only other common reason not
> mentioned here is multi tenancy for Web Application Servers (i.e.
> seperate WAR deployments).
>
> And I am quite sure by now (i.e. contains and other PaaS technolgies)
> nobody considers that anymore. So the biggest user might as well be
> Google App Engine (not sure how far their special platform relies on
> the security manager).
>
> Gruss
> Bernd
>
> PS: Michael I would be interested in your paper for my personal
> education.



More information about the security-dev mailing list