Network Security: Detailed info on Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE

Subject:	Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code
Date:	Wed, 29 Mar 2006 11:00:15 -0500

Subject:

Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code

Date:

Wed, 29 Mar 2006 11:00:15 -0500

On 3/28/06, Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> wrote:

On Mon, 27 Mar 2006, Brian Eaton wrote:

You lost me here.  How would you design a MAC policy that lets firefox
remember my password for a web site, but doesn't let arbitrary code
running via a buffer overflow get at that same password?


Let's call the object where the password is stored P, the subject
representing the site where P is used X, and the subject representing an
arbitrary evil site Y.

The (partial) mandatory policy is as follows:
1. X has "need to know" for P and is allowed to read it.
2. Y (or any other site) is not allowed to read P.

As soon as the browser process reads P, its (potential) ability to send
any data to Y is lost forever because information flow from P to Y is
prohibited by the mandatory policy. This is a dynamic variant of the
*-property of the Bell-LaPadula security model.


Ah, OK, I see what you're talking about now.  I hadn't considered the
possibility of applying ACLs to network connections.  The policy
design would be fairly tricky.

For one thing, you have proxy servers.  When using a proxy, nearly all
of the connections are going to the same host.

Also, you have to deal with the many-to-many mapping of web sites to
IP addresses on the web.  The ACL policy needs to say that the site
"www.example.com" has access to the password, but it is entirely
possible that "www.example.com" shares an IP address with several
other sites.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, (continued) [Full-disclosure] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Jeff Williams [Full-disclosure] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Dinis Cruz Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Brian Eaton Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Pilon Mntry Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Christopher Bergström Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Brian Eaton Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Pavel Kankovsky Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Brian Eaton Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Pavel Kankovsky Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Brian Eaton Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code, Brian Eaton <= Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefoxvs IE security, User vs Admin risk profile, and browsers coded in 100%Managed Verifiable code, Pavel Kankovsky Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Valdis . Kletnieks Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Pavel Kankovsky Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Brian Eaton Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Pavel Kankovsky Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, michaelslists Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Andrew van der Stock Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, michaelslists Java integer overflows (was: a really long topic), Andrew van der Stock [Full-disclosure] Re: Java integer overflows (was: a really long topic), michaelslists

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: [Full-disclosure] Noise, n3td3v
Next by Date:	Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code, Brian Eaton
Previous by Thread:	Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Brian Eaton
Next by Thread:	Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefoxvs IE security, User vs Admin risk profile, and browsers coded in 100%Managed Verifiable code, Pavel Kankovsky
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: [Full-disclosure] Noise, n3td3v

Next by Date:

Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code, Brian Eaton

Previous by Thread:

Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, Brian Eaton

Next by Thread:

Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefoxvs IE security, User vs Admin risk profile, and browsers coded in 100%Managed Verifiable code, Pavel Kankovsky

Indexes:

[Date] [Thread] [Top] [All Lists]