Re: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-24 Thread leichter_jerrold
| Stephen de Vries wrote: | > Hi Dinis, | > | > I think you're overestimating the effectiveness of a sandbox in preventing | > common web app vulnerabilities, and you're instead focussing on the tiny | > fraction of specific attacks that can be stopped with sandboxes. | Well Stephen, I would argue

Re: [SC-L] Ajax one panel

2006-05-24 Thread Crispin Cowan
Gary McGraw wrote: > Btw, bill also said they tried twice to build an OS on java and failed both > times. We both agree that a type safe OS will happen one day. > Did he ever articulate what happened to these OS's? I recall a presentation at OSDI 1996 by a Sun executive talking about JavaOS an

Re: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-24 Thread Andrew van der Stock
Dinis, Sandboxing prevents a machine from having bad system() and buffer overflows causing system compromise. Sure that's bad enough. However, sandboxing does not prevent: * all types of cross-site scripting * SQL injection * Command injection via SQL injection (xp_cmdshell and similar Orac