According to this eWeek article, Google has just bought Internet security startup GreenBorder Technologies Inc.
Here’s an excerpt from the article:
GreenBorder, a venture-backed startup founded in 2001 and based in Mountain View, California, where Google is also headquartered, offers security software that sets up temporary, virtual sessions each time a computer user surfs the Web, then discards the resulting data once the user is finished surfing.
The article then goes on to describe the technology:
The technology creates a secure zone, called a sandbox, for online interaction. "Any type of activity and interaction, while you are on the Internet, will be directed to the protected environment," according to GreenBorder's site.
Out of the many ways to protect end users from malware, viruses and other types of malicious content, I am a strong supporter of this specific positive approach, and am very surprised (and saddened) to see that desktop anti-virus vendors have mostly decided to disregard this approach, and stick mainly to negative (signature-based) solutions.
About 10 years ago, I received a demo version of a product called Eliashim eSafe Protect.
eSafe Protect (which now belongs to Aladdin) defined a clear sandbox to which web content was confined. Users could define what web content (e.g. ActiveX, Java applets, etc.) was allowed (and not allowed) to do; for example, ActiveX objects could not access C:\Windows or the Windows Registry.
Sadly, the product was discontinued (it is currently only available as a Gateway product).
Since the web is so full of malicious content, I am surprised to see that other anti-virus vendors (as well as browser vendors) did not decide to go down that same path: using sandboxes instead of signatures.
Taking this a step further into the webappsec field, I believe that issues such as XSRF, XSS and other client-targeting attacks should be handled in two different ways:
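The contrast drawn above between a positive (sandbox) model and a negative (signature) model, as an added example that is not from the original post or from any product it mentions. The policy table, the `C:\Sandbox\Temp` directory, the function names and the signature strings are all hypothetical.

```python
import ntpath

# Hypothetical per-content-type allowlist (constructed for illustration; not
# the policy format of any real product). Anything not listed is denied.
POLICY = {
    "activex":     {"fs": [r"C:\Sandbox\Temp"], "registry": []},
    "java_applet": {"fs": [r"C:\Sandbox\Temp"], "registry": []},
}

# Negative model for contrast: a constructed list of known-bad signatures.
KNOWN_BAD_SIGNATURES = {"constructed-sig-0001", "constructed-sig-0002"}


def _canon(path):
    """Collapse '..', mixed slashes and letter case before comparing."""
    return ntpath.normcase(ntpath.normpath(path))


def _within(target, root):
    """True if target is root itself or lies below it."""
    return target == root or target.startswith(root.rstrip("\\") + "\\")


def sandbox_allows(content_type, kind, target):
    """Positive model: permit only what the policy names, deny the rest."""
    rules = POLICY.get(content_type)
    if rules is None or kind not in rules:
        return False  # unknown content type or resource kind: default deny
    target = _canon(target)
    return any(_within(target, _canon(root)) for root in rules[kind])


def signature_allows(signature):
    """Negative model: permit everything that is not already known bad."""
    return signature not in KNOWN_BAD_SIGNATURES


if __name__ == "__main__":
    requests = [  # constructed sample requests
        ("activex", "fs", r"C:\Sandbox\Temp\cache.dat"),
        ("activex", "fs", r"C:\Sandbox\Temp\..\..\Windows\system.ini"),
        ("activex", "fs", r"c:/windows/system32/drivers/etc/hosts"),
        ("activex", "registry", r"HKLM\Software\Microsoft\Windows"),
        ("flash", "fs", r"C:\Sandbox\Temp\x"),
    ]
    for req in requests:
        print("ALLOW" if sandbox_allows(*req) else "DENY ", req)
    # A never-seen sample passes the signature check
    print(signature_allows("constructed-sig-9999"))
```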
- Web Applications should try to protect their users as much as possible
- Web clients should try to protect their users as much as possible, using positive approaches such as sandboxes and script access control mechanisms. I seriously don’t see a reason why web malware should have access to my registry?!
Indeed -- Justin Schuh and Gervase Markham have some good posts on that topic:
http://www.gerv.net/security/content-restrictions/
http://taossa.com/index.php/2007/02/17/same-origin-proposal/
The more discussion about how we can actually start /fixing/ the mess that is web applications and browsers, the better.
Posted by: Jordan | May 30, 2007 at 05:06 PM
Thanks for the links Jordan.
The last OWASP AppSec conference, which was held in Milan, had an interesting panel on the subject of "What is needed to fix web app sec vulnerabilities once and for all?".
At the panel, the panelists played around with the idea of improving HTTP, and adding inherent support for 'state'. The idea was that applications and browsers will communicate session state information on a separate SSL channel, instead of using cookies or parameters inside HTTP messages.
Posted by: AppSecInsider | May 30, 2007 at 09:47 PM