[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Another Method to Block Java Hijinks



On Thu, Apr 05, 2007 at 11:27:48PM -0700, Kyle Williams wrote:
> It didn't report my real IP address.
> I tried this page with JanusVM and recorded the session in FLASH.
> Here's the link if anyone would like to see for themselves.
> 
> http://janusvm.peertech.org/Flash/JanusVM-SEC-Demo-1.html
> 
> Needless to say, it didn't compromise my real IP address with JAVA TURNED
> ON.
> We also tested the Metasploit Project's Decloaking Engine.  It failed too.

This certainly does seem like a nice approach -- run a virtual computer in
between you and the Internet, a) so your computer never knows its external
IP address, and b) so you can intercept all outgoing communications and
either scrub them or drop them, depending.

James Muir, HD Moore, others: can you give some thought to what attacks
and vulnerabilities remain even in this model? I guess we can still
overflow the browser and start looking around for private data on the
computer, like an Outlook address book. What other issues remain? And
does this approach introduce any new issues?

Kyle: this would be more useful if it didn't depend on a non-free vm
player. Do any of the free software variants of VMWare actually work
well enough for this approach? Also, is there any way to adapt this idea
for resource-constrained systems, e.g. a Tor client running on an old
computer in an oppressed country, or is the LiveCD idea definitely the
more feasible approach there?

--Roger