Run-time configurable sandboxes

Michael Maass mmaass at
Wed May 27 12:32:45 UTC 2015

Good point! The Web Application Servers use case also seems to have been the impetus behind JSR 121: Application Isolation API Specification (Mark, note the dates on this spec. Specification started in 2001 and ended in 2006.)

Security Explorations released a report last year on GAE with some decent discussion of the architecture. Most of the serious vulnerabilities are in class loaders.

Bernd, I'll send you a copy of the paper shortly.


On 05/26/2015 04:40 PM, Bernd Eckenfels wrote:
> Hello,
> partial quote as I want to add to a point:
> On Tue, 26 May 2015 16:19:59 -0400,
> Michael Maass <mmaass at> wrote:
>> 3. Common security reasons to use the sandbox: (a) using a third
>> party library that isn't fully trusted (convenience often trumps
>> security) and (b) frameworks loading third party plugins.
> From looking at CVEs it looks like the only other common reason not
> mentioned here is multi tenancy for Web Application Servers (i.e.
> separate WAR deployments).
> And I am quite sure by now (i.e. containers and other PaaS technologies)
> nobody considers that anymore. So the biggest user might as well be
> Google App Engine (not sure how far their special platform relies on
> the security manager).
> Regards
> Bernd
> PS: Michael I would be interested in your paper for my personal
> education.