Managed Code and Runtime Environments - Another layer of added security?

[mouse at Rodents.Montreal.QC.CA (der Mouse)]

> Which brings us to the point of asking why we must have this run time
> environment to protect the computing resources.  Why isn't this a
> function of and included in the Operating System code?

Because "we" chose an OS that doesn't do that.

> Is this like a firewall and IDS - just another layer we have to add
> due to ineffective and insecure OS's?

In a sense.  But I'd put it in a way that slants it rather differently;
I'd say that they are layers "we" have to add because "we" chose an OS
that didn't include that stuff.

It's not the OS's fault that it doesn't do something it's not designed
to do.  The real problem from this perspective is all the people who
are picking Windows or Linux or something to run on their machines and
then expecting it to have security properties it was never intended to
have.

Of course, if you try a "real" (from this security standpoint) OS, you
will find that, as it must to achieve that level of assurance, it makes
a lot of the things you've used to doing a lot harder.  I suspect that
between the additional up-front cost of such an OS and the
inconvenience it imposes, most people prefer "add-on" security - less
thorough but sufficiently less costly to tip the balance.  (Actually, I
suspect most people don't actually think about it and just grumble that
the OS doesn't Just Do The Right Thing, even though that would require
the mythical mind-reading peripheral.)

> Are we dealing with symptoms or the real solution?

Symptoms.  The real problem is...well, depending on how you want to
spin it, it could be "choosing the wrong OS for the job" or "the high
cost of inconvenience" or various other things.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B