If you are interested in this topic, the best place to start is this PPT presentation (which was the last one I created): Making the case for Sandbox v1.1 - Dinis Cruz - SD Conference.ppt
Here is the post I wrote when I gave up (in April 2006): I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes
Here are some of the public posts/articles I wrote:
- An 'Asp.Net' accident waiting to happen
- Microsoft must deliver secure environments not tools to write secure code
- Full Trust Asp.Net Security Vulnerabilties, and Microsoft's current position
- Current Microsoft Info about CAS and Full Trust
- What are the 'Real World' security advantages of the .Net Framework and the JVM?
- Microsoft's 'Full Trust ASP.NET in IIS 6.0 is Insecure by Design, by Default and in Deployment' Internal White Paper
- Secure by de...what? (User instances in SQL Server 2005 Express Edition)
- The .Net Framework is also affected by the WMF vulnerabilty
- Mono vs Medium Trust
- 'Is .NET A Wrapper Around Win32?' and 'Analysis of .NET Use in Longhorn and Vista'
- ANSA - Asp.Net Security Analyzer
- SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments)
- Online IIS Metabase Explorer
- http://www.securitytechnet.com/resource/security/os/SecureSharedHostingwithIIS5.0Version0.96.doc
And ... the good news ... is that with the latest research that I am doing and publishing (see O2 #OunceOpen), I think I am closer to a solution for this problem ...
:) ... hopefully I will find the time to blog about it