Secure Coding mailing list archives
By default, the Verifier is disabled on .Net and Java
From: gem at cigital.com (Gary McGraw)
Date: Fri, 5 May 2006 10:12:24 -0400
An interesting experiment on cracking verifiers was performed about ten years ago by brian bershad at the university of washington. The paradigm used comparative testing on multiple verifiers to find discrepancies. This is covered in securing java as well. Funny how I became interested in software security because of java security. We're coming full circle. gem www.cigital.com/~gem www.swsec.com -----Original Message----- From: Stephen de Vries [mailto:stephen at corsaire.com] Sent: Fri May 05 10:06:36 2006 To: David Eisner Cc: 'Secure Coding Mailing List' Subject: Re: [SC-L] By default, the Verifier is disabled on .Net and Java David Eisner wrote: <snip some good research>
What determines when access to a private member is illegal? Is it, in fact, the bytecode verifier?
Yes, it's done by the fourth pass of the verifier as described here: http://java.sun.com/sfaq/verifier.html#HEADING13 Interestingly, Sun have posted a contest to try and crack the new verifier in Mustang: https://jdk.dev.java.net/CTV/learn.html -- Stephen de Vries Corsaire Ltd E-mail: stephen at corsaire.com Tel: +44 1483 226014 Fax: +44 1483 226068 Web: http://www.corsaire.com _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ----------------------------------------------------------------------------
Current thread:
- By default, the Verifier is disabled on .Net and Java, (continued)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 03)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 03)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 04)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 04)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 04)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 03)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 04)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 04)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 04)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 05)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 08)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 08)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 09)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
- By default, the Verifier is disabled on .Net and Java Jeff Williams (May 11)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 11)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 11)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 11)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 13)
- Message not available
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 14)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 14)
- Message not available