Secure Coding mailing list archives

By default, the Verifier is disabled on .Net and Java


From: gem at cigital.com (Gary McGraw)
Date: Fri, 5 May 2006 10:12:24 -0400

An interesting experiment on cracking verifiers was performed about ten years ago by Brian Bershad at the University of Washington.  The paradigm used comparative testing on multiple verifiers to find discrepancies.

This is covered in Securing Java as well.

Funny how I became interested in software security because of java security.  We're coming full circle.

gem
www.cigital.com/~gem
www.swsec.com

-----Original Message-----
From:   Stephen de Vries [mailto:stephen at corsaire.com]
Sent:   Fri May 05 10:06:36 2006
To:     David Eisner
Cc:     'Secure Coding Mailing List'
Subject:        Re: [SC-L] By default, the Verifier is disabled on .Net and Java

David Eisner wrote:

<snip some good research>

What determines when access to a private member is illegal?  Is it, in
fact, the bytecode verifier? 

Yes, it's done by the fourth pass of the verifier as described here:
http://java.sun.com/sfaq/verifier.html#HEADING13

Interestingly, Sun have posted a contest to try and crack the new
verifier in Mustang:  https://jdk.dev.java.net/CTV/learn.html


-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:    +44 1483 226014
Fax:    +44 1483 226068
Web:    http://www.corsaire.com
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
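The comparative-testing paradigm mentioned in the reply above (several verifiers fed the same class files, with disagreements flagged for inspection) is simple enough to sketch as a harness. The following is an added example written for this page; it is not code from the thread, from Bershad's experiment, or from Sun. The JVM wrapper uses the real HotSpot `-Xverify:all` option, but the mapping of JVM output to accept/reject/error verdicts, the `stub_verifier` helper and the sample verdicts it is fed are all constructed here for illustration.

```python
"""Differential testing of bytecode verifiers (added example, not from the thread).

Idea: run the same class file through several verifier implementations and
report the inputs on which they disagree. A verifier that accepts a class that
another rejects is the one worth auditing, because that is where an unsound
check lets unverified bytecode run.
"""
import subprocess
import sys
from pathlib import Path
from typing import Callable, Dict, Iterable, Set

# Verdicts: "accept" (verifier passed the class), "reject" (VerifyError or
# ClassFormatError), "error" (verifier crashed, timed out or was unavailable).
Verdict = str
Verifier = Callable[[Path], Verdict]


def jvm_verifier(java_binary: str, timeout: float = 10.0) -> Verifier:
    """Wrap a JVM as a verifier by forcing verification of every loaded class.

    Assumption (this example's convention, not a JVM contract): a class whose
    load raises VerifyError/ClassFormatError counts as rejected; a clean exit
    counts as accepted; anything else is an error.
    """
    def verify(class_file: Path) -> Verdict:
        cmd = [java_binary, "-Xverify:all", "-cp", str(class_file.parent), class_file.stem]
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        except (OSError, subprocess.TimeoutExpired):
            return "error"
        output = proc.stdout + proc.stderr
        if "VerifyError" in output or "ClassFormatError" in output:
            return "reject"
        return "accept" if proc.returncode == 0 else "error"
    return verify


def stub_verifier(verdicts: Dict[str, Verdict]) -> Verifier:
    """Constructed stand-in for a verifier: looks verdicts up by file name.

    Only used so the harness can be exercised offline; it models a verifier
    that accepts everything except the files listed in `verdicts`.
    """
    return lambda class_file: verdicts.get(class_file.name, "accept")


def find_discrepancies(verifiers: Dict[str, Verifier],
                       inputs: Iterable[Path]) -> Dict[Path, Dict[str, Verdict]]:
    """Return {class_file: {verifier_name: verdict}} for every input on which
    the verifiers did not all agree."""
    discrepancies: Dict[Path, Dict[str, Verdict]] = {}
    for class_file in inputs:
        verdicts = {name: verify(class_file) for name, verify in verifiers.items()}
        if len(set(verdicts.values())) > 1:
            discrepancies[class_file] = verdicts
    return discrepancies


def lenient_verifiers(discrepancies: Dict[Path, Dict[str, Verdict]]) -> Set[str]:
    """Names of verifiers that accepted a class some other verifier rejected.

    These are the candidates for a missing or weaker check; "error" verdicts
    are ignored because a crash says nothing about the check itself.
    """
    lenient: Set[str] = set()
    for verdicts in discrepancies.values():
        if "reject" in verdicts.values():
            lenient.update(name for name, v in verdicts.items() if v == "accept")
    return lenient


if __name__ == "__main__":
    # Usage: python verifier_diff.py <dir of .class files> <java binary>...
    # Each java binary given on the command line is treated as one verifier.
    class_dir = Path(sys.argv[1])
    jvms = {binary: jvm_verifier(binary) for binary in sys.argv[2:]}
    found = find_discrepancies(jvms, sorted(class_dir.glob("*.class")))
    for class_file, verdicts in found.items():
        print(class_file.name, verdicts)
    print("lenient:", sorted(lenient_verifiers(found)))
```

The class files fed to such a harness would normally come from a generator that mutates valid bytecode (changing access flags, stack depths, type descriptors); the harness itself only cares that every verifier sees identical input and that disagreements, not absolute verdicts, drive the investigation.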



