Secure Coding mailing list archives
By default, the Verifier is disabled on .Net and Java
From: jeff.williams at aspectsecurity.com (Jeff Williams)
Date: Thu, 11 May 2006 09:08:29 -0400
Stephen de Vries wrote:
With application servers such as Tomcat, WebLogic etc, I think we have a special case in that they don't run with the verifier enabled - yet they appear to be safe from type confusion attacks. (If you check the startup scripts, there's no mention of running with -verify).
You're right -- I checked that too. So I think it's just too simple to talk about the verifier being either on or off. It appears to me that the verifier can be enabled for some code and not for other code. I think you're right that this behavior has something to do with the classloader that is used, but I'd really like to understand exactly what the rules are. --Jeff
Current thread:
- By default, the Verifier is disabled on .Net and Java, (continued)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 04)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 04)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 04)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 04)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 05)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 08)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 08)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 09)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
- By default, the Verifier is disabled on .Net and Java Jeff Williams (May 11)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 11)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 11)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 11)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 13)
- Message not available
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 14)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 14)
- Message not available
- By default, the Verifier is disabled on .Net and Java j lunerwood (May 14)
- By default, the Verifier is disabled on .Net and Java leichter_jerrold at emc.com (May 15)