Secure Coding mailing list archives

By default, the Verifier is disabled on .Net and Java

From: stephen at corsaire.com (Stephen de Vries)
Date: Wed, 3 May 2006 14:38:42 +0700


On 3 May 2006, at 06:48, Dinis Cruz wrote:

Here is a more detailed explanation of why (in my previous post) I  
said: "99% of .Net and Java code that is currently deployed is  
executed on an environment where the VM verifier is disabled,  ."

------------------

In .Net the verifier (the CLR function that checks for type safety)  
is only enabled on partial trust .Net environments.


Java has implemented this a bit differently, in that the byte code  
verifier and the security manager are independent.  So you could for  
example, run an application with an airtight security policy (equiv  
to partial trust), but it could still be vulnerable to type confusion  
attacks if the verifier was not explicitly enabled.  To have both  
enabled you'd need to run with:
java -verify -Djava.security.policy ...

regards,

-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:    +44 1483 226014
Fax:    +44 1483 226068
Web:    http://www.corsaire.com

Current thread:

By default, the Verifier is disabled on .Net and Java, (continued)
- By default, the Verifier is disabled on .Net and Java Jeff Williams (May 02)
  - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 04)
    - [Owasp-dotnet] Re: By default, the Verifier is disabled on .Net and Java Michael Silk (May 04)
    - By default, the Verifier is disabled on .Net and Java Jeff Williams (May 04)
    - Message not available
    - Message not available
    - Message not available
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 12)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 13)
  - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 08)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 08)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 12)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 03)
  - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 08)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 08)
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 10)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 13)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 02)
  - By default, the Verifier is disabled on .Net and Java David Eisner (May 03)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
    - By default, the Verifier is disabled on .Net and Java Tim Hollebeek (May 04)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)

(Thread continues...)