By default, the Verifier is disabled on .Net and Java

[dinis at ddplus.net (Dinis Cruz)]

Wall, Kevin wrote:

> Also, from the results of your test, it seems to indicate that SOME TYPE
> of verification is taking place, but if all you did was change a few
> ARBITRARY bytes in the .class file, I don't think that proves the
> byte code verifier is being being run in it's entirety. 
I agree with this analysis and think that the error on David's test was 
caused by a malformed bytecode instruction
> It's entirely possibly that the (new 1.5) default just does some
> surface level of byte code verification (e.g., verify that everything
> is legal "op codes" / byte code) 
Well, some level of verification (or bytecode check) must always occur 
during the conversion from bytecode to native code (but this has nothing 
to do with type safety)
> before HotSpot starts crunching
> on it and that this works differently if either the '-verify' or
> '-noverify' flags are used. E.g., suppose that '-verify' flag, does
> some deeper-level analysis, such as checks to ensure type safety, etc,
> whereas the '-noverify' doesn't even validate the byte codes are
> legal op codes or that the .class file has a legal format. This might
> even make sense because checking for valid file format and valid
> Java "op codes" ought to be fairly "cheap" checks compared to the
> deeper analysis required for things like type safety.
>   
I am a little bit confused here, isn't Java an open platform and almost 
Open Source?

If so, shouldn't issues like this be quite well documented? (if not on 
official documentation, at least on online discussion threads)

I have a couple books on java that discuss the verification process, but 
they are quite old, so It would be good to know the details about the 
current verification process (as implemented in the latest version)
> You didn't discuss details of what bits you tweaked, so I'm not
> quite yet ready to jump up and down for joy and conclude that Sun has
> now seen the light and has made the 1.5 JVM default to run the byte
> code through the *complete* byte code verifier. 
Unfortunately I don't think that Sun has seen the light on this one (and 
neither has Microsoft)
> I think more tests
> are either necessary or someone at Sun who can speak in some official
> capacity steps up and gives a definitive word one way or another on
> this.
>   
Talking about Sun, where are they? I know that Jeff Williams (Owasp) 
have tried several times to get a response from them on these issues but 
has been unsuccessful.

Aren't they (Sun) supposed to be much more open and transparent about 
Java? (at least when compared to Microsoft)

I am sure that there must be people from Sun on this list (likewise from 
Microsoft),  and it would be great if they joined this discussion so 
that we can understand exactly what is going on.

Best regards

Dinis Cruz
Owasp .Net Project
www.owasp.net