Secure Coding mailing list archives

By default, the Verifier is disabled on .Net and Java


From: dinis at ddplus.net (Dinis Cruz)
Date: Mon, 08 May 2006 20:24:14 +0100

Jeff Williams wrote:

But Dinis is right. There is a real problem with verification, as 
demonstrated in the message below. This is a clear violation of the 
Java VM Spec, yet my messages to the team at Sun developing the new 
verifier have been ignored. And it's a real issue, given the number of 
applications that rely on libraries they didn't compile. I don't think 
a real explanation of how the Sun verifier actually works is too much 
to ask, given the risk.

And 9 days into this discussion, Sun's comment (or somebody from Sun) is 
still nowhere to be seen (Microsoft is not the only one MIA :).

Anybody had any luck with their off list attempts to get a comment on 
this issue? What about the main Java Application Server developers? 
WebSphere, WebLogic, JBoss, Enhydra, Blazix, Resin, JOnAS etc...

It is important that they participate in this discussion, because 
amongst other things I would like them to answer my next questions, 
which are:

'What is the point of the verifier?', 'Why use it?' and 'What are the 
real security advantages of enabling the verifier if the code is 
executed in an environment with the security manager disabled?'

So far we have identified several cases where:

* the Java verifier is NOT enabled by default

- Local code (i.e. loaded from the local system)

* the Java verifier is enabled by default

- classes that come with the Java platform
- classes running inside Tomcat
- classes running inside BEA WebLogic

Given that the main attack vector (to exploit the lack of verification) 
is the same for all cases mentioned above (the attack vector being the 
injection of malicious Java code on the application being executed) then 
I would like to know the reason for the inconsistency?

I also would like to ask if the following comments are correct:

Option A) 99% of the Java code deployed to live systems is executed in 
an environment with the verifier disabled

Option B) 99% of the Java code deployed to live systems is executed in 
an environment with the verifier disabled OR with the security manager 
disabled

If not, what value should Option A and B be? 10%, 50%, 75?

Thanks for your comments

Best regards

Dinis Cruz
Owasp .Net Project
www.owasp.net



