Secure Coding mailing list archives

By default, the Verifier is disabled on .Net and Java

From: michaelslists at gmail.com (Michael Silk)
Date: Tue, 9 May 2006 10:16:55 +1000

On 5/9/06, Dinis Cruz <dinis at ddplus.net> wrote:

Stephen de Vries wrote:

Java has implemented this a bit differently, in that the byte code
verifier and the security manager are independent.  So you could for
example, run an application with an airtight security policy (equiv to
partial trust), but it could still be vulnerable to type confusion
attacks if the verifier was not explicitly enabled.  To have both
enabled you'd need to run with:
java -verify -Djava.security.policy ...


This is a very weird decision by the Java Architects, since what is the
point of creating and enforcing a airtight security policy if you can
jump strait out of it via a Type Confusion attack?

In fact, I would argue that you can't really say that you have an
'airtight security' policy if the verifier is not enabled!


You can't disable the security manager even with the verifier off. But
you could extend some final or private class that the security manager
gives access to.

Is there a example out there where (by default) java code is executed in
an environment with :

    * the security manager enabled (with a strong security policy) and
    * the verifier disabled


Yes. Your local JRE.

-- Michael

Current thread:

[Owasp-dotnet] Re: By default, the Verifier is disabled on .Net and Java, (continued)
- - - [Owasp-dotnet] Re: By default, the Verifier is disabled on .Net and Java Michael Silk (May 04)
    - By default, the Verifier is disabled on .Net and Java Jeff Williams (May 04)
    - Message not available
    - Message not available
    - Message not available
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 12)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 13)
  - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 08)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 08)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 12)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 03)
  - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 08)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 08)
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 10)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 13)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 02)
  - By default, the Verifier is disabled on .Net and Java David Eisner (May 03)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
    - By default, the Verifier is disabled on .Net and Java Tim Hollebeek (May 04)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 03)
  - By default, the Verifier is disabled on .Net and Java Michael Silk (May 03)

(Thread continues...)