Secure Coding mailing list archives

By default, the Verifier is disabled on .Net and Java

From: dinis at ddplus.net (Dinis Cruz)
Date: Fri, 12 May 2006 09:04:47 +0100

Tim Hollebeek wrote:

$ java -cp . -noverify HelloWorld
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d7415fb, 
pid=3512, tid=2260 # # Java VM: Java HotSpot(TM) Client VM 
(1.5.0_06-b05 mixed mode) # Problematic frame:
# V  [jvm.dll+0x615fb]



Note that EXCEPTION_ACCESS_VIOLATION is the Windows equivalent of a
segmentation violation; this isn't the Verifier complaining, it's
the JVM crashing.

Yes, I noticed that too, the byte manipulation created a situation that 
crashed the VM.

Usually these type of errors are caused by Buffer Overflows, so this 
could be a good example of how -noverify java code can be used to take 
over the local JVM process

Depending of where the exploit is placed, there is even a possibility 
that the Java ByteCode will not be affected (which would difficult the 
detection of this exploit by (for example) source code security analyzers).

Dinis Cruz
Owasp .Net Project
www.owasp.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20060512/97d9cbae/attachment.html

Current thread:

By default, the Verifier is disabled on .Net and Java, (continued)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 03)
  - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 08)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 08)
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 10)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 13)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 02)
  - By default, the Verifier is disabled on .Net and Java David Eisner (May 03)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
    - By default, the Verifier is disabled on .Net and Java Tim Hollebeek (May 04)
    - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 03)
  - By default, the Verifier is disabled on .Net and Java Michael Silk (May 03)
  - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
    - By default, the Verifier is disabled on .Net and Java David Eisner (May 04)
    - By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 04)
  - By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
    - By default, the Verifier is disabled on .Net and Java Michael Silk (May 04)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 04)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 04)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 04)

(Thread continues...)