Secure Coding mailing list archives
By default, the Verifier is disabled on .Net and Java
From: dinis at ddplus.net (Dinis Cruz)
Date: Fri, 12 May 2006 09:04:47 +0100
Tim Hollebeek wrote:
$ java -cp . -noverify HelloWorld # # An unexpected error has been detected by HotSpot Virtual Machine: # # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d7415fb, pid=3512, tid=2260 # # Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode) # Problematic frame: # V [jvm.dll+0x615fb]Note that EXCEPTION_ACCESS_VIOLATION is the Windows equivalent of a segmentation violation; this isn't the Verifier complaining, it's the JVM crashing.
Yes, I noticed that too, the byte manipulation created a situation that crashed the VM. Usually these type of errors are caused by Buffer Overflows, so this could be a good example of how -noverify java code can be used to take over the local JVM process Depending of where the exploit is placed, there is even a possibility that the Java ByteCode will not be affected (which would difficult the detection of this exploit by (for example) source code security analyzers). Dinis Cruz Owasp .Net Project www.owasp.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060512/97d9cbae/attachment.html
Current thread:
- By default, the Verifier is disabled on .Net and Java, (continued)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 03)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 08)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 08)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 10)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 13)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 08)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 03)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 03)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java Tim Hollebeek (May 04)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 03)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 04)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 04)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 04)