Secure Coding mailing list archives
By default, the Verifier is disabled on .Net and Java
From: lunerwood at yahoo.com (j lunerwood)
Date: Sun, 14 May 2006 21:54:52 -0700 (PDT)
In reply to: Dinis Cruz (dinis at ddplus.net), Sun May 14 03:40:20 EDT 2006
<...skipped...>
> So in an environment where you have a solid Security Policy (enforced by a Security Manager) but the verifier is NOT enabled, then to jump out of the sandbox all that you need to do is to create a Type Confusion exploit that allows you to access a private member that either: calls the protected resource directly or disables the Security Manager (which, based on the description provided, is the demo that I think Ed Felten did).
<....skipped...>

I guess this is exactly the logic that was behind the implementation decision that by default code isn't verified when and only when it is granted "All Permissions", mentioned here: http://archives.java.sun.com/cgi-bin/wa?A2=ind0107&L=java-security&P=1305

Though the post at the link above talks only about bootstrap classes, I guess this policy is now implemented across the whole JVM (obviously some digging through the Java sources would be needed to confirm this).
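As an added illustration (not code from the thread; the class and manager names are hypothetical), the two layers the quoted message contrasts: a Security Manager policy that refuses both replacing the manager and the reflective bypass of private access, next to a check for `-Xverify:all`, the JVM flag that makes boot-class-path classes go through the verifier as well. It assumes a JDK that still honours `SecurityManager` (JDK 17 needs `-Djava.security.manager=allow`; later releases have removed it).

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
// Hypothetical class, added as an illustration; not code from the thread.
public class VerifierAndPolicyCheck {
    // Minimal Security Manager: refuse replacing the manager and refuse
    // reflective suppression of private access; allow everything else.
    static class LockedDownManager extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            String n = p.getName();
            if (p instanceof RuntimePermission && n.equals("setSecurityManager")) {
                throw new SecurityException("denied: " + n);
            }
            if (p instanceof ReflectPermission && n.equals("suppressAccessChecks")) {
                throw new SecurityException("denied: " + n);
            }
        }
    }
    // True only when the JVM was started with -Xverify:all, so that
    // classes on the boot class path are verified as well.
    static boolean fullVerificationEnabled() {
        return ManagementFactory.getRuntimeMXBean().getInputArguments()
                .contains("-Xverify:all");
    }
    private int secret = 42;   // the kind of member a policy must protect
    public static void main(String[] args) throws Exception {
        System.out.println("-Xverify:all set: " + fullVerificationEnabled());
        System.setSecurityManager(new LockedDownManager());
        // Policy layer: dropping the manager is refused by checkPermission().
        try {
            System.setSecurityManager(null);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Policy layer: reflection cannot lift the private access check.
        try {
            Field f = VerifierAndPolicyCheck.class.getDeclaredField("secret");
            f.setAccessible(true);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Type-safety layer: bytecode that reaches `secret` without a legal
        // path is the verifier's job to reject at load time; with verification
        // off, none of the policy checks above see that case.
    }
}
```

Run it as `java -Xverify:all -Djava.security.manager=allow VerifierAndPolicyCheck` and compare with a run that omits `-Xverify:all` to see the first line change while the policy checks stay the same.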