Secure Coding mailing list archives
By default, the Verifier is disabled on .Net and Java
From: leichter_jerrold at emc.com (leichter_jerrold at emc.com)
Date: Mon, 15 May 2006 14:31:46 -0400
| Kevin is correct, a type confusion attack will allow the bypass of the
| security manager simply because via a type confusion attack you will be
able
| to change what the security manager is 'seeing'....
|
| So in an environment where you have a solid Security Policy (enforced by a
| Security Manager) but the verifier is NOT enabled, then to jump out of the
| sandbox all that you need to do is to create a Type Confusion exploit that
| allows you to access a private member that either: calls the protected
| resource directly or disables the Security Manager (which based on the
| description provided is the demo that I think Ed Felten did)....
|
| I will stick to my guns and say that in a Virtual Machine environment like
| the JVM or CLR it doesn't make sense to have the overhead of a security
| system (like CAS or Security Manager) if the verifier is disabled....
This is taking a bit too extreme a point of view.
The issue here is what's trusted, and for what purpose. *Something* has
to be trusted. The verifier, the security manager, the JVM - if you
can't trust these, you have no hope.
The Java/.Net defaults explicitly say: (a) I trust the compiler not to
generate dangerous code; (b) I trust the local user not to put stuff
on the local disk where it can be executed unless it came from the
compiler and he trusts it; (c) I trust the OS to protect the stuff on
the local disk. On the other hand, I *don't* trust stuff that comes
off the network.
Given the realities of the last 10 years of virus-like attacks, this
trust model may well be questionable. But keep in mind that just
because a Java application passes every verification and is acceptable
to even a very strict security policy doesn't mean it isn't a trojan
horse at a higher semantic level!
Verifying bytecodes certainly blocks many attack vectors, and is a
fine idea - but things are not all black and white. Runtime
checking will inherently cost you performance. Someone will
always have an application where the extra cost is "too high"
relative to the risk of running unverified.
Rather than absolute statements about requiring verification
for all user-written code - while leaving it off for the
large volume of system-provided code - we need a more nuanced
view, a better way to quantify risks and costs and trade them
off. Otherwise, the same forces that to this day argue that
Java is unacceptable because of the overhead of garbage
collection will continue to push for writing in completely
unsafe languages.
-- Jerry
Current thread:
- By default, the Verifier is disabled on .Net and Java, (continued)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 08)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 09)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
- By default, the Verifier is disabled on .Net and Java Jeff Williams (May 11)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 11)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 11)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 11)
- By default, the Verifier is disabled on .Net and Java Gary McGraw (May 13)
- Message not available
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 14)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 14)
- Message not available
- By default, the Verifier is disabled on .Net and Java j lunerwood (May 14)
- By default, the Verifier is disabled on .Net and Java leichter_jerrold at emc.com (May 15)