WebApp Sec mailing list archives
Re: [WEB SECURITY] By default, the Verifier is disabled on .Net and Java
From: Stephen de Vries <stephen () corsaire com>
Date: Wed, 3 May 2006 14:43:05 +0700
On 3 May 2006, at 06:49, Dinis Cruz wrote:
Here is a more detailed explanation of why (in my previous post) I said: /"99% of .Net and Java code that is currently deployed is executed on an environment where the VM verifier is disabled, ."/------------------In .Net the verifier (the CLR function that checks for type safety) is only enabled on partial trust .Net environments.
Java has implemented this a bit differently, in that the byte code verifier and the security manager are independent. So you could for example, run an application with an airtight security policy (equiv to partial trust), but it could still be vulnerable to type confusion attacks if the verifier was not explicitly enabled. To have both enabled you'd need to run with:
java -verify -Djava.security.policy ... regards, -- Stephen de Vries Corsaire Ltd E-mail: stephen () corsaire com Tel: +44 1483 226014 Fax: +44 1483 226068 Web: http://www.corsaire.com ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack AttacksHackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- Re: [WEB SECURITY] By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 03)
- Re: By default, the Verifier is disabled on .Net and Java Roman H. (May 03)