Re: [WEB SECURITY] By default, the Verifier is disabled on .Net and Java

[Stephen de Vries <stephen () corsaire com>]

On 3 May 2006, at 06:49, Dinis Cruz wrote:

> Here is a more detailed explanation of why (in my previous post) I  
> said: /"99% of .Net and Java code that is currently deployed is  
> executed on an environment where the VM verifier is disabled,  ."/
>
> ------------------
>
> In .Net the verifier (the CLR function that checks for type safety)  
> is only enabled on partial trust .Net environments.

Java has implemented this a bit differently, in that the byte code  
verifier and the security manager are independent.  So you could for  
example, run an application with an airtight security policy (equiv  
to partial trust), but it could still be vulnerable to type confusion  
attacks if the verifier was not explicitly enabled.  To have both  
enabled you'd need to run with:
java -verify -Djava.security.policy ...

regards,

--
Stephen de Vries
Corsaire Ltd
E-mail: stephen () corsaire com
Tel:    +44 1483 226014
Fax:    +44 1483 226068
Web:    http://www.corsaire.com






-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------