WebApp Sec mailing list archives

Re: By default, the Verifier is disabled on .Net and Java


From: "Roman H." <ref66 () yahoo com>
Date: Wed, 3 May 2006 05:25:23 -0700 (PDT)

/Unfortunately Java is not much better. By default most Java code is 
also executed with -noverify.

/Any Comments?

My understanding is that verification in Java works like this:

By default, at class-loading time only classes that are loaded over the network are verified.  So the access violation 
example that you run from the command line will always work unless you use the explicit option (-verify or 
-Xverify:all).

At runtime, access checks (to prevent violation of the private keyword, etc.) are always performed unless the two 
classes in question share the same package and the same class loader (i.e. origin).  Of note, prohibited access via the 
Reflection API is also possible at runtime (when running with a SecurityManager this can be allowed via a policy that 
allows ReflectPermission/"suppressAccessChecks").  

With regard to the original assertion from Dinis:

/"99% of .Net and Java code that is currently deployed is executed on an 
environment where the VM verifier is disabled,  ."/

I would say this is true on the Java side.  In my experience the vast majority of present-day Java code is written for 
web-applications where the classes are exclusively loaded from the local filesystem, thus no verification occurs at 
class-loading time.  As for the runtime access checks, few Java developers seem to know what the SecurityManager is, 
let alone how to configure it.  So most Java applications run without a SecurityManager installed.  "Deny by default" 
is just way too inconvenient anyway.  :-)

You would think that Sun would clearly document this behavior somewhere.  I have only found bits and pieces around the 
internet and Java security books.  Most of the security documentation for the JVM is very old, even the "Java Security 
Architecture" link at java.sun.com/security/ has not been updated since 2002.  

Roman
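
An added example, not part of the message above: a small Java self-check that reports, for the JVM it runs in, the three things the message discusses: which verifier options were passed at launch, whether a SecurityManager is installed, and whether reflection can read a private field of another class. The names `VerifierAudit` and `Account` and the field value are constructed for illustration.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;

// Constructed target: a separate top-level class with a private field.
class Account {
    private final String secret = "constructed-sample-value";
}

public class VerifierAudit {

    /** Returns the verifier-related options (-verify, -noverify, -Xverify:*) in the launch arguments. */
    static List<String> verifierFlags(List<String> jvmArgs) {
        List<String> found = new ArrayList<>();
        for (String arg : jvmArgs) {
            if (arg.equals("-verify") || arg.equals("-noverify") || arg.startsWith("-Xverify")) {
                found.add(arg);
            }
        }
        return found;
    }

    /** True if reflection can read Account's private field from this class in the current JVM. */
    static boolean reflectionReadsPrivate() {
        try {
            Field f = Account.class.getDeclaredField("secret");
            // Under a SecurityManager this call requires ReflectPermission("suppressAccessChecks").
            f.setAccessible(true);
            return f.get(new Account()) != null;
        } catch (ReflectiveOperationException | RuntimeException e) {
            return false; // SecurityException and similar denials end up here
        }
    }

    @SuppressWarnings("removal") // System.getSecurityManager() is deprecated on newer JDKs
    public static void main(String[] args) {
        List<String> flags = verifierFlags(ManagementFactory.getRuntimeMXBean().getInputArguments());
        System.out.println("verifier options   : " + (flags.isEmpty() ? "(none, JVM default applies)" : flags));
        System.out.println("SecurityManager    : "
                + (System.getSecurityManager() == null ? "not installed" : "installed"));
        System.out.println("private field read : " + (reflectionReadsPrivate() ? "allowed" : "denied"));
    }
}
```

Run it with the same launch options as the application being reviewed, so the report reflects that deployment rather than a bare `java` invocation.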




