Re: [SC-L] By default, the Verifier is disabled on .Net and Java

["Michael Silk" <michaelslists () gmail com>]

The "verifier" is enabled via the commandline. It is either on or off.

the VM does other forms of "verification" though.

http://java.sun.com/docs/books/vmspec/2nd-edition/html/ConstantPool.doc.html#79383

...

-- Michael

On 5/11/06, Jeff Williams <jeff.williams () aspectsecurity com> wrote:
> Stephen de Vries wrote:
> > With application servers such as Tomcat, WebLogic etc, I think we have a
> > special case in that they don't run with the verifier enabled - yet they
> > appear to be safe from type confusion attacks.  (If you check the
> > startup scripts, there's no mention of running with -verify).
>
> You're right -- I checked that too.  So I think it's just too simple to talk
> about the verifier being either on or off.  It appears to me that the
> verifier can be enabled for some code and not for other code.  I think
> you're right that this behavior has something to do with the classloader
> that is used, but I'd really like to understand exactly what the rules are.
>
> --Jeff
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L () securecoding org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php

-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------