WebApp Sec mailing list archives

RE: [SC-L] By default, the Verifier is disabled on .Net and Java


From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Thu, 11 May 2006 09:08:29 -0400

Stephen de Vries wrote:
With application servers such as Tomcat, WebLogic etc, I think we have a
special case in that they don't run with the verifier enabled - yet they
appear to be safe from type confusion attacks.  (If you check the
startup scripts, there's no mention of running with -verify).

You're right -- I checked that too.  So I think it's just too simple to talk
about the verifier being either on or off.  It appears to me that the
verifier can be enabled for some code and not for other code.  I think
you're right that this behavior has something to do with the classloader
that is used, but I'd really like to understand exactly what the rules are.

--Jeff



-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in 
the development of any web application. What methodology should be 
followed? What tools can accelerate the assessment process? 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------


Current thread: