I just tried a few ways and couldn't figure anything out; It doesn't seem like you can modify a java.lang Class from outside the package (even unverified) and I also couldn't get my class _inside_ java.lang.
Maybe BCEL can get further ... or maybe I missed something. -- Michael On 3/29/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > I wonder if you could disable the default security manager with unverified > code. > > Probably. > > Hmm. > > -- Michael > > > On 3/29/06, Jeff Williams <[EMAIL PROTECTED]> wrote: > > > Jeff, as you can see by Stephen de Vries's response on this thread, > > > you are wrong in your assumption that most Java code (since 1.2) > > > must go through the Verifier (this is what I was sure it was > > > happening since I remembered reading that most Java code executed > > > in real-world applications is not verified) > > > > Wow. I ran some tests too, and Stephen is absolutely right. It appears > > that Sun quietly turned off verification by default for bytecode loaded from > > the local disk (not applets). They've apparently > > (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4030988), acknowledged > > that it is a bug, and said that it will not be fixed. The change had > > something to do with compatibility with old bytecode. More details > > (http://www.cafeaulait.org/reports/accessviolations.html) > > > > This is a clear violation of the JVM Spec. And (regardless of protestation > > to the contrary) it IS a big security problem. Just because bytecode is > > loaded from the local disk does not mean it's trustworthy. Every > > application uses lots of libraries that developers download from the > > Internet (as compiled jar files) and loaded from the local disk. Unless you > > run with "java -verify" that code won't get verified. > > > > I'm sure that the percentage of applications that are running with both > > verification and sandbox is terrifyingly small. Probably only applets and > > maybe Java Web Start applications. As I mentioned before some of the J2EE > > servers are now enabling a sandbox, but their security policies are > > generally wide open. > > > > I think there are two relatively easy things we can do here. First, let's > > find out what plans Sun has for the new verifier -- we should strongly > > encourage them to turn it on by default. Second, we can work on ways to > > encourage people to use sandboxes -- tools, articles, and awareness. > > > > --Jeff _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
