On 3 May 2006, at 06:48, Dinis Cruz wrote:
Here is a more detailed explanation of why (in my previous post) I
said: "99% of .Net and Java code that is currently deployed is
executed on an environment where the VM verifier is disabled, ."
------------------
In .Net the verifier (the CLR function that checks for type safety)
is only enabled on partial trust .Net environments.
Java has implemented this a bit differently, in that the byte code
verifier and the security manager are independent. So you could for
example, run an application with an airtight security policy (equiv
to partial trust), but it could still be vulnerable to type confusion
attacks if the verifier was not explicitly enabled. To have both
enabled you'd need to run with:
java -verify -Djava.security.policy ...
regards,
--
Stephen de Vries
Corsaire Ltd
E-mail: [EMAIL PROTECTED]
Tel: +44 1483 226014
Fax: +44 1483 226068
Web: http://www.corsaire.com
_______________________________________________
Secure Coding mailing list (SC-L)
[email protected]
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
