Re: [SC-L] By default, the Verifier is disabled on .Net and Java

[Dinis Cruz]

Tim Hollebeek wrote: $ java -cp . -noverify HelloWorld # # An unexpected error has been detected by HotSpot Virtual Machine: # # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d7415fb, pid=3512, tid=2260 # # Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode) # Problematic frame: # V [jvm.dll+0x615fb] Note that EXCEPTION_ACCESS_VIOLATION is the Windows equivalent of a segmentation violation; this isn't the Verifier complaining, it's the JVM crashing. Yes, I noticed that too, the byte manipulation created a situation that crashed the VM. Usually these type of errors are caused by Buffer Overflows, so this could be a good example of how -noverify java code can be used to take over the local JVM process Depending of where the exploit is placed, there is even a possibility that the Java ByteCode will not be affected (which would difficult the detection of this exploit by (for example) source code security analyzers). Dinis Cruz Owasp .Net Project www.owasp.net

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php