Michael Silk wrote:
> The "verifier" is enabled via the commandline. It is either on or off.
I'm not sure that's true. See:
http://securecoding.org/pipermail/sc-l/2006/000262.html
Summary: there are *three* commandline options: -verify, -noverify, and
-verifyremote. It is -verifyremote that
The "verifier" is enabled via the commandline. It is either on or off.
The VM does other forms of "verification" though.
http://java.sun.com/docs/books/vmspec/2nd-edition/html/ConstantPool.doc.html#79383
...
-- Michael
On 5/11/06, Jeff Williams <[EMAIL PROTECTED]> wrote:
Stephen de Vries wro
Stephen de Vries wrote:
> With application servers such as Tomcat, WebLogic etc, I think we have a
> special case in that they don't run with the verifier enabled - yet they
> appear to be safe from type confusion attacks. (If you check the
> startup scripts, there's no mention of running with -ve
For the ones that are going to the next Black Hat in Vegas, I am
delivering a two day course based on my .Net research which some of you
might want to attend (or recommend to somebody).
You can read the relevant details at the end of this email or directly
on http://www.blackhat.com/html/bh
Michael Silk wrote:
> On 5/9/06, Dinis Cruz <[EMAIL PROTECTED]> wrote:
>
>> Is there a example out there where (by default) java code is executed in
>> an environment with :
>>
>> * the security manager enabled (with a strong security policy) and
>> * the verifier disabled
>
> Yes. You