David Eisner wrote:
Wall, Kevin wrote:
same intuition about the verifier, but have just tested
this and it is not the case. It seems that the -noverify is the
default setting! If you want to verify classes loaded from the local
filesystem, then you need to explicitly
Wall, Kevin wrote:
Also, from the results of your test, it seems to indicate that SOME TYPE
of verification is taking place, but if all you did was change a few
ARBITRARY bytes in the .class file, I don't think that proves the
byte code verifier is being run in its entirety.
I agree with
On 5/4/06, Dinis Cruz <[EMAIL PROTECTED]> wrote:
Wall, Kevin wrote:
> Also, from the results of your test, it seems to indicate that SOME TYPE
> of verification is taking place, but if all you did was change a few
> ARBITRARY bytes in the .class file, I don't think that proves the
> byte code ve
Stories about this (below) X bug and the DHS-sponsored project that found it
have been floating around the net all week. This story caught my eye,
though:
http://www.net-security.org/secworld.php?id=3994
The author claims, "This flaw, caused by something as seemingly harmless as a
missing clo
On Thu, 4 May 2006, Kenneth R. van Wyk wrote:
> Stories about this (below) X bug and the DHS-sponsored project that found it
> have been floating around the net all week. This story caught my eye,
> though:
>
> http://www.net-security.org/secworld.php?id=3994
>
> The author claims, "This flaw,
On Thursday 04 May 2006 12:40, Gadi Evron wrote:
> Hmm, I think this was fixed in earlier X versions.
Not impossible, but the article clearly indicated that it's in 6.9.0 and
7.0.0, which are the most current in general circulation, I believe.
But, some bugs are so important that they deserved t
Dinis Cruz wrote:
> Ok, I just did some further tests and I think I can say that Java
> (version 1.5.0_06) has similar verification issues to the ones I
> discovered on the .Net Framework (see links in my previous post).
[...]
> This should prove that the verifier is not enabled by default on java
> $ java -cp . -noverify HelloWorld
> #
> # An unexpected error has been detected by HotSpot Virtual Machine:
> #
> # EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x6d7415fb, pid=3512, tid=2260
> #
> # Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode)
> # Problematic frame:
> # V [
I'm psyched about this thread. Rock on guys.
For those of you who may need some basics, you might want to read
Securing Java (a book I wrote with Ed Felten in 1999...the first edition
in 1996 was called Java Security). The book is available completely for
free in searchable format at http://www.
Jeff Williams wrote:
Two important clarifications for Java
(based on my experiments):
1) The verifier IS enabled for the classes
that come with the Java platform, such as those in rt.jar. So, for
example, if you create a class that tries to set System.security (the
private variab