On 3 May 2006, at 06:49, Dinis Cruz wrote:
> Here is a more detailed explanation of why (in my previous post) I
> said: /"99% of .Net and Java code that is currently deployed is
> executed on an environment where the VM verifier is disabled, ."/
>
> ------------------
>
> In .Net the verifier (the CLR function that checks for type safety)
> is only enabled on partial trust .Net environments.
Java has implemented this a bit differently, in that the byte code
verifier and the security manager are independent. So you could for
example, run an application with an airtight security policy (equiv
to partial trust), but it could still be vulnerable to type confusion
attacks if the verifier was not explicitly enabled. To have both
enabled you'd need to run with:
java -verify -Djava.security.policy ...
regards,
--
Stephen de Vries
Corsaire Ltd
E-mail: stephen_at_corsaire.com
Tel: +44 1483 226014
Fax: +44 1483 226068
Web: http://www.corsaire.com
-------------------------------------------------------------------------
Sponsored by: Watchfire
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
Received on May 03 2006
Intro
