The "verifier" is enabled via the command line. It is either on or off.
The VM does other forms of "verification" though.
http://java.sun.com/docs/books/vmspec/2nd-edition/html/ConstantPool.doc.html#79383
...
-- Michael
On 5/11/06, Jeff Williams <jeff.williams_at_aspectsecurity.com> wrote:
> Stephen de Vries wrote:
> > With application servers such as Tomcat, WebLogic etc, I think we have a
> > special case in that they don't run with the verifier enabled - yet they
> > appear to be safe from type confusion attacks. (If you check the
> > startup scripts, there's no mention of running with -verify).
>
> You're right -- I checked that too. So I think it's just too simple to talk
> about the verifier being either on or off. It appears to me that the
> verifier can be enabled for some code and not for other code. I think
> you're right that this behavior has something to do with the classloader
> that is used, but I'd really like to understand exactly what the rules are.
>
> --Jeff
Received on May 11 2006