I wonder if you could disable the default security manager with unverified code.
Probably. Hmm.

-- Michael

On 3/29/06, Jeff Williams <[EMAIL PROTECTED]> wrote:
> > Jeff, as you can see by Stephen de Vries's response on this thread,
> > you are wrong in your assumption that most Java code (since 1.2)
> > must go through the Verifier (this is what I was sure was
> > happening, since I remembered reading that most Java code executed
> > in real-world applications is not verified)
>
> Wow. I ran some tests too, and Stephen is absolutely right. It appears
> that Sun quietly turned off verification by default for bytecode loaded from
> the local disk (not applets). They've apparently
> (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4030988) acknowledged
> that it is a bug, and said that it will not be fixed. The change had
> something to do with compatibility with old bytecode. More details:
> http://www.cafeaulait.org/reports/accessviolations.html
>
> This is a clear violation of the JVM Spec. And (regardless of protestations
> to the contrary) it IS a big security problem. Just because bytecode is
> loaded from the local disk does not mean it's trustworthy. Every
> application uses lots of libraries that developers download from the
> Internet (as compiled jar files) and load from the local disk. Unless you
> run with "java -verify" that code won't get verified.
>
> I'm sure that the percentage of applications that are running with both
> verification and sandbox is terrifyingly small. Probably only applets and
> maybe Java Web Start applications. As I mentioned before, some of the J2EE
> servers are now enabling a sandbox, but their security policies are
> generally wide open.
>
> I think there are two relatively easy things we can do here. First, let's
> find out what plans Sun has for the new verifier -- we should strongly
> encourage them to turn it on by default. Second, we can work on ways to
> encourage people to use sandboxes -- tools, articles, and awareness.
>
> --Jeff
>
> _______________________________________________
> Owasp-dotnet mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/owasp-dotnet

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
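A way to check the behaviour Jeff describes on your own JVM, as an added example that is not part of the original thread: HotSpot exposes the two verification switches behind the launcher's -Xverify option as the flags BytecodeVerificationLocal and BytecodeVerificationRemote, and -XX:+PrintFlagsFinal dumps their effective values. The script below parses that dump and reports whether classes from the local class path are verified, then shows the launch line that turns both verification and the default security manager on. Assumptions: a HotSpot-based java that accepts -XX:+PrintFlagsFinal; the sample flag dumps are constructed, not captured from a real run; app.policy, app.jar and Main are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original thread. Reports whether a HotSpot JVM
# verifies bytecode loaded from the local class path (the behaviour the thread
# describes) and shows the flags that turn verification and the sandbox on.
# Assumes a HotSpot-based `java` that accepts -XX:+PrintFlagsFinal.

# Print the value of one HotSpot flag from -XX:+PrintFlagsFinal text on stdin.
# Lines look like "bool BytecodeVerificationLocal = false {product}" or, when
# the flag was set on the command line, "bool ... := true {product} {command line}";
# in both forms the value is the fourth whitespace-separated field.
jvm_flag_value() {
    awk -v name="$1" '$2 == name { print $4; exit }'
}

# Classify local-class-path verification from PrintFlagsFinal text on stdin.
local_verification_status() {
    case "$(jvm_flag_value BytecodeVerificationLocal)" in
        true)  echo verified ;;
        false) echo UNVERIFIED ;;
        *)     echo unknown ;;
    esac
}

# Constructed sample (not captured from a real JVM): the default launch, where
# "remote" classes (applets, network class loaders) are verified but classes
# from the local class path are not. This is -Xverify:remote, the default.
DEFAULT_FLAGS='     bool BytecodeVerificationLocal                 = false                               {product}
     bool BytecodeVerificationRemote                = true                                {product}'

# Constructed sample of the same dump after launching with -Xverify:all.
VERIFY_ALL_FLAGS='     bool BytecodeVerificationLocal                := true                                {product} {command line}
     bool BytecodeVerificationRemote                = true                                {product}'

# Check the installed JVM when there is one; otherwise show the constructed samples.
if command -v java >/dev/null 2>&1; then
    echo "installed JVM, default launch:   $(java -XX:+PrintFlagsFinal -version 2>/dev/null | local_verification_status)"
    echo "installed JVM, -Xverify:all:     $(java -Xverify:all -XX:+PrintFlagsFinal -version 2>/dev/null | local_verification_status)"
else
    echo "constructed default sample:      $(printf '%s\n' "$DEFAULT_FLAGS" | local_verification_status)"
    echo "constructed -Xverify:all sample: $(printf '%s\n' "$VERIFY_ALL_FLAGS" | local_verification_status)"
fi

# To run an application with every class verified and the default security
# manager installed under an explicit policy (the two things the thread asks
# for). app.policy, app.jar and Main are hypothetical names:
#
#   java -Xverify:all -Djava.security.manager \
#        -Djava.security.policy=app.policy -cp app.jar Main
#
# -Xverify:all is the same setting the older launcher spelled "java -verify".
```

Two caveats for anyone applying this today: the security manager was deprecated for removal in JDK 17 (JEP 411), so the sandbox half of the launch line only works on older releases, and the -Xverify:all half still applies, since class-path classes remain unverified by default.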