When Java source code is compiled, it is converted into bytecode, saved in one or more class files, and executed by the JVM. Java class files may be compiled on one machine and executed on another machine. A properly generated class file is said to be conforming. When the JVM loads a class file, it has no way of knowing whether the class file is conforming. The class file could have been created by some other process, or an attacker could tamper may have tampered with a conforming class file.
...
Users often assume that Java class files obtained from a trustworthy source will be conforming and, consequently, safe for execution. This belief can erroneously lead them to see bytecode verification as a superfluous activity for such classes. Consequently, they could might disable bytecode verification, undermining Java's safety and security guarantees. The bytecode verifier must not be suppressed.
...
Bytecode verification ensures that the bytecode contains many of the security checks mandated by the Java Language Specification. Omitting the verification step could permit execution of unsafe insecure Java code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ENV04-J | high | likely | low | P27 | L1 |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e5be1f0085926cd7-83315457-4b774660-ab0ab23e-1f82ec8914fd86edff1afb7a"><ac:plain-text-body><![CDATA[ | [[Oaks 2001 | AA. Bibliography#Oaks 01]] | The Bytecode Verifier | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="35adb96fa941f7de-ece85880-475c4aaa-a6e2bb02-35b92e53358367589b002af8"><ac:plain-text-body><![CDATA[ | [[Pistoia 2004 | AA. Bibliography#Pistoia 04]] | Section 7.3, The Class File Verifier | ]]></ac:plain-text-body></ac:structured-macro> |
...