Secure Coding mailing list archives
By default, the Verifier is disabled on .Net and Java
From: dinis at ddplus.net (Dinis Cruz)
Date: Thu, 04 May 2006 04:26:29 +0100
Wall, Kevin wrote:
Also, from the results of your test, it seems to indicate that SOME TYPE of verification is taking place, but if all you did was change a few ARBITRARY bytes in the .class file, I don't think that proves the byte code verifier is being being run in it's entirety.
I agree with this analysis and think that the error on David's test was caused by a malformed bytecode instruction
It's entirely possibly that the (new 1.5) default just does some surface level of byte code verification (e.g., verify that everything is legal "op codes" / byte code)
Well, some level of verification (or bytecode check) must always occur during the conversion from bytecode to native code (but this has nothing to do with type safety)
before HotSpot starts crunching on it and that this works differently if either the '-verify' or '-noverify' flags are used. E.g., suppose that '-verify' flag, does some deeper-level analysis, such as checks to ensure type safety, etc, whereas the '-noverify' doesn't even validate the byte codes are legal op codes or that the .class file has a legal format. This might even make sense because checking for valid file format and valid Java "op codes" ought to be fairly "cheap" checks compared to the deeper analysis required for things like type safety.
I am a little bit confused here, isn't Java an open platform and almost Open Source? If so, shouldn't issues like this be quite well documented? (if not on official documentation, at least on online discussion threads) I have a couple books on java that discuss the verification process, but they are quite old, so It would be good to know the details about the current verification process (as implemented in the latest version)
You didn't discuss details of what bits you tweaked, so I'm not quite yet ready to jump up and down for joy and conclude that Sun has now seen the light and has made the 1.5 JVM default to run the byte code through the *complete* byte code verifier.
Unfortunately I don't think that Sun has seen the light on this one (and neither has Microsoft)
I think more tests are either necessary or someone at Sun who can speak in some official capacity steps up and gives a definitive word one way or another on this.
Talking about Sun, where are they? I know that Jeff Williams (Owasp) have tried several times to get a response from them on these issues but has been unsuccessful. Aren't they (Sun) supposed to be much more open and transparent about Java? (at least when compared to Microsoft) I am sure that there must be people from Sun on this list (likewise from Microsoft), and it would be great if they joined this discussion so that we can understand exactly what is going on. Best regards Dinis Cruz Owasp .Net Project www.owasp.net
Current thread:
- By default, the Verifier is disabled on .Net and Java, (continued)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 02)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 03)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java Tim Hollebeek (May 04)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 03)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 02)
- By default, the Verifier is disabled on .Net and Java Wall, Kevin (May 03)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 03)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java David Eisner (May 04)
- By default, the Verifier is disabled on .Net and Java Stephen de Vries (May 04)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 03)
- By default, the Verifier is disabled on .Net and Java Michael Silk (May 04)
- By default, the Verifier is disabled on .Net and Java Dinis Cruz (May 12)