Wall, Kevin wrote:
Also, from the results of your test, it seems to indicate that SOME TYPE
of verification is taking place, but if all you did was change a few
ARBITRARY bytes in the .class file, I don't think that proves the
byte code verifier is being being run in it's entirety.
I agree with this analysis and think that the error on David's test was
caused by a malformed bytecode instruction
It's entirely possibly that the (new 1.5) default just does some
surface level of byte code verification (e.g., verify that everything
is legal "op codes" / byte code)
Well, some level of verification (or bytecode check) must always occur
during the conversion from bytecode to native code (but this has nothing
to do with type safety)
before HotSpot starts crunching
on it and that this works differently if either the '-verify' or
'-noverify' flags are used. E.g., suppose that '-verify' flag, does
some deeper-level analysis, such as checks to ensure type safety, etc,
whereas the '-noverify' doesn't even validate the byte codes are
legal op codes or that the .class file has a legal format. This might
even make sense because checking for valid file format and valid
Java "op codes" ought to be fairly "cheap" checks compared to the
deeper analysis required for things like type safety.
I am a little bit confused here, isn't Java an open platform and almost
Open Source?
If so, shouldn't issues like this be quite well documented? (if not on
official documentation, at least on online discussion threads)
I have a couple books on java that discuss the verification process, but
they are quite old, so It would be good to know the details about the
current verification process (as implemented in the latest version)
You didn't discuss details of what bits you tweaked, so I'm not
quite yet ready to jump up and down for joy and conclude that Sun has
now seen the light and has made the 1.5 JVM default to run the byte
code through the *complete* byte code verifier.
Unfortunately I don't think that Sun has seen the light on this one (and
neither has Microsoft)
I think more tests
are either necessary or someone at Sun who can speak in some official
capacity steps up and gives a definitive word one way or another on
this.
Talking about Sun, where are they? I know that Jeff Williams (Owasp)
have tried several times to get a response from them on these issues but
has been unsuccessful.
Aren't they (Sun) supposed to be much more open and transparent about
Java? (at least when compared to Microsoft)
I am sure that there must be people from Sun on this list (likewise from
Microsoft), and it would be great if they joined this discussion so
that we can understand exactly what is going on.
Best regards
Dinis Cruz
Owasp .Net Project
www.owasp.net
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
