1cs205: engineering software

cs205: engineering softwareuniversity of virginia fall 2006

Byte Code Verification

2cs205: engineering software

Java Byte Code Instructions

• 0: nop• 1-20: putting constants on the stack• 96-119: arithmetic on ints, longs,

floats, doubles

• What other kinds of instructions do we need?

3cs205: engineering software

Other Instructions• Loading and Storing Variables (65

instructions)• Control Flow (~20 instructions)

– if, goto, return

• Method Calls (4 instructions)• Creating objects (1 instruction)• Using object fields (4 instructions)• Arrays (3 instructions)• checkcast, instanceof

4cs205: engineering software

Referencing Memory

• iload <varnum>– Pushes the int in local variable

<varnum> (1 byte) on the stack

• istore <varnum>– Pops the int on the top of the stack and

stores it in local variable <varnum>

What if you have more than 256 local variables?

5cs205: engineering software

Referencing ExampleMethod void main(java.lang.String[]) 0 iconst_2 1 istore_1 2 iconst_3 3 istore_2 4 iload_1 5 iload_2 6 iadd 7 istore_3 8 getstatic #2 <Field java.io.PrintStream err> 11 new #3 <Class java.lang.StringBuffer> 14 dup 15 invokespecial #4 <Method java.lang.StringBuffer()> 18 ldc #5 <String "c: "> 20 invokevirtual #6 <Method java.lang.StringBuffer append(java.lang.String)>

23 iload_3 24 invokevirtual #7 <Method java.lang.StringBuffer append(int)> 27 invokevirtual #8 <Method java.lang.String toString()> 30 invokevirtual #9 <Method void println(java.lang.String)> 33 return

public class Locals1 { static public void main (String args[]) { int a = 2; int b = 3; int c = a + b;

System.err.println ("c: " + c); } }

6cs205: engineering software

Control Flow

• ifeq <label>Pop an int off the stack. If it is zero, jump to the label. Otherwise, continue normally.

• if_icmple <label>Pop two ints off the stack. If the second one is <= the first one, jump to the label. Otherwise, continue normally.

7cs205: engineering software

Method Calls• invokevirtual <method>

– Invokes the method <method> on the parameters and object on the top of the stack.

– Finds the appropriate method at run-time based on the actual type of the this object.

invokevirtual <Method void println(java.lang.String)>

8cs205: engineering software

Method Calls• invokestatic <method>

– Invokes a static (class) method <method> on the parameters on the top of the stack.

– Finds the appropriate method at run-time based on the actual type of the this object.

9cs205: engineering software

Example

public class Sample1 { static public void main (String args[]) { System.err.println ("Hello!"); System.exit (1); }}

10cs205: engineering software

> javap -c Sample1Compiled from Sample1.javapublic class Sample1 extends java.lang.Object { public Sample1(); public static void main(java.lang.String[]);}

Method Sample1() 0 aload_0 1 invokespecial #1 <Method java.lang.Object()> 4 return

Method void main(java.lang.String[]) 0 getstatic #2 <Field java.io.PrintStream err> 3 ldc #3 <String "Hello!"> 5 invokevirtual #4 <Method void println(java.lang.String)> 8 iconst_1 9 invokestatic #5 <Method void exit(int)> 12 return

public class Sample1 { static public void main (String args[]) { System.err.println ("Hello!"); System.exit (1); } }

11cs205: engineering software

The Worst Instructionjsr [branchbyte1] [branchbyte2] Operand Stack

... ..., addressDescriptionThe address of the opcode of the instruction immediately following this jsr instruction is pushed onto the operand stack as a value of type returnAddress. The unsigned branchbyte1 and branchbyte2 are used to construct a signed 16-bit offset, where the offset is (branchbyte1 << 8) | branchbyte2. Execution proceeds at that offset from the address of this jsr instruction. The target address must be that of an opcode of an instruction within the method that contains this jsr instruction.NotesThe jsr instruction is used with the ret instruction in the implementation of the finally clauses of the Java programming language. Note that jsr pushes the address onto the operand stack and ret gets it out of a local variable. This asymmetry is intentional.

http://java.sun.com/docs/books/vmspec/2nd-edition/html/Instructions2.doc7.html

12cs205: engineering software

public class JSR { static public void main (String args[]) { try { System.out.println("hello"); } catch (Exception e) { System.out.println ("There was an exception!"); } finally { System.out.println ("I am finally here!"); }

}}

Try-Catch-Finally

13cs205: engineering software

Method void main(java.lang.String[]) 0 getstatic #2 <Field java.io.PrintStream out> 3 ldc #3 <String "hello"> 5 invokevirtual #4 <Method void println(java.lang.String)> 8 jsr 35 11 goto 46 14 astore_1 15 getstatic #2 <Field java.io.PrintStream out> 18 ldc #6 <String "There was an exception!"> 20 invokevirtual #4 <Method void println(java.lang.String)> 23 jsr 35 26 goto 46 29 astore_2 30 jsr 35 33 aload_2 34 athrow 35 astore_3 36 getstatic #2 <Field java.io.PrintStream out> 39 ldc #7 <String "I am finally here!"> 41 invokevirtual #4 <Method void println(java.lang.String)> 44 ret 3 46 return

public class JSR { static public void main (String args[]) { try { System.out.println("hello"); } catch (Exception e) { System.out.println (“... exception!"); } finally { System.out.println ("I am finally"); }

}}

Exception table: from to target type 0 8 14 <Class java.lang.Exception>

0 11 29 any 14 26 29 any 29 33 29 any

14cs205: engineering software

Javajavac

Compiler malcode.java

malcode.classJVML

Joe User

Java Bytecode Verifier

JavaVM

“Okay”

Invalid

STOP

Trusted Computing Base

15cs205: engineering software

Running Mistyped Code

> java SimpleException in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type

.method public static main([Ljava/lang/String;)V … iconst_2 istore_0 aload_0 iconst_2 iconst_3 iadd … return.end method

> java –noverify Simpleresult: 5

16cs205: engineering software

Running Mistyped Code

> java –noverify SimpleUnexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEBFunction=JVM_FindSignal+0x1105FLibrary=C:\j2sdk1.4.2\jre\bin\client\jvm.dll

Current Java thread:at Simple.main(Simple.java:7)…

## HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION# Error ID : 4F530E43505002EF# Please report this error at# http://java.sun.com/cgi-bin/bugreport.cgi## Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode)

.method public static main([Ljava/lang/String;)V …

ldc 205 istore_0 aload_0 iconst_2 iconst_3 iadd ….end method

17cs205: engineering software

Bytecode Verifier• Checks class file is formatted correctly

– Magic number: class file starts with 0xCAFEBABE

– String table, code, methods, etc.• Checks JVML code satisfies safety

properties– Simulates program execution to know

types are correct, but doesn’t need to examine any instruction more than once

18cs205: engineering software

Verifying Safety Properties• Type safe

– Stack and variable slots must store and load as same type

• Memory safe– Must not attempt to pop more values from

stack than are on it– Doesn’t access private fields and methods

outside class implementation

• Control flow safe– Jumps must be to valid addresses within

function, or call/return

19cs205: engineering software

Simulating All Paths

• The bytecode verifier verifies type safety for all possible executions of the program

• Since there are infinitely many paths through the program, how is this possible?

20cs205: engineering software

Verifier (should be) Conservative

JVML programs

Safe programs

Verifiable programs

(Slide from Nate Paul’s ACSAC talk)

21cs205: engineering software

Complexity Increases Risk

JVML programs

Safe programs

Verifiable programs

Bug (Slide from Nate Paul’s ACSAC talk)

22cs205: engineering software

Vulnerabilities in JavaVM

0

5

10

15

20

25

30

35

40

45

0 1 2 3 4 5 6 7 8 9

Vuln

era

bili

ties

Report

ed

Years Since First ReleaseJuly 1996 July 2005

23cs205: engineering software

Where are They?

Verification 12

API bugs 10

Class loading 8

Other or unknown 2Missing policy checks 3

Configuration 4

DoS attacks (crash, consumption) 5

several of these were because of jsr complexity

24cs205: engineering software

Summary:Low-level vs. Policy Security

• Low-level Code Safety:– Type safety, memory safety, control flow

safety– Needed to prevent malcode from

circumventing any policy mechanism• Policy Security:

– Control access and use of resources (files, network, display, etc.)

– Enforced by Java class– Hard part is deciding on a good policy

25cs205: engineering software

Charge

• Monday: – Quiz 4: will cover through Friday’s

lecture on the Java bytecode verifier– Using CVS (Dan)

• Friday: project design documents due