Upload
taylor-berger
View
16
Download
0
Embed Size (px)
DESCRIPTION
cs205: engineering software university of virginia fall 2006. Byte Code Verification. Java Byte Code Instructions. 0: nop 1-20: putting constants on the stack 96-119: arithmetic on ints, longs, floats, doubles What other kinds of instructions do we need?. Other Instructions. - PowerPoint PPT Presentation
Citation preview
1cs205: engineering software
cs205: engineering softwareuniversity of virginia fall 2006
Byte Code Verification
2cs205: engineering software
Java Byte Code Instructions
• 0: nop• 1-20: putting constants on the stack• 96-119: arithmetic on ints, longs,
floats, doubles
• What other kinds of instructions do we need?
3cs205: engineering software
Other Instructions• Loading and Storing Variables (65
instructions)• Control Flow (~20 instructions)
– if, goto, return
• Method Calls (4 instructions)• Creating objects (1 instruction)• Using object fields (4 instructions)• Arrays (3 instructions)• checkcast, instanceof
4cs205: engineering software
Referencing Memory
• iload <varnum>– Pushes the int in local variable
<varnum> (1 byte) on the stack
• istore <varnum>– Pops the int on the top of the stack and
stores it in local variable <varnum>
What if you have more than 256 local variables?
5cs205: engineering software
Referencing ExampleMethod void main(java.lang.String[]) 0 iconst_2 1 istore_1 2 iconst_3 3 istore_2 4 iload_1 5 iload_2 6 iadd 7 istore_3 8 getstatic #2 <Field java.io.PrintStream err> 11 new #3 <Class java.lang.StringBuffer> 14 dup 15 invokespecial #4 <Method java.lang.StringBuffer()> 18 ldc #5 <String "c: "> 20 invokevirtual #6 <Method java.lang.StringBuffer append(java.lang.String)>
23 iload_3 24 invokevirtual #7 <Method java.lang.StringBuffer append(int)> 27 invokevirtual #8 <Method java.lang.String toString()> 30 invokevirtual #9 <Method void println(java.lang.String)> 33 return
public class Locals1 { static public void main (String args[]) { int a = 2; int b = 3; int c = a + b;
System.err.println ("c: " + c); } }
6cs205: engineering software
Control Flow
• ifeq <label>Pop an int off the stack. If it is zero, jump to the label. Otherwise, continue normally.
• if_icmple <label>Pop two ints off the stack. If the second one is <= the first one, jump to the label. Otherwise, continue normally.
7cs205: engineering software
Method Calls• invokevirtual <method>
– Invokes the method <method> on the parameters and object on the top of the stack.
– Finds the appropriate method at run-time based on the actual type of the this object.
invokevirtual <Method void println(java.lang.String)>
8cs205: engineering software
Method Calls• invokestatic <method>
– Invokes a static (class) method <method> on the parameters on the top of the stack.
– Finds the appropriate method at run-time based on the actual type of the this object.
9cs205: engineering software
Example
public class Sample1 { static public void main (String args[]) { System.err.println ("Hello!"); System.exit (1); }}
10cs205: engineering software
> javap -c Sample1Compiled from Sample1.javapublic class Sample1 extends java.lang.Object { public Sample1(); public static void main(java.lang.String[]);}
Method Sample1() 0 aload_0 1 invokespecial #1 <Method java.lang.Object()> 4 return
Method void main(java.lang.String[]) 0 getstatic #2 <Field java.io.PrintStream err> 3 ldc #3 <String "Hello!"> 5 invokevirtual #4 <Method void println(java.lang.String)> 8 iconst_1 9 invokestatic #5 <Method void exit(int)> 12 return
public class Sample1 { static public void main (String args[]) { System.err.println ("Hello!"); System.exit (1); } }
11cs205: engineering software
The Worst Instructionjsr [branchbyte1] [branchbyte2] Operand Stack
... ..., addressDescriptionThe address of the opcode of the instruction immediately following this jsr instruction is pushed onto the operand stack as a value of type returnAddress. The unsigned branchbyte1 and branchbyte2 are used to construct a signed 16-bit offset, where the offset is (branchbyte1 << 8) | branchbyte2. Execution proceeds at that offset from the address of this jsr instruction. The target address must be that of an opcode of an instruction within the method that contains this jsr instruction.NotesThe jsr instruction is used with the ret instruction in the implementation of the finally clauses of the Java programming language. Note that jsr pushes the address onto the operand stack and ret gets it out of a local variable. This asymmetry is intentional.
http://java.sun.com/docs/books/vmspec/2nd-edition/html/Instructions2.doc7.html
12cs205: engineering software
public class JSR { static public void main (String args[]) { try { System.out.println("hello"); } catch (Exception e) { System.out.println ("There was an exception!"); } finally { System.out.println ("I am finally here!"); }
}}
Try-Catch-Finally
13cs205: engineering software
Method void main(java.lang.String[]) 0 getstatic #2 <Field java.io.PrintStream out> 3 ldc #3 <String "hello"> 5 invokevirtual #4 <Method void println(java.lang.String)> 8 jsr 35 11 goto 46 14 astore_1 15 getstatic #2 <Field java.io.PrintStream out> 18 ldc #6 <String "There was an exception!"> 20 invokevirtual #4 <Method void println(java.lang.String)> 23 jsr 35 26 goto 46 29 astore_2 30 jsr 35 33 aload_2 34 athrow 35 astore_3 36 getstatic #2 <Field java.io.PrintStream out> 39 ldc #7 <String "I am finally here!"> 41 invokevirtual #4 <Method void println(java.lang.String)> 44 ret 3 46 return
public class JSR { static public void main (String args[]) { try { System.out.println("hello"); } catch (Exception e) { System.out.println (“... exception!"); } finally { System.out.println ("I am finally"); }
}}
Exception table: from to target type 0 8 14 <Class java.lang.Exception>
0 11 29 any 14 26 29 any 29 33 29 any
14cs205: engineering software
Javajavac
Compiler malcode.java
malcode.classJVML
Joe User
Java Bytecode Verifier
JavaVM
“Okay”
Invalid
STOP
Trusted Computing Base
15cs205: engineering software
Running Mistyped Code
> java SimpleException in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type
.method public static main([Ljava/lang/String;)V … iconst_2 istore_0 aload_0 iconst_2 iconst_3 iadd … return.end method
> java –noverify Simpleresult: 5
16cs205: engineering software
Running Mistyped Code
> java –noverify SimpleUnexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEBFunction=JVM_FindSignal+0x1105FLibrary=C:\j2sdk1.4.2\jre\bin\client\jvm.dll
Current Java thread:at Simple.main(Simple.java:7)…
## HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION# Error ID : 4F530E43505002EF# Please report this error at# http://java.sun.com/cgi-bin/bugreport.cgi## Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode)
.method public static main([Ljava/lang/String;)V …
ldc 205 istore_0 aload_0 iconst_2 iconst_3 iadd ….end method
17cs205: engineering software
Bytecode Verifier• Checks class file is formatted correctly
– Magic number: class file starts with 0xCAFEBABE
– String table, code, methods, etc.• Checks JVML code satisfies safety
properties– Simulates program execution to know
types are correct, but doesn’t need to examine any instruction more than once
18cs205: engineering software
Verifying Safety Properties• Type safe
– Stack and variable slots must store and load as same type
• Memory safe– Must not attempt to pop more values from
stack than are on it– Doesn’t access private fields and methods
outside class implementation
• Control flow safe– Jumps must be to valid addresses within
function, or call/return
19cs205: engineering software
Simulating All Paths
• The bytecode verifier verifies type safety for all possible executions of the program
• Since there are infinitely many paths through the program, how is this possible?
20cs205: engineering software
Verifier (should be) Conservative
JVML programs
Safe programs
Verifiable programs
(Slide from Nate Paul’s ACSAC talk)
21cs205: engineering software
Complexity Increases Risk
JVML programs
Safe programs
Verifiable programs
Bug (Slide from Nate Paul’s ACSAC talk)
22cs205: engineering software
Vulnerabilities in JavaVM
0
5
10
15
20
25
30
35
40
45
0 1 2 3 4 5 6 7 8 9
Vuln
era
bili
ties
Report
ed
Years Since First ReleaseJuly 1996 July 2005
23cs205: engineering software
Where are They?
Verification 12
API bugs 10
Class loading 8
Other or unknown 2Missing policy checks 3
Configuration 4
DoS attacks (crash, consumption) 5
several of these were because of jsr complexity
24cs205: engineering software
Summary:Low-level vs. Policy Security
• Low-level Code Safety:– Type safety, memory safety, control flow
safety– Needed to prevent malcode from
circumventing any policy mechanism• Policy Security:
– Control access and use of resources (files, network, display, etc.)
– Enforced by Java class– Hard part is deciding on a good policy