[PATCH] full bytecode verification

Jason Baker jbaker at cs.utah.edu
Fri Aug 3 08:31:21 PDT 2001


> The current Kaffe bytecode verification code can verify only the
> basic Java types. It does not properly handle reference types and
> arrays of references. The lack of full bytecode verification
> allows an attacker to circumvent all Java security.
> 
> Attached is a patch that adds full bytecode verification to Kaffe.
> The patch applies cleanly to the CVS code from Aug 03, 2001 and
> can be easily applied to Kaffe 1.0.6 manually (one hunk fails
> because of whitespace).
> 
> It was written by Dr. Joel Jones <jjones at uiuc.edu> for Kaffe 0.9.2
> and ported to the 1.0.6 and the latest CVS version by me.
> 
> The patch has been tested on Linux/i386 and Solaris/Sparc.
> 
> We would appreciate any feedback and additional testing results.

Does the verifier accept the class below?  From a brief look at the
code and vmspec sec. 4.9.2, it looks like the conditionals in makeI
and makeJ should produce the nearest superclass, Object.  But, jdk-1.2
accepts both methods.  Note that there is no nearest supertype
including interfaces.

Jason
----------------------------------------------------------------------
class IMerge {
  interface I { void imeth(); }
  interface J { void jmeth(); }
  // I1 and I2 are unrelated to each other; both extend I and J, so their
  // only common *class* ancestor is Object.
  interface I1 extends I, J { }
  interface I2 extends I, J { }

  I1 makeI1() { return null; }
  I2 makeI2() { return null; }

  boolean need2;

  // Both arms of the conditional leave a different interface type on the
  // stack; the verifier must merge them at the join before invokeinterface.
  I makeI() {
    I r = (need2 ? (I) makeI2() : (I) makeI1());
    r.imeth();
    return r;
  }

  J makeJ() {
    J r = (need2 ? (J) makeI2() : (J) makeI1());
    r.jmeth();
    return r;
  }

  // Parameter names changed from "_" / "__" so the class also compiles on
  // javac releases that reserve "_"; behaviour is unchanged.
  public static void main(String[] args) {
    try { new IMerge().makeI(); }
    catch (NullPointerException ignored) { }

    try { new IMerge().makeJ(); }
    catch (NullPointerException ignored) { }
  }
}
--------------------------output of KOPI dis--------------------------
    /**
     * makeI
     *
     * @stack   2
     * @locals  2
     */
    IMerge$I makeI() {
        @line   13
                @aload          0
                @getfield       boolean IMerge.need2
                @ifeq           _L6
                @aload          0
                @invokevirtual  IMerge$I2 IMerge.makeI2()
                @goto           _L8
        _L6:    @aload          0
                @invokevirtual  IMerge$I1 IMerge.makeI1()
        _L8:    @astore         1
        @line   14
                @aload          1
                @invokeinterface        void IMerge$I.imeth() 1
        @line   15
                @aload          1
                @areturn        
    }


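The question above turns on what a verifier does at the join label _L8, where one path leaves IMerge$I2 on the operand stack and the other IMerge$I1. The following model is an added illustration written for this thread, not Kaffe's verifier or the patch under discussion: it implements the vmspec 4.9.2 merge (nearest common superclass, so two distinct interfaces collapse to java/lang/Object), shows that I1 and I2 have no unique least upper bound once interfaces are considered, and contrasts the JDK rule that an interface target is checked like Object (which is why jdk-1.2 accepts makeI) with a hypothetical strict check that would reject it. The class hierarchy is constructed to mirror IMerge; `is_assignable_strict` and `verify_invoke_at_join` are names invented here.

```python
# Model of the JVM verifier's reference-type merge at a control-flow join.
# Added example for the IMerge discussion; not Kaffe code.  The hierarchy is
# constructed to mirror the posted IMerge class, using JVM internal names.

from typing import Dict, List, Optional, Set, Tuple

OBJECT = "java/lang/Object"
NULL = "null"  # verifier type of a null reference (aconst_null, a returned null)

# name -> (superclass, direct superinterfaces, is_interface)
HIERARCHY: Dict[str, Tuple[Optional[str], Tuple[str, ...], bool]] = {
    OBJECT:      (None,   (),                       False),
    "IMerge":    (OBJECT, (),                       False),
    "IMerge$I":  (OBJECT, (),                       True),
    "IMerge$J":  (OBJECT, (),                       True),
    "IMerge$I1": (OBJECT, ("IMerge$I", "IMerge$J"), True),
    "IMerge$I2": (OBJECT, ("IMerge$I", "IMerge$J"), True),
}


def is_interface(t: str) -> bool:
    return HIERARCHY[t][2]


def superclass_chain(t: str) -> List[str]:
    """t, its superclass, ... up to java/lang/Object.  Interfaces have
    Object as their superclass in the class file, so they chain straight there."""
    chain: List[str] = []
    cur: Optional[str] = t
    while cur is not None:
        chain.append(cur)
        cur = HIERARCHY[cur][0]
    return chain


def supertypes(t: str) -> Set[str]:
    """All supertypes of t (itself, superclasses and superinterfaces, transitively)."""
    seen: Set[str] = set()
    todo = [t]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        sup, ifaces, _ = HIERARCHY[cur]
        if sup is not None:
            todo.append(sup)
        todo.extend(ifaces)
    return seen


def common_supertypes(a: str, b: str) -> Set[str]:
    return supertypes(a) & supertypes(b)


def least_upper_bound(a: str, b: str) -> Optional[str]:
    """Unique most-specific common supertype, or None when there is none.
    I1 and I2 share I, J and Object, and neither I nor J is below the other."""
    common = common_supertypes(a, b)
    minimal = [t for t in common
               if not any(u != t and t in supertypes(u) for u in common)]
    return minimal[0] if len(minimal) == 1 else None


def merge(a: str, b: str) -> str:
    """vmspec 4.9.2 merge of two reference types at a join: identical types
    merge to themselves, null merges to the other type, otherwise the result
    is the nearest common *superclass*.  Interfaces never appear in a
    superclass chain, so two distinct interface types collapse to Object."""
    if a == b:
        return a
    if a == NULL:
        return b
    if b == NULL:
        return a
    chain_b = superclass_chain(b)
    for t in superclass_chain(a):
        if t in chain_b:
            return t
    return OBJECT


def is_assignable(target: str, actual: str) -> bool:
    """Assignability as the JDK verifier checks it: an interface target is
    treated like java/lang/Object, so any reference is accepted and the real
    check is left to invokeinterface at run time."""
    if actual == NULL or target == OBJECT or is_interface(target):
        return True
    return target in superclass_chain(actual)


def is_assignable_strict(target: str, actual: str) -> bool:
    """Hypothetical strict rule (not what the JDK does): the merged type must
    really implement the interface.  Rejects makeI, since Object is not an I."""
    return actual == NULL or target in supertypes(actual)


def verify_invoke_at_join(path_types: List[str], receiver: str,
                          strict: bool = False) -> Tuple[str, bool]:
    """Merge the stack-top types arriving at a join, then check the receiver
    type the following invokeinterface expects.  Returns (merged, accepted)."""
    merged = path_types[0]
    for t in path_types[1:]:
        merged = merge(merged, t)
    check = is_assignable_strict if strict else is_assignable
    return merged, check(receiver, merged)


if __name__ == "__main__":
    # The join at _L8 in makeI: IMerge$I2 from one path, IMerge$I1 from the other.
    merged, ok = verify_invoke_at_join(["IMerge$I2", "IMerge$I1"], "IMerge$I")
    print(f"merged type at _L8: {merged}; invokeinterface I.imeth accepted: {ok}")
    print("unique least upper bound of I1, I2:",
          least_upper_bound("IMerge$I1", "IMerge$I2"))
```

Under the JDK rule the merged type is Object and the invokeinterface is accepted, matching what jdk-1.2 does; under the strict rule the same method is rejected, which is the outcome a verifier that insists on a nearest supertype including interfaces would have to choose, since no unique one exists.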