Byte Code Verification

Presentation transcript:

Byte Code Verification
cs205: engineering software, university of virginia, fall 2006

Java Byte Code Instructions
- 0: nop
- 1-20: putting constants on the stack
- 96-119: arithmetic on ints, longs, floats, doubles
What other kinds of instructions do we need?

Other Instructions
- Loading and Storing Variables (65 instructions)
- Control Flow (~20 instructions): if, goto, return
- Method Calls (4 instructions)
- Creating objects (1 instruction)
- Using object fields (4 instructions)
- Arrays (3 instructions)
- checkcast, instanceof

Referencing Memory
- iload <varnum>: Pushes the int in local variable <varnum> (1 byte) on the stack
- istore <varnum>: Pops the int on the top of the stack and stores it in local variable <varnum>
What if you have more than 256 local variables?

Referencing Example

    public class Locals1 {
        static public void main (String args[]) {
            int a = 2;
            int b = 3;
            int c = a + b;
            System.err.println ("c: " + c);
        }
    }

    Method void main(java.lang.String[])
       0 iconst_2
       1 istore_1
       2 iconst_3
       3 istore_2
       4 iload_1
       5 iload_2
       6 iadd
       7 istore_3
       8 getstatic #2 <Field java.io.PrintStream err>
      11 new #3 <Class java.lang.StringBuffer>
      14 dup
      15 invokespecial #4 <Method java.lang.StringBuffer()>
      18 ldc #5 <String "c: ">
      20 invokevirtual #6 <Method java.lang.StringBuffer append(java.lang.String)>
      23 iload_3
      24 invokevirtual #7 <Method java.lang.StringBuffer append(int)>
      27 invokevirtual #8 <Method java.lang.String toString()>
      30 invokevirtual #9 <Method void println(java.lang.String)>
      33 return

Control Flow
- ifeq <label>: Pop an int off the stack. If it is zero, jump to the label. Otherwise, continue normally.
- if_icmple <label>: Pop two ints off the stack. If the second one is <= the first one, jump to the label. Otherwise, continue normally.

Method Calls
invokevirtual <method>
Invokes the method <method> on the parameters and object on the top of the stack. Finds the appropriate method at run-time based on the actual type of the this object.

    invokevirtual <Method void println(java.lang.String)>

Method Calls
invokestatic <method>
Invokes a static (class) method <method> on the parameters on the top of the stack. Finds the appropriate method at run-time based on the actual type of the this object.

Example

    public class Sample1 {
        static public void main (String args[]) {
            System.err.println ("Hello!");
            System.exit (1);
        }
    }

    > javap -c Sample1
    Compiled from Sample1.java
    public class Sample1 extends java.lang.Object {
        public Sample1();
        public static void main(java.lang.String[]);
    }

    Method Sample1()
       0 aload_0
       1 invokespecial #1 <Method java.lang.Object()>
       4 return

    Method void main(java.lang.String[])
       0 getstatic #2 <Field java.io.PrintStream err>
       3 ldc #3 <String "Hello!">
       5 invokevirtual #4 <Method void println(java.lang.String)>
       8 iconst_1
       9 invokestatic #5 <Method void exit(int)>
      12 return

The Worst Instruction
http://java.sun.com/docs/books/vmspec/2nd-edition/html/Instructions2.doc7.html

jsr
Operation: Jump subroutine
Format: jsr branchbyte1 branchbyte2
Operand Stack: ... => ..., address
Description: The address of the opcode of the instruction immediately following this jsr instruction is pushed onto the operand stack as a value of type returnAddress. The unsigned branchbyte1 and branchbyte2 are used to construct a signed 16-bit offset, where the offset is (branchbyte1 << 8) | branchbyte2. Execution proceeds at that offset from the address of this jsr instruction. The target address must be that of an opcode of an instruction within the method that contains this jsr instruction.
Notes: The jsr instruction is used with the ret instruction in the implementation of the finally clauses of the Java programming language. Note that jsr pushes the address onto the operand stack and ret gets it out of a local variable. This asymmetry is intentional.

Try-Catch-Finally

    public class JSR {
        static public void main (String args[]) {
            try {
                System.out.println("hello");
            } catch (Exception e) {
                System.out.println ("There was an exception!");
            } finally {
                System.out.println ("I am finally here!");
            }
        }
    }

    Method void main(java.lang.String[])
       0 getstatic #2 <Field java.io.PrintStream out>
       3 ldc #3 <String "hello">
       5 invokevirtual #4 <Method void println(java.lang.String)>
       8 jsr 35
      11 goto 46
      14 astore_1
      15 getstatic #2 <Field java.io.PrintStream out>
      18 ldc #6 <String "There was an exception!">
      20 invokevirtual #4 <Method void println(java.lang.String)>
      23 jsr 35
      26 goto 46
      29 astore_2
      30 jsr 35
      33 aload_2
      34 athrow
      35 astore_3
      36 getstatic #2 <Field java.io.PrintStream out>
      39 ldc #7 <String "I am finally here!">
      41 invokevirtual #4 <Method void println(java.lang.String)>
      44 ret 3
      46 return

    Exception table:
      from   to  target  type
         0    8      14  <Class java.lang.Exception>
         0   11      29  any
        14   26      29  any
        29   33      29  any

Java Bytecode Verifier
[Diagram: malcode.java -> javac Compiler -> malcode.class (JVML) -> Java Bytecode Verifier -> either Invalid (STOP) or “Okay” (JavaVM). Other labels: Trusted Computing Base, Joe User.]

Running Mistyped Code

    .method public static main([Ljava/lang/String;)V
      …
      iconst_2
      istore_0
      aload_0
      iconst_3
      iadd
      return
    .end method

    > java Simple
    Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type

    > java -noverify Simple
    result: 5

Running Mistyped Code

    .method public static main([Ljava/lang/String;)V
      …
      ldc 205
      istore_0
      aload_0
      iconst_2
      iconst_3
      iadd
    .end method

    > java -noverify Simple
    Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x809DCEB
    Function=JVM_FindSignal+0x1105F
    Library=C:\j2sdk1.4.2\jre\bin\client\jvm.dll
    Current Java thread:
      at Simple.main(Simple.java:7)
    …
    #
    # HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION
    # Error ID : 4F530E43505002EF
    # Please report this error at
    # http://java.sun.com/cgi-bin/bugreport.cgi
    # Java VM: Java HotSpot(TM) Client VM (1.4.2-b28 mixed mode)

Bytecode Verifier
- Checks class file is formatted correctly
    - Magic number: class file starts with 0xCAFEBABE
    - String table, code, methods, etc.
- Checks JVML code satisfies safety properties
    - Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once

Verifying Safety Properties
- Type safe
    - Stack and variable slots must store and load as same type
- Memory safe
    - Must not attempt to pop more values from stack than are on it
    - Doesn’t access private fields and methods outside class implementation
- Control flow safe
    - Jumps must be to valid addresses within function, or call/return
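The control-flow rule can be checked mechanically. The following is an added example, not code from the lecture or from any JVM: it decodes the signed 16-bit jsr/goto offset the way the jsr description specifies and rejects targets that are not the start of an instruction. The bytes in JSR_MAIN are constructed by hand from the JSR listing, the length table covers only the opcodes that listing uses, and all names are assumptions made for the example.

```python
import struct

# Opcode -> instruction length in bytes; only the opcodes used in the JSR listing.
LENGTH = {0xB2: 3, 0x12: 2, 0xB6: 3, 0xA8: 3, 0xA7: 3, 0x4C: 1, 0x4D: 1,
          0x4E: 1, 0x2C: 1, 0xBF: 1, 0xA9: 2, 0xB1: 1}
BRANCHES = {0xA8: "jsr", 0xA7: "goto"}

# Constructed sample: JSR.main assembled by hand from the listing (47 bytes).
JSR_MAIN = bytes.fromhex(
    "b20002" "1203" "b60004" "a8001b" "a70023"        # offsets 0..13
    "4c" "b20002" "1206" "b60004" "a8000c" "a70014"   # offsets 14..28
    "4d" "a80005" "2c" "bf"                           # offsets 29..34
    "4e" "b20002" "1207" "b60004" "a903" "b1")        # offsets 35..46
# Constructed sample: the first jsr now points into the middle of getstatic at 36.
TAMPERED = JSR_MAIN[:10] + b"\x1d" + JSR_MAIN[11:]

def branch_target(code, pc):
    """Target of the jsr/goto at pc: pc plus the signed 16-bit big-endian offset."""
    (offset,) = struct.unpack(">h", code[pc + 1:pc + 3])
    return pc + offset

def check_branches(code):
    """Return the control-flow violations found; an empty list means none."""
    starts, pc = set(), 0
    while pc < len(code):  # pass 1: find where each instruction starts
        if code[pc] not in LENGTH:
            return ["unknown opcode 0x%02x at %d" % (code[pc], pc)]
        starts.add(pc)
        pc += LENGTH[code[pc]]
    if pc != len(code):
        return ["last instruction runs past the end of the code"]
    errors = []
    for pc in sorted(starts):  # pass 2: every branch must land on a start
        if code[pc] in BRANCHES:
            target = branch_target(code, pc)
            if target not in starts:
                errors.append("%s at %d targets %d: not the start of an instruction"
                              % (BRANCHES[code[pc]], pc, target))
    return errors
```

A target that passes this check is only control-flow safe; whether the types are right at that target is a separate check.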

Simulating All Paths
The bytecode verifier verifies type safety for all possible executions of the program. Since there are infinitely many paths through the program, how is this possible?
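One way to cover every path without running the program is to simulate types instead of values and to join the states of paths that meet, revisiting an instruction only when the joined types reaching it change. This added example (not the lecture's code or Sun's verifier) does that for a toy subset of JVML with four local slots; the opcode spellings with explicit operands, the instruction-index jump targets, and the LOOP and JOIN programs are assumptions made for the example, while MISTYPED is the first mistyped method from the slides.

```python
INT, REF, TOP = "int", "ref", "unusable"  # TOP: two paths disagree on the type
OPS = {  # opcode: (types popped, types pushed); a toy subset of JVML
    "iconst": ([], [INT]), "iadd": ([INT, INT], [INT]), "ifeq": ([INT], []),
    "istore": ([INT], []), "iload": ([], [INT]), "aload": ([], [REF]),
    "goto": ([], []), "return": ([], [])}
MISTYPED = "iconst 2; istore 0; aload 0; iconst 3; iadd; return"  # from the slide
LOOP = "iconst 0; ifeq 0; return"  # constructed: never terminates at run time
JOIN = "iconst 0; ifeq 4; iconst 1; istore 0; aload 0; return"  # constructed

class VerifyError(Exception):
    """The simulated types show the code is not safe to run."""

def merge(a, b):  # join the (locals, stack) states of two paths reaching one pc
    if len(a[1]) != len(b[1]):
        raise VerifyError("Inconsistent stack height")
    return tuple(tuple(x if x == y else TOP for x, y in zip(p, q)) for p, q in zip(a, b))

def step(op, arg, locs, stack):  # acts on types only; no value is ever computed
    pops, pushes = OPS[op]
    locs, stack = list(locs), list(stack)
    if op in ("iload", "aload") and locs[arg] != pushes[0]:
        raise VerifyError("Register %d contains wrong type" % arg)
    for want in pops:
        got = stack.pop() if stack else "empty stack"
        if got != want:
            raise VerifyError("Expecting %s on stack, found %s" % (want, got))
    if op == "istore":
        locs[arg] = INT
    return tuple(locs), tuple(stack + pushes)

def verify(text):  # "ok" or the first error; jump targets are instruction indexes
    code = [(w[0], int(w[1]) if len(w) > 1 else None) for w in map(str.split, text.split(";"))]
    state, work = {0: ((REF, TOP, TOP, TOP), ())}, [0]  # local 0 = String[] args
    try:
        while work:
            pc = work.pop()
            op, arg = code[pc]
            out = step(op, arg, *state[pc])
            nexts = {"goto": [arg], "ifeq": [arg, pc + 1], "return": []}
            for t in nexts.get(op, [pc + 1]):
                if not 0 <= t < len(code):
                    raise VerifyError("Illegal jump target or falling off the end")
                new = merge(state[t], out) if t in state else out
                if state.get(t) != new:  # revisit only if the joined types changed
                    state[t] = new
                    work.append(t)
    except VerifyError as e:
        return str(e)
    return "ok"
```

LOOP verifies even though it runs forever, because the state reaching instruction 0 never changes; JOIN is rejected because local 0 is a reference on one path and an int on the other when aload runs.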

Verifier (should be) Conservative
[Diagram: sets labeled JVML programs, Safe programs, Verifiable programs]
(Slide from Nate Paul’s ACSAC talk)

Complexity Increases Risk
[Diagram: sets labeled JVML programs, Safe programs, Verifiable programs, with a region marked Bug]
(Slide from Nate Paul’s ACSAC talk)

Vulnerabilities in JavaVM
[Chart: Vulnerabilities Reported (axis 0 to 45) against Years Since First Release (1 to 9, July 1996 to July 2005)]

Where are They?

    Verification                        12
    API bugs                            10
    Class loading                        8
    Other or unknown                     2
    Missing policy checks                3
    Configuration                        4
    DoS attacks (crash, consumption)     5

several of these were because of jsr complexity

Summary: Low-level vs. Policy Security
- Low-level Code Safety:
    - Type safety, memory safety, control flow safety
    - Needed to prevent malcode from circumventing any policy mechanism
- Policy Security:
    - Control access and use of resources (files, network, display, etc.)
    - Enforced by Java class
    - Hard part is deciding on a good policy

Charge
- Monday:
    - Quiz 4: will cover through Friday’s lecture on the Java bytecode verifier
    - Using CVS (Dan)
- Friday: project design documents due