cs205: engineering software?
20 September 2010

CS205 Notes 31 (3 November 2006)

Upcoming Schedule

  • Monday, November 6: Quiz 4 — the quiz will cover everything up to (and including) today's class, but will focus mostly on material since the midterm exam
  • Friday, November 10 (beginning of class) — project design document
  • week of November 13 — project design reviews
  • week of November 27 — project progress reports
  • Monday, December 4 (in class) — project presentations/demos
  • Tuesday, December 5 (before 5pm) — project final reports including code and teammate assessments

    Bytecode Verifier

    Explain how a Java VM (bytecode) program could violate low-level code safety properties. What safety properties can and cannot be enforced by the Java bytecode verifier?

    How can the bytecode verifier make claims about infinitely many possible paths of a Java program?

    What is bad about the jsr instruction?
    (from the Java Virtual Machine Specification:)
    jsr [branchbyte1] [branchbyte2]

    Operand Stack: ... ==> ..., address

    The address of the opcode of the instruction immediately following this jsr instruction is pushed onto the operand stack as a value of type returnAddress. The unsigned branchbyte1 and branchbyte2 are used to construct a signed 16-bit offset, where the offset is (branchbyte1 << 8) | branchbyte2. Execution proceeds at that offset from the address of this jsr instruction. The target address must be that of an opcode of an instruction within the method that contains this jsr instruction.

    The jsr instruction is used with the ret instruction in the implementation of the finally clauses of the Java programming language. Note that jsr pushes the address onto the operand stack and ret gets it out of a local variable. This asymmetry is intentional.
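The decoding and target rule from the specification text above, as an added Python example (not part of the original notes or of the JVM specification): it builds the signed 16-bit offset, computes the returnAddress that jsr pushes, and rejects targets that fall outside the method or inside another instruction. The three sample methods are constructed, and the opcode length table is an assumption that covers only the opcodes they use.

```python
# Added example: decode a jsr instruction and apply the target rule quoted above.
# Opcode values follow the JVM specification; the length table is deliberately
# partial: nop, astore, goto, jsr, ret, return (enough for the samples below).
JSR = 0xA8
OPCODE_LENGTH = {0x00: 1, 0x3A: 2, 0xA7: 3, 0xA8: 3, 0xA9: 2, 0xB1: 1}


def instruction_starts(code):
    """Linear sweep: return the set of offsets that hold an opcode."""
    starts, pc = set(), 0
    while pc < len(code):
        starts.add(pc)
        pc += OPCODE_LENGTH[code[pc]]  # KeyError on opcodes outside the table
    if pc != len(code):
        raise ValueError("last instruction runs past the end of the method")
    return starts


def decode_jsr(code, pc):
    """Return (return_address, target) for the jsr at offset pc."""
    if pc + 2 >= len(code) or code[pc] != JSR:
        raise ValueError("no complete jsr at offset %d" % pc)
    raw = (code[pc + 1] << 8) | code[pc + 2]          # unsigned 16-bit value
    offset = raw - 0x10000 if raw & 0x8000 else raw   # reinterpret as signed
    return pc + 3, pc + offset                        # jsr is 3 bytes long


def check_jsr(code, pc):
    """Static constraint: the target must be an opcode inside this method."""
    return_address, target = decode_jsr(code, pc)
    if not 0 <= target < len(code):
        return "reject: target %d is outside the method" % target
    if target not in instruction_starts(code):
        return "reject: target %d is inside an instruction" % target
    return "ok: push returnAddress %d, continue at %d" % (return_address, target)


# Constructed methods, all of the form: jsr <offset>; return; astore 1; ret 1
GOOD = bytes([0xA8, 0x00, 0x04, 0xB1, 0x3A, 0x01, 0xA9, 0x01])
MID_INSN = bytes([0xA8, 0x00, 0x05, 0xB1, 0x3A, 0x01, 0xA9, 0x01])
NEGATIVE = bytes([0xA8, 0xFF, 0xFC, 0xB1, 0x3A, 0x01, 0xA9, 0x01])

if __name__ == "__main__":
    for method in (GOOD, MID_INSN, NEGATIVE):
        print(check_jsr(method, 0))
```

In MID_INSN the target is the operand byte of astore, which would be executed as a different opcode if the jump were allowed; NEGATIVE shows why the two branch bytes must be read as a signed value.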

    Must security enforcement in Java be divided between the bytecode verifier and reference monitor?

    What are the vulnerabilities in the Java security approach?