Notes 31

CS205 Notes 31 (3 November 2006)

Upcoming Schedule

Monday, November 6: Quiz 4 — the quiz will cover everything up to (and including) today's class, but will focus mostly on material since the midterm exam

Friday, November 10 (beginning of class) — project design document

week of November 13 — project design reviews

week of November 27 — project progress reports

Monday, December 4 (in class) — project presentations/demos

Tuesday, December 5 (before 5pm) — project final reports including code and teammate assessments

Bytecode Verifier

Explain how a Java VM (byte codes) program could violate low-level code safety properties:

Type Safety
Memory Safety
Control Flow Safety

What safety properties can and cannot be enforced by the Java byte code verifier?

How can the bytecode verifier make claims about infinitely many possible paths of a Java program?

What is bad about the jsr instruction?

(from the Java Virtual Machine Specification:)
jsr [branchbyte1] [branchbyte2]
Operand Stack: ... ==> ..., address
Description
The address of the opcode of the instruction immediately following this jsr instruction is pushed onto the operand stack as a value of type returnAddress. The unsigned branchbyte1 and branchbyte2 are used to construct a signed 16-bit offset, where the offset is (branchbyte1 << 8) | branchbyte2. Execution proceeds at that offset from the address of this jsr instruction. The target address must be that of an opcode of an instruction within the method that contains this jsr instruction.
Notes
The jsr instruction is used with the ret instruction in the implementation of the finally clauses of the Java programming language. Note that jsr pushes the address onto the operand stack and ret gets it out of a local variable. This asymmetry is intentional.

Must security enforcement in Java be divided between the bytecode verifier and reference monitor?

What are the vulnerabilities in the Java security approach?