Bytecode verifier
Cedric Berger
cedric@berger.to
Tue Mar 30 04:19:00 GMT 2004
Tom Tromey wrote:
>I have run a lot of code through this verifier. Unfortunately there
>are several orders of magnitude fewer bad bytecode examples than there
>are good ones. So it is hard to trust any verifier's capacity to
>detect errors.
I don't know how effective that would be, but it's pretty easy to
create bad bytecode mechanically. For example, just take correct
bytecode, and then run it (uncompressed) through something like that
(untested):
    #include <stdio.h>
    #include <stdlib.h>   /* arc4random(): BSD libc, glibc >= 2.36 */

    int main(void) {
        for (;;) {
            int c = getchar();
            if (c < 0)            /* EOF */
                return (0);
            /* introduce 3 errors randomly every 1000 bytes */
            switch (arc4random() % 1000) {
            case 0: /* remove byte */
                continue;         /* skips the putchar(c) below */
            case 1: /* insert byte */
                putchar(arc4random() & 0xff);
                break;
            case 2: /* replace byte */
                c = arc4random() & 0xff;
                break;
            }
            putchar(c);
        }
    }
Then the resulting bugcode could be fed to both GCJ and Sun's verifier
for comparison.
Variations of that method have been used to detect flaws in SNMP and
OpenSSL recently I think.
Cedric
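
A reproducible variant of the mutator in the message above, as an added example that is not part of the original post: it applies the same three mutations to an in-memory buffer and records where each one landed, so a disagreement between two verifiers can be traced to a specific byte and replayed. The names `mutate`, `mut_rec` and `xorshift32` are hypothetical, and a seedable xorshift generator is swapped in for `arc4random()`, which cannot be seeded.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, hypothetical names. xorshift32 stands in for arc4random()
 * so that a run can be replayed from its seed (which must be non-zero). */
enum mut_kind { MUT_REMOVE, MUT_INSERT, MUT_REPLACE };
struct mut_rec { size_t in_off; enum mut_kind kind; };
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}
/* Mutates in[0..n) into out (capacity cap; 2*n always suffices), touching about
 * 3 of every `per` bytes. Stores up to rec_cap records; *n_rec gets the total.
 * Returns the output length, or (size_t)-1 if out is too small. */
size_t mutate(const uint8_t *in, size_t n, uint8_t *out, size_t cap, uint32_t seed,
              uint32_t per, struct mut_rec *rec, size_t rec_cap, size_t *n_rec) {
    size_t o = 0, nr = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = in[i];
        uint32_t r = xorshift32(&seed) % per;
        if (r < 3) {                            /* one of the three mutations */
            if (nr < rec_cap) { rec[nr].in_off = i; rec[nr].kind = (enum mut_kind)r; }
            nr++;
        }
        if (r == MUT_REMOVE) continue;          /* drop this byte */
        if (r == MUT_INSERT) {                  /* emit a random byte first */
            if (o >= cap) return (size_t)-1;
            out[o++] = (uint8_t)xorshift32(&seed);
        } else if (r == MUT_REPLACE) {
            c = (uint8_t)xorshift32(&seed);
        }
        if (o >= cap) return (size_t)-1;
        out[o++] = c;
    }
    *n_rec = nr;
    return o;
}

int main(void) {
    static uint8_t in[2000], out[4000];  /* constructed input, not a real class file */
    static struct mut_rec rec[2000];
    size_t n_rec, i;
    for (i = 0; i < sizeof in; i++) in[i] = (uint8_t)i;
    size_t n = mutate(in, sizeof in, out, sizeof out, 2004u, 1000, rec, 2000, &n_rec);
    printf("%zu bytes out, %zu mutations\n", n, n_rec);
    for (i = 0; i < n_rec; i++) printf("  input offset %zu: kind %d\n", rec[i].in_off, (int)rec[i].kind);
    return 0;
}
```

Storing the seed next to each mutated file is enough to regenerate it and its mutation list later.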