University of Washington's
Research Findings on the Java Verifier
For more details
Due to the large number of inquiries, additional details about the UW research project and the verifier assurance effort are posted at
http://java.sun.com/security/UWdetails.html. (May 21, 1997)
Background
A team of computer science researchers at the University of Washington has
found a verifier bug as part of a research effort developing automatic
Java(tm) verification services. The research project, Kimera, focuses on
advanced language and operating system topics.
Brian Bershad, Associate Professor of Computer Science, developed a new
verification system, along with graduate student Emin Gun Sirer and
staff programmer Sean McDirmid.
The team built a Java verification system, following the specification
for the verifier in the Java Virtual Machine specification. They then
generated random bytecode patterns and fed the bytecodes into their
verification system, as well as the verifier provided in commercial
Java Virtual Machine implementations.
This led to the discovery of a bug in the JDK 1.1.1 verifier, which is
now fixed in the JDK 1.1.2 verifier. JDK 1.1.2 will be publicly
available in the week of May 26; the fix has been communicated to Java
licensees.
What's the bug?
The JDK 1.1.1 bytecode verifier does not check that the number of
arguments passed into a method is less than the amount of space
allocated to local variables for that method, in its MAXLOCAL
classfile attribute. So, if a method is given more arguments than it
has room for in the space allotted to its local variables, this could
cause a stack overflow, most likely leading to the JVM crashing.
There is no known security attack based on this verifier bug, but
since the bug relates to classloading, which has been the basis for
security attacks in the past, it is appropriate to issue a fix.
What's the fix?
The fix is in the native C code that implements the classloader. The
fix actually incorporates two additional safety checks:
- Check that the number of arguments is smaller than the number of
local variables.
- Check that the number of arguments is fewer than 255, to match
the Java Virtual Machine specification.
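The two checks above can be sketched as a load-time validation of a method's descriptor. This is an added example, not JavaSoft's classloader code. The function names, the result codes, and the exact bounds used (argument slots at most max_locals, the class-file field the page calls MAXLOCAL, and at most 255 including 'this') are assumptions of the example.

```c
#include <stddef.h>

/* Hypothetical result codes for this example. */
enum { ARGS_OK = 0, ARGS_BAD_DESCRIPTOR = -1,
       ARGS_EXCEED_LOCALS = -2, ARGS_EXCEED_LIMIT = -3 };

#define JVM_MAX_ARG_SLOTS 255   /* assumed limit, 'this' included */

/* Count the local-variable slots taken by a method's arguments, from a
 * descriptor such as "(I[JLjava/lang/String;)V". long and double take
 * two slots, array references one; an instance method has one extra
 * slot for 'this'. Returns -1 if the descriptor is malformed. */
static int arg_slots(const char *d, int is_static)
{
    int slots = is_static ? 0 : 1;
    if (d == NULL || *d++ != '(')
        return -1;
    while (*d != ')') {
        int is_array = 0;
        while (*d == '[') { is_array = 1; d++; }
        switch (*d) {
        case 'B': case 'C': case 'F': case 'I': case 'S': case 'Z':
            slots += 1; d++; break;
        case 'J': case 'D':
            slots += is_array ? 1 : 2; d++; break;
        case 'L':
            while (*d != ';') { if (*d == '\0') return -1; d++; }
            slots += 1; d++; break;
        default:
            return -1;  /* includes '\0': unterminated argument list */
        }
        if (slots > JVM_MAX_ARG_SLOTS)
            return JVM_MAX_ARG_SLOTS + 1;  /* saturate; caller rejects */
    }
    return slots;
}

/* Load-time check: the arguments must fit in the declared locals. */
int check_method_args(const char *descriptor, int is_static,
                      unsigned max_locals)
{
    int n = arg_slots(descriptor, is_static);
    if (n < 0) return ARGS_BAD_DESCRIPTOR;
    if (n > JVM_MAX_ARG_SLOTS) return ARGS_EXCEED_LIMIT;
    if ((unsigned)n > max_locals) return ARGS_EXCEED_LOCALS;
    return ARGS_OK;
}
```

A loader that rejects the class when this returns anything other than ARGS_OK never reaches the interpreter with a frame whose locals are too small for its arguments.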
What's the impact?
There are no known security attacks based on exploiting this bug in
the verifier. The practical impact of the bug is therefore understood
to be minimal, and JavaSoft looks forward to continuing to work with
the University of Washington researchers on important aspects of the
Java security model and implementation.
For more info
For more information about Java security and
about the University of Washington's research, check out
java-security@java.sun.com
Last modified: Fri May 16 19:12:31 PDT