<br><br><div class="gmail_quote">On Thu, Mar 24, 2011 at 11:42 AM, Igor Stasenko <span dir="ltr"><<a href="mailto:siguctua@gmail.com">siguctua@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">On 24 March 2011 19:34, Eliot Miranda <<a href="mailto:eliot.miranda@gmail.com">eliot.miranda@gmail.com</a>> wrote:<br>
><br>
><br>
> On Tue, Mar 22, 2011 at 5:34 AM, Stéphane Ducasse<br>
> <<a href="mailto:stephane.ducasse@inria.fr">stephane.ducasse@inria.fr</a>> wrote:<br>
>><br>
>> But why we could not have a byecode validator at the image level that<br>
>> first make sure that byte code are in sync with the format of the objects.<br>
><br>
> Because it can be compromised. An in-image verifier is subject to attack,<br>
> and could be disabled by an attack that got past the in-image verifier<br>
> before it got a chance to run. An in-VM verifier is not possible to<br>
> side-step because it is the only way to execute code. So an in-VM verifier<br>
> can be secure but an in-image one can't and so is pointless.<br>
><br>
</div></div>For real hacker there's nothing impossible :)<br></blockquote><div><br></div><div>True, but it can be much harder. How would you attempt to hack past the fact that the interpreter and JIT code, including the verifier, is in read-only memory? If this is the only route to create executable code, and it always verifies the bytecode before it executes then it is secure right?</div>
<div><br></div><div>[there are issues; one doesn't want to verify a method each time it is activated in the interpreter, but e.g. a bit in the header saying "this method has been verified" might be easy to compromise. I'm not sure it is though, because one big advantage of the current funky method format (half literals, half btes) is that there's only one primitive to construct a method and it has to have a valid header, and there's only one way to modify the header, objectAt:put:. So as far as I can see the VM can in fact preserve the integrty a header flag bit that says "this method has been verified". Am I right or wrong?]</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Right now its not possible to split image to layered onion (like<br>
operating system does, where you have kernel level,<br>
and user level), but i think (at least in theory) such composition<br>
could be implemented, except that sure thing<br>
we don't have resources to invest in this direction.<br>
<br>
It is actually nice field for research (hello guys from academy :)<br>
<div><div></div><div class="h5"><br>
--<br>
Best regards,<br>
Igor Stasenko AKA sig.<br>
<br>
</div></div></blockquote></div><br>