<br><br><div class="gmail_quote">On Sat, Jun 18, 2011 at 4:20 PM, Gerardo Richarte <span dir="ltr"><<a href="mailto:gera@corest.com">gera@corest.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
<div bgcolor="#ffffff" text="#000000">
On 06/15/11 05:05, Mariano Martinez Peck wrote:
<blockquote type="cite"><br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
and last but not least, you have found 2 security problems in
the VM<br>
(maybe just one, ok).<br>
<br>
The first one is at a language level, where you can break the<br>
encapsulation of objects by executing an arbitrary
CompiledMethod in any<br>
object.<br>
</blockquote>
<div><br>
Yes, but this is already possible with some other primitives
;)<br>
</div>
</div>
</blockquote>
It'd be very interesting to build a list of those primitives. What
others<br>
do you have in mind?</div></blockquote><div><br>mmmm I have in mind only the two that are for executing a CompiledMethod in an object. Those are primitives 188 and 189.<br> "Perform method directly"<br> (188 primitiveExecuteMethodArgsArray)<br>
(189 primitiveExecuteMethod)<br><br>But that only happens by using the bytecode as we saw in this example. I have no idea whether the same can happen from another place. <br><br><br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> In any case, I think there is a subtle
difference<br>
between a bytecode and a primitive. </div></blockquote><div><br>+1<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div bgcolor="#ffffff" text="#000000">
A primitive can be effectively<br>
stopped at language level, by not exposing a method, or
discretionarily<br>
exposing it, or not making the object implementing it reachable. A<br>
bytecode is different, and has to be checked by the interpreter-jit<br>
(runtime environment in general). Well, I think<br>
<br>
<blockquote type="cite">
<div class="gmail_quote">
<div><br>
What I wonder, and what I would really like to know is the
reason why NOT to check bounds. Is all about speed?<br>
</div>
</div>
<br>
</blockquote>
I think yes, it is speed: if every bytecode had to check it, it'd be
a<br>
strong degradation of performance. </div></blockquote><div><br>Do you know what happens in other Smalltalk VMs in this concrete case for example?<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">A more complex implementation<br>
could have a /bytecode verifier/, to check, when the native code is<br>
emitted, if the structure of the receiver, in this case, is suitable
for<br>
the code. In an interpreter, similar checks could be done once, the<br>
first time a method is going to be activated in a certain receiver<br>
(if instance methods are not possible in the system, this could be<br>
cached per class, otherwise somewhat more complex checks have<br>
to be implemented).<br>
<br>
As a note, the Java VM and the Flash VM, at least, have strong
bytecode<br>
verifiers specifically for security reasons.<br>
<br></div></blockquote><div><br>thanks, interesting :)<br><br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div bgcolor="#ffffff" text="#000000">
gera<br>
<br>
<br>
<blockquote type="cite">Thanks<br>
<br clear="all">
<br>
-- <br>
Mariano<br>
<a href="http://marianopeck.wordpress.com" target="_blank">http://marianopeck.wordpress.com</a><br>
<br>
</blockquote>
<br>
</div>
<br></blockquote></div><br><br clear="all"><br>-- <br>Mariano<br><a href="http://marianopeck.wordpress.com" target="_blank">http://marianopeck.wordpress.com</a><br><br>
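<p>An added example, written for this page and not code from the thread or from the Squeak/Pharo VM, of the two points discussed above: primitives 188/189 executing a CompiledMethod on an arbitrary receiver, and an activation-time layout check of the kind gera sketches. It assumes a Squeak/Pharo image where <code>CompiledMethod&gt;&gt;valueWithReceiver:arguments:</code> wraps <code>withArgs:executeMethod:</code> (primitive 188), <code>Point&gt;&gt;#x</code> and <code>Point&gt;&gt;#y</code> are implemented as <code>^ x</code> and <code>^ y</code>, an Association has exactly the two slots key and value, and <code>Behavior&gt;&gt;instSize</code>, <code>isPointers</code>, <code>isVariable</code> and <code>compile:</code> exist; <code>safeValueWithReceiver:arguments:</code> is a hypothetical helper introduced here.</p>

```smalltalk
"Added example, not code from the thread or from the Pharo/Squeak VM."

"1. Encapsulation break. Point>>#x is compiled as 'push instance variable 0; return'.
    Executed on an Association (slots: key, value) through primitive 188 it answers
    the key: the Association never receives a message, its slot is read directly."
| peek |
peek := Point >> #x.
peek valueWithReceiver: (3 -> 4) arguments: #().   "answers 3"

"Point>>#y reads slot 1, so on the same Association it answers the value."
(Point >> #y) valueWithReceiver: (3 -> 4) arguments: #().   "answers 4"

"2. The bounds half of the problem: Object new has no slots at all, so the same
    bytecode reads whatever lies past the object's header. As the thread says, the
    bytecode does not bounds-check it; left commented out on purpose."
"(Point >> #x) valueWithReceiver: Object new arguments: #()."

"3. A hypothetical activation-time check of the kind sketched in the quoted mail:
    refuse to run a method on a receiver whose class has fewer slots than the class
    the method was compiled for, or a different memory layout. It is coarse (it uses
    the class's slot count, not the highest slot index the bytecode actually touches)
    and it restores bounds safety only, not encapsulation."
CompiledMethod compile: 'safeValueWithReceiver: receiver arguments: args
    "Hypothetical guard, not part of the image."
    | home actual |
    home := self methodClass.
    actual := receiver class.
    (actual instSize >= home instSize
        and: [actual isPointers = home isPointers
        and: [actual isVariable = home isVariable]])
            ifFalse: [^ self error: ''receiver layout incompatible with '', home name].
    ^ self valueWithReceiver: receiver arguments: args'.

(Point >> #x) safeValueWithReceiver: (3 -> 4) arguments: #().   "still 3: same layout"
(Point >> #x) safeValueWithReceiver: Object new arguments: #().  "signals an error"
```

<p>The guard accepts any receiver whose class has at least as many pointer slots as the method's home class, which is the same rule inheritance relies on (a subclass only adds slots), so it blocks the out-of-bounds case without blocking legitimate use; a real verifier would look at the bytecodes to find the highest slot actually referenced instead of trusting <code>instSize</code> of the home class.</p>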