[cap-talk] Security and Full Abstraction (was: Cap OS question)
Bill Frantz
frantz at pwpconsult.com
Wed Sep 9 19:09:07 PDT 2009
daw at cs.berkeley.edu (David Wagner) on Wednesday, September 9, 2009 wrote:
>> The idea that a Java(1) ->
>> byte-code(1) -> Java(2) -> byte-code(2) process would result in
>> byte-code(2) having the same meaning as the first byte-code(1) seems risky.
>
>Can you elaborate on your reasoning? Are you arguing that the
>possibility of obfuscation is relevant here? I don't quite see how?
>If (a) the bytecode->source disassembler is correct, and (b) the
>source->bytecode compiler is correct, then presumably this pipeline
>will be correct. By correct, I mean that if the program is unable to
>provide a semantics-preserving transformation of its input, it must fail
>(abort with a visible error, rather than producing incorrect output).
>The possibility of obfuscation demonstrates that any correct disassembler
>must be prepared to abort on some bytecode-inputs, but I'm not sure
>whether it demonstrates anything more.
>
>Of course, the crucial question is whether assumptions (a) and (b)
>are valid. Assumption (b) looks maybe somewhat plausible: if it is
>violated, you've found a bug in the Java compiler, which I suppose maybe
>one could argue is somewhat unlikely (since Java compilers are probably
>pretty well-tested). On the other hand assumption (a) looks considerably
>more questionable, as disassemblers probably aren't tested anywhere near
>as widely as existing Java compilers. I don't know what to do about that.
It seems risky, as you say, to rely on the correctness of the
bytecode->source disassembler step. The only thing that obfuscators
demonstrate is that there are bytecode sequences which cannot be produced
by a correct Java compiler. Test data for such a disassembler will have to
be produced by other tools which are themselves low-use items, and
therefore of questionable correctness and completeness.
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz |"After all, if the conventional wisdom was working, the
408-356-8506 | rate of systems being compromised would be going down,
www.periwinkle.com | wouldn't it?" -- Marcus Ranum
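The round-trip pipeline the thread is debating, worked through on a toy stack machine as an added example (this is not code from the list or from any Java tool): a decompiler that either reconstructs a source expression or aborts, a deterministic compiler, and a checker that recompiles the result and demands identical bytecode. The instruction set, the source language and the sample programs are all constructed here; the two "obfuscated" inputs compute the same value as clean code but contain sequences the toy compiler never emits, which is exactly the case where a correct disassembler must abort rather than guess.

```python
"""Toy bytecode -> source -> bytecode round trip with a fail-closed decompiler.
Everything here (instruction set, source language, sample programs) is
constructed for illustration; it is not Java bytecode or any real tool."""
from dataclasses import dataclass
from typing import Union

# --- source language: arithmetic expression trees ---------------------------
@dataclass(frozen=True)
class Num:
    value: int

@dataclass(frozen=True)
class BinOp:
    op: str            # "+" or "*"
    left: "Expr"
    right: "Expr"

Expr = Union[Num, BinOp]

# --- bytecode: list of (opcode, operand) for a stack machine -----------------
# The toy compiler only ever emits PUSH, ADD, MUL and one final RET.
# JMP exists in the machine but no correct compiler run produces it, so a
# JMP in the input is a sequence the decompiler cannot honestly express.

def compile_expr(e: Expr) -> list:
    """Deterministic postfix code generation (one encoding per tree)."""
    if isinstance(e, Num):
        return [("PUSH", e.value)]
    code = compile_expr(e.left) + compile_expr(e.right)
    return code + [("ADD" if e.op == "+" else "MUL", None)]

def compile_program(e: Expr) -> list:
    return compile_expr(e) + [("RET", None)]

def run(bytecode: list) -> int:
    """Reference interpreter; used only to show that rejected inputs are
    still semantically valid programs for the machine."""
    stack, pc = [], 0
    while True:
        op, arg = bytecode[pc]
        if op == "PUSH":
            stack.append(arg); pc += 1
        elif op in ("ADD", "MUL"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "ADD" else a * b); pc += 1
        elif op == "JMP":
            pc = arg
        elif op == "RET":
            return stack[-1]

class DecompileError(Exception):
    """Raised when the input cannot be expressed in the source language."""

def decompile(bytecode: list) -> Expr:
    """Rebuild an expression tree, or abort with a visible error: never
    emit a 'plausible' source form for input the language cannot express."""
    stack = []
    for pc, (op, arg) in enumerate(bytecode):
        if op == "PUSH":
            stack.append(Num(arg))
        elif op in ("ADD", "MUL"):
            if len(stack) < 2:
                raise DecompileError(f"stack underflow at {pc}")
            right, left = stack.pop(), stack.pop()
            stack.append(BinOp("+" if op == "ADD" else "*", left, right))
        elif op == "RET":
            if len(stack) != 1:
                raise DecompileError(
                    f"{len(stack)} values on stack at RET; source needs exactly one")
            return stack[0]
        else:
            # JMP or unknown opcode: unstructured control flow, no source form
            raise DecompileError(f"unsupported opcode {op} at {pc}")
    raise DecompileError("no RET")

def verify_roundtrip(bytecode: list) -> Expr:
    """Decompile, recompile, and insist on identical bytecode.  This second
    layer catches inputs the decompiler accepted but did not fully account
    for (for example dead code after RET)."""
    src = decompile(bytecode)
    if compile_program(src) != bytecode:
        raise DecompileError("recompiled code differs from input")
    return src

def check(bytecode: list) -> tuple:
    """('ok', source) or ('abort', reason)."""
    try:
        return ("ok", verify_roundtrip(bytecode))
    except DecompileError as e:
        return ("abort", str(e))

# --- constructed sample programs -------------------------------------------
CLEAN = compile_program(BinOp("*", BinOp("+", Num(2), Num(3)), Num(4)))
# same result as PUSH 2 PUSH 3 ADD RET, but jumps over junk no compiler emits
JUMP_OBFUSCATED = [("PUSH", 2), ("PUSH", 3), ("ADD", None), ("JMP", 6),
                   ("PUSH", 0), ("ADD", None), ("RET", None)]
# extra value left below the result; the machine still returns 5
STACK_RESIDUE = [("PUSH", 7), ("PUSH", 2), ("PUSH", 3), ("ADD", None), ("RET", None)]
# dead code after RET: decompiler accepts it, recompile check rejects it
TRAILING_DEAD = [("PUSH", 5), ("RET", None), ("PUSH", 1)]

if __name__ == "__main__":
    for name, bc in [("clean", CLEAN), ("jump", JUMP_OBFUSCATED),
                     ("residue", STACK_RESIDUE), ("trailing", TRAILING_DEAD)]:
        print(name, "runs to", run(bc), "->", check(bc))
```

The three rejected inputs all evaluate to 5 on the machine, so a decompiler that tried to be "helpful" could have produced `2 + 3` for each of them and been right by luck; the point of the abort is that the tool has no way to know that, and the recompile comparison is the cheap check that exposes anything the decompiler silently dropped. Note also why the test-data problem in the post is real: the obfuscated samples had to be written by hand here, because the compiler, by construction, cannot produce them.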