[e-lang] Fwd: Another good one from the "surprising Java tricks" file

Mark Miller erights at gmail.com
Thu Aug 16 20:12:47 EDT 2007


Depending on how the Joe-E verifier is to be used to guard loading
into a Java environment, I could imagine this attack might have gotten
past it. My statement to the contrary below is confused. As Dan's
command sequence demonstrates, this attack happens, in some sense,
purely at the Java source level.


Forwarded Conversation
Subject: Another good one from the "surprising Java tricks" file
------------------------

From: Dan Bornstein <danfuzz at google.com>
To: Mark Miller <erights at google.com>
Date: Thu, Aug 16, 2007 at 12:21 PM

We just ran into this one. What is the output of this method?:

    public void isRunnable(Runnable r) {
        System.err.println(r instanceof Runnable);
    }

-dan

--------
From: Dan Bornstein <danfuzz at google.com>
To: Mark Miller <erights at google.com>
Date: Thu, Aug 16, 2007 at 12:23 PM

Sorry, I fired too soon. I mean, what is the output of this method?:

    public void isRunnable(Runnable r) {
        System.err.println((r == null) || (r instanceof Runnable));
    }

-dan

--------
From: Mark S. Miller <erights at google.com>
To: Dan Bornstein <danfuzz at google.com>
Date: Thu, Aug 16, 2007 at 12:33 PM

Ok, this one surprises me. How can this print non-true?


--
    Cheers,
    --MarkM

--------
From: Dan Bornstein <danfuzz at google.com>
To: "Mark S. Miller" <erights at google.com>
Date: Thu, Aug 16, 2007 at 12:38 PM

Compile the two files below in sequence, and then run *with
verification enabled* (just to emphasize that this isn't a verifier
trick). Transcript at the bottom. Further explanation provided on
demand.

-dan

########## TrueRight.java

public class TrueRight {
    static public void main(String[] args) {
        Runnable r = new Blort();
        isRunnable(r);
    }

    static public void isRunnable(Runnable r) {
        System.err.println((r == null) || (r instanceof Runnable));
    }
}

class Blort implements Runnable {
    public void run() { }
}

########## Blort.java
class Blort { }

########## transcript
[blort 577]$ javac -d classes TrueRight.java
[blort 578]$ javac -d classes Blort.java
[blort 579]$ java -Xverify:all -cp classes TrueRight
false

--------
From: Mark S. Miller <erights at google.com>
To: Dan Bornstein <danfuzz at google.com>
Date: Thu, Aug 16, 2007 at 12:50 PM

On 8/16/07, Dan Bornstein <danfuzz at google.com> wrote:
> Compile the two files below in sequence, and then run *with
> verification enabled* (just to emphasize that this isn't a verifier
> trick). Transcript at the bottom. Further explanation provided on
> demand.

I see that there are two class Blorts, one a Runnable and one not. But
I still can't figure out how this could possibly work.

Ok, I demand ;). How?

--
    Cheers,
    --MarkM

--------
From: Dan Bornstein <danfuzz at google.com>
To: "Mark S. Miller" <erights at google.com>
Date: Thu, Aug 16, 2007 at 1:02 PM

On 8/16/07, Mark S. Miller <erights at google.com> wrote:
> I see that there are two class Blorts, one a Runnable and one not. But
> I still can't figure out how this could possibly work.

To be clear, the second Blort replaces the first, since
Java-the-language won't compile TrueRight against the second Blort.

> Ok, I demand ;). How?

The JVM (as specified) treats interfaces differently than
Java-the-language. In particular, there is only one place where the VM
is specified to check if an object implements a purported interface,
and that is during invokeinterface, which could cause a throw of
IncompatibleClassChangeError *at runtime*. The only other way declared
interfaces matter to the VM is that they can be used to distinguish
between overloaded methods, but that is effectively a textual
comparison; the actual types of arguments don't have any bearing on
that. The verifier, in a fairly fundamental way, treats interface
types as equivalent to Object.

-dan

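The following is an added example, not code from this thread. It reuses Dan's build trick (compile against a Runnable `Blort`, then overwrite `Blort.class` with one that does not implement `Runnable`) to show the two runtime behaviours his explanation predicts side by side: `instanceof` reporting false, and `invokeinterface` being the point where the VM actually rejects the object. The class name `InterfaceCheck` and the `runChecked` method are assumptions introduced here; `runChecked` is the defensive pattern a trust boundary would want, re-checking the declared interface type at runtime rather than relying on the verifier to have enforced it.

```java
// InterfaceCheck.java (added example; builds with the same two-step sequence
// as Dan's TrueRight/Blort pair)
//
//   javac -d classes InterfaceCheck.java   // compiles against the Runnable Blort below
//   javac -d classes Blort.java            // Blort.java contains only:  class Blort { }
//   java -Xverify:all -cp classes InterfaceCheck
public class InterfaceCheck {
    public static void main(String[] args) {
        // javac accepts this because, at compile time, Blort implements Runnable.
        // After Blort.class is replaced, the verifier still accepts the class:
        // it treats the interface type Runnable as equivalent to Object.
        Runnable r = new Blort();

        // instanceof consults the actual class at runtime.
        System.err.println("r instanceof Runnable: " + (r instanceof Runnable));

        // invokeinterface is where the VM checks that the receiver implements
        // the interface; with the replaced Blort this raises
        // IncompatibleClassChangeError instead of calling run().
        try {
            r.run();
            System.err.println("r.run() completed");
        } catch (IncompatibleClassChangeError e) {
            System.err.println("r.run() rejected by the VM: " + e);
        }

        // A boundary that re-checks the declared type instead of trusting it.
        try {
            runChecked(r);
            System.err.println("runChecked(r) completed");
        } catch (IllegalArgumentException e) {
            System.err.println("runChecked(r) rejected: " + e.getMessage());
        }
    }

    // Hypothetical boundary check (not from the thread). The declared type of
    // 'r' is a compile-time promise that the verifier does not enforce for
    // interfaces, so the object is checked at runtime before it is used as a
    // Runnable.
    static void runChecked(Runnable r) {
        if (r == null) {
            throw new IllegalArgumentException("r must not be null");
        }
        Object o = r;
        if (!(o instanceof Runnable)) {
            throw new IllegalArgumentException(
                o.getClass().getName() + " does not implement java.lang.Runnable");
        }
        ((Runnable) o).run();
    }
}

// Compile-time Blort: implements Runnable. The second javac run replaces its
// .class file with one that does not.
class Blort implements Runnable {
    public void run() { }
}
```

Run with the replacement `Blort.class` in place, this prints `false` for the `instanceof` line, catches the `IncompatibleClassChangeError` from `r.run()`, and has `runChecked` reject the argument; run against the original `Blort.class`, all three paths succeed. The practical point for anyone building a checker like Joe-E's is that an interface-typed parameter in bytecode carries no guarantee, so a boundary that needs the guarantee must test for it explicitly.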
--------
From: Mark S. Miller <erights at google.com>
To: Dan Bornstein <danfuzz at google.com>
Date: Thu, Aug 16, 2007 at 1:11 PM

Wow. Ok, I get it. You should post this to e-lang. This is yet another
demonstration that Adrian did the right thing in building the Joe-E
verifier on the Java compiler rather than the JVM verifier. Sheesh!

--
    Cheers,
    --MarkM

--------
From: Mark S. Miller <erights at google.com>
To: Dan Bornstein <danfuzz at google.com>
Date: Thu, Aug 16, 2007 at 1:15 PM

May I forward?

--
    Cheers,
    --MarkM

--------
From: Dan Bornstein <danfuzz at google.com>
To: "Mark S. Miller" <erights at google.com>
Date: Thu, Aug 16, 2007 at 1:19 PM

On 8/16/07, Mark S. Miller <erights at google.com> wrote:
> May I forward?

Please, go ahead.

-dan

--------