University of Washington's
Research Findings on the Java Verifier


For more details

Due to the large number of inquiries, additional details about the UW research project and the verifier assurance effort are posted at http://java.sun.com/security/UWdetails.html. (May 21, 1997)


Background

A team of computer science researchers at the University of Washington has found a verifier bug as part of a research effort developing automatic Java(tm) verification services. The research project, Kimera, focuses on advanced language and operating system topics.

Brian Bershad, Associate Professor of Computer Science, developed a new verification system, along with graduate student Emin Gun Sirer and staff programmer Sean McDirmid.

The team built a Java verification system, following the specification for the verifier in the Java Virtual Machine specification. They then generated random bytecode patterns and fed the same bytecodes both to their own verifier and to the verifiers provided in commercial Java Virtual Machine implementations, comparing the results.

This led to the discovery of a bug in the JDK 1.1.1 verifier, which is now fixed in the JDK 1.1.2 verifier. JDK 1.1.2 will be publicly available in the week of May 26; the fix has been communicated to Java licensees.

What's the bug?

The JDK 1.1.1 bytecode verifier does not check that the number of local-variable slots consumed by a method's arguments is no greater than the size of the method's local-variable array, declared in the max_locals entry of its Code attribute (the MAXLOCAL value). Arguments occupy the low-numbered slots of that array: one slot each for ints, floats and references (including the implicit "this" of an instance method), two slots each for longs and doubles. So, if a method is given more arguments than it has room for in the space allotted to its local variables, the arguments are written past the end of the frame's local-variable area; this is a stack overflow, most likely leading to the JVM crashing. There is no known security attack based on this verifier bug, but since the bug relates to classloading, which has been the basis for security attacks in the past, it is appropriate to issue a fix.
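To make the missing check concrete, here is an added example (not Sun's verifier code and not the Kimera verifier) that computes how many local-variable slots a method's arguments need from its descriptor and compares that with the max_locals entry of a Code attribute. The Code attribute bytes and the method descriptors are constructed test data; the function names are this example's own.

```python
"""Hypothetical re-implementation of the argument/max_locals check that the
JDK 1.1.1 verifier omitted (added example, not Sun's or Kimera's code).

Argument slots, per the JVM specification: one slot for `this` on instance
methods, one slot per boolean/byte/char/short/int/float/reference, two slots
per long or double. max_locals must be at least that many slots, otherwise
the interpreter copies arguments past the frame's local-variable area."""
import struct

ACC_STATIC = 0x0008  # method access flag from the class file format


def argument_slots(descriptor, is_static):
    """Count local-variable slots consumed by the arguments in a method descriptor."""
    if not descriptor.startswith("("):
        raise ValueError("bad method descriptor: %r" % descriptor)
    slots = 0 if is_static else 1  # instance methods receive `this` in slot 0
    i = 1
    while descriptor[i] != ")":
        c = descriptor[i]
        if c in "JD":                 # long / double occupy two slots
            slots += 2
            i += 1
        elif c in "BCFISZ":           # one-slot primitives
            slots += 1
            i += 1
        elif c == "L":                # object type: L<classname>;
            i = descriptor.index(";", i) + 1
            slots += 1
        elif c == "[":                # array: skip dimensions, then element type
            while descriptor[i] == "[":
                i += 1
            if descriptor[i] == "L":
                i = descriptor.index(";", i) + 1
            else:
                i += 1
            slots += 1                # an array reference is a single slot
        else:
            raise ValueError("bad descriptor character %r" % c)
    return slots


def parse_code_attribute(info):
    """Return (max_stack, max_locals, code) from the body of a Code attribute."""
    max_stack, max_locals, code_length = struct.unpack(">HHI", info[:8])
    code = info[8:8 + code_length]
    if len(code) != code_length:
        raise ValueError("truncated code array")
    return max_stack, max_locals, code


def verify_max_locals(access_flags, descriptor, code_info):
    """The check JDK 1.1.1 skipped: arguments must fit inside max_locals.

    Returns (ok, slots_needed, max_locals)."""
    _, max_locals, _ = parse_code_attribute(code_info)
    needed = argument_slots(descriptor, bool(access_flags & ACC_STATIC))
    return needed <= max_locals, needed, max_locals


def make_code_info(max_stack, max_locals, code):
    """Build a minimal Code attribute body (constructed test data):
    max_stack, max_locals, code_length, code, then empty exception table
    and empty attribute list."""
    return (struct.pack(">HHI", max_stack, max_locals, len(code))
            + code + struct.pack(">HH", 0, 0))


if __name__ == "__main__":
    # Constructed instance method taking (long, String, int[]): this + 2 + 1 + 1 = 5 slots.
    desc = "(JLjava/lang/String;[I)V"
    code = make_code_info(1, 4, b"\xb1")  # max_locals=4 with just a `return` opcode
    for flags in (0, ACC_STATIC):
        ok, needed, have = verify_max_locals(flags, desc, code)
        kind = "static" if flags & ACC_STATIC else "instance"
        print("%s %s: needs %d slots, max_locals=%d -> %s"
              % (kind, desc, needed, have, "ok" if ok else "REJECT"))
```

Run as a script it rejects the instance-method case (five slots needed, four declared) and accepts the static one, which is exactly the boundary the 1.1.1 verifier let through.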

What's the fix?

The fix is in the native C code that implements the classloader. The fix actually incorporates two additional safety checks:

What's the impact?

There are no known security attacks based on exploiting this bug in the verifier. The practical impact of the bug is therefore understood to be minimal, and JavaSoft looks forward to continuing to work with the University of Washington researchers on important aspects of the Java security model and implementation.

For more info

For more information about Java security and about the University of Washington's research, check out
java-security@java.sun.com
Last modified: Fri May 16 19:12:31 PDT