[prev in list] [next in list] [prev in thread] [next in thread] 

List:       mono-devel-list
Subject:    Re: [Mono-dev] The State Of Mono Assembly Verification?
From:       Zoltan Varga <vargaz () gmail ! com>
Date:       2006-01-30 21:04:57
Message-ID: 295e750a0601301304v2a1cb82cj65ac2b273110a6b2 () mail ! gmail ! com
[Download RAW message or body]

                                     Hi,

  The verifier situation is not very good: we have some verifier code,
but it is not
complete, not tested, and certainly not reviewed from a security standpoint. The
same goes for most of the runtime code. So at this point, loading and using
untrusted assemblies is a very bad idea IMHO.

                                               Zoltan

On 1/30/06, Jim Purbrick <jimpurbrick@yahoo.co.uk> wrote:
> Hi All,
> 
> I'm currently looking at verifying untrusted
> assemblies before loading them in to an embedded mono
> runtime and, as we currently don't use any Windows
> machines server side, I'd like a (preferably open
> source) CLI assembly verifier that runs on Linux.
> 
> I've been experimenting with calling
> mono_image_verify_tables and mono_method_verify a la
> pedump, but I think verification is erroneously
> failing, especially when verifying branching.
> 
> It looks as though mono_method_verify is performing
> most per-opcode checks, but not correctly storing the
> types on the stack for branch targets, so it can't
> perform stack merge checks properly and ends up with
> an incorrect type stack when checking opcodes
> following branch opcodes which are branch targets. The
> other thing I've noticed is that it doesn't seem to be
> checking that the parameter types for method calls
> match the types on the stack.
> 
> Does that sound about right? Is there anything else
> missing from the verification code? Is fixing the code
> the best thing to do? How much work would it be? Would
> anyone like to help me fix it? Are there any other
> open CLI assembly verifiers I could use instead?
> 
> Cheers,
> 
> Jim.
> 
> 
> 
> ___________________________________________________________
> To help you stay safe and secure online, we've developed the all new Yahoo! \
> Security Centre. http://uk.security.yahoo.com \
> _______________________________________________ Mono-devel-list mailing list
> Mono-devel-list@lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list
> 
_______________________________________________
Mono-devel-list mailing list
Mono-devel-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-devel-list


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic