[Mono-dev] The State Of Mono Assembly Verification?

Paolo Molaro lupus at ximian.com
Fri Feb 3 05:29:24 EST 2006


On 02/02/06 Jim Purbrick wrote:
> > mono_method_verify () has been superseded by
> > verification during JIT time.
> 
> When JIT time verification is failed is there an
> exception thrown that an embedding app can use to take
> appropriate action?

Yes, this is a trivial change to make, I'll do it today.

> Do you know exactly which checks are missing? I can

There are many checks that need to be performed, it's not
as simple as doing opcode checks as you seem to believe.
The only way to know which are missing is to review all the code.
Of course the review needs to be done independently by multiple
people with the right skills and mindset (and time)...

> What's the best way to set up this test suite?
> Manually craft unverifiable assemblies for each
> verification check and then test that Mono rejects
> them?

Well, since there are many possible attack ways, we also need
many ways to test for them.
First we need test cases for each opcode verification rule.
These should be done with IL test programs.
Note that we need separate tests for invalid IL code
and unverifiable IL code: they are two completely different
things.
Then we need to test for metadata issues: some things can be
done again with IL sources, but many will be rejected by
ilasm or by the underlying library PEAPI. We need to
investigate if it's better to change ilasm to produce
the incorrect assemblies (when given a specific command
line option) or write a specific front-end to PEAPI
or Cecil that can be used to create broken assemblies.
Last, we need a crashme-like tool: the tool will
randomly change bytes in some correct assembly and
the assembly is fed to the jit. The jit must deal with the
possible errors generated without crashing. Note that, while
the assembly corruption can and needs to be automated,
the jit behaviour can only be partially automatically monitored.
A change could be made that doesn't affect the jit, but which
should be detected...
I'm sure Sebastien can offer more advice for the testing, too.

lupus

-- 
-----------------------------------------------------------------
lupus at debian.org                                     debian/rules
lupus at ximian.com                             Monkeys do it better
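A sketch of the crashme-like tool the mail describes, as an added example (not Mono project code): it randomly corrupts bytes of a known-good assembly, feeds each variant to the runtime, and records whether the JIT handled the corruption or died. It assumes a `mono` launcher on PATH and a caller-supplied good assembly; the mutation and verdict logic are pure functions so they can be exercised offline.

```python
"""Mutation harness in the spirit of the crashme-like tool from the mail.
Added example, not Mono project code. Assumes `mono` is on PATH and that the
caller supplies a known-good assembly; mutate() and classify() are pure."""
import random
import subprocess
from pathlib import Path


def mutate(data: bytes, seed: int, n_bytes: int) -> bytes:
    """Copy of `data` with `n_bytes` distinct positions overwritten by random
    values that differ from the original. Deterministic per seed, so any
    failure can be replayed from (seed, n_bytes) alone."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for pos in rng.sample(range(len(buf)), n_bytes):
        new = rng.randrange(256)
        while new == buf[pos]:
            new = rng.randrange(256)
        buf[pos] = new
    return bytes(buf)


def classify(returncode: int) -> str:
    """A negative exit status means the process died from a signal (SIGSEGV,
    SIGABRT, ...): the JIT did not cope. Any ordinary exit, success or error,
    counts as handled. A corruption the runtime silently accepts is invisible
    here, which is the partial-monitoring limit the mail points out."""
    return "CRASH" if returncode < 0 else "HANDLED"


def run_case(mutated: bytes, workdir: Path, case_id: int, timeout: float = 10.0) -> str:
    """Write one mutated assembly to disk and execute it under mono."""
    exe = workdir / f"case{case_id}.exe"
    exe.write_bytes(mutated)
    try:
        proc = subprocess.run(["mono", str(exe)], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "HANG"
    return classify(proc.returncode)


def campaign(good_assembly: Path, workdir: Path, cases: int, n_bytes: int) -> dict:
    """Run `cases` mutations of one good assembly, grouping seeds by verdict
    so every CRASH or HANG can be rebuilt with mutate(data, seed, n_bytes)."""
    data = good_assembly.read_bytes()
    workdir.mkdir(parents=True, exist_ok=True)
    results: dict = {}
    for seed in range(cases):
        verdict = run_case(mutate(data, seed, n_bytes), workdir, seed)
        results.setdefault(verdict, []).append(seed)
    return results
```

Per-opcode and metadata cases still need the hand-written IL tests the mail asks for; this harness only covers the "must not crash" property.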


