[Mono-dev] The State Of Mono Assembly Verification?

Jim Purbrick jimpurbrick at yahoo.co.uk
Mon Jan 30 14:03:02 EST 2006

Hi All,

I'm currently looking at verifying untrusted
assemblies before loading them into an embedded mono
runtime and, as we currently don't use any Windows
machines server side, I'd like a (preferably open
source) CLI assembly verifier that runs on Linux.

I've been experimenting with calling
mono_image_verify_tables and mono_method_verify a la
pedump, but I think verification is erroneously
failing, especially when verifying branching. 

It looks as though mono_method_verify is performing
most per-opcode checks, but not correctly storing the
types on the stack for branch targets, so it can't
perform stack merge checks properly and ends up with
an incorrect type stack when checking opcodes
following branch opcodes which are branch targets. The
other thing I've noticed is that it doesn't seem to be
checking that the parameter types for method calls
match the types on the stack.

Does that sound about right? Is there anything else
missing from the verification code? Is fixing the code
the best thing to do? How much work would it be? Would
anyone like to help me fix it? Are there any other
open CLI assembly verifiers I could use instead?
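
The stack merge and call-argument checks described in the message above, as an added example that is not part of the original post and is not Mono's verifier code. It assumes a toy instruction set, a two-entry signature table and an exact-match merge rule, all constructed here; real CIL verification merges by type compatibility rather than equality.

```c
#include <string.h>
/* Toy CIL-like subset: opcodes, types, signatures and samples are all constructed. */
enum { LDC_I4, LDSTR, POP, BR, BRTRUE, CALL, RET };
enum { T_I4 = 1, T_STR };
#define MAXS 8
typedef struct { int op, arg; } Insn;                /* arg: branch target or SIGS index */
typedef struct { int nparams, params[2], ret; } Sig; /* ret 0 = void */
typedef struct { int depth, t[MAXS]; } State;        /* depth -1 = not yet visited */
static const Sig SIGS[2] = { {1, {T_STR}, 0}, {2, {T_I4, T_I4}, T_I4} };

/* Enter pc with type stack s: the first arrival records s, later arrivals must match it. */
static int flow(const Insn *c, int n, State *in, int pc, State s) {
    if (pc < 0 || pc >= n) return 0;              /* branch or fall-through out of the body */
    if (in[pc].depth >= 0)                        /* join point: stack merge check */
        return in[pc].depth == s.depth && !memcmp(in[pc].t, s.t, s.depth * sizeof(int));
    in[pc] = s;
    Insn i = c[pc];
    switch (i.op) {
    case LDC_I4: case LDSTR:
        if (s.depth == MAXS) return 0;
        s.t[s.depth++] = i.op == LDC_I4 ? T_I4 : T_STR; break;
    case POP: if (s.depth-- < 1) return 0; break;
    case BR: return flow(c, n, in, i.arg, s);
    case BRTRUE:                                  /* the target sees the stack after the pop */
        if (s.depth < 1 || s.t[--s.depth] != T_I4 || !flow(c, n, in, i.arg, s)) return 0;
        break;
    case CALL: {                                  /* argument types must match the signature */
        if (i.arg < 0 || i.arg > 1 || s.depth < SIGS[i.arg].nparams) return 0;
        const Sig *g = &SIGS[i.arg];
        for (int k = g->nparams; k-- > 0; )       /* pop arguments right to left */
            if (s.t[--s.depth] != g->params[k]) return 0;
        if (g->ret) s.t[s.depth++] = g->ret;      /* safe: every non-void SIGS entry pops first */
        break; }
    case RET: return s.depth == 0;                /* toy methods return void */
    default: return 0;
    }
    return flow(c, n, in, pc + 1, s);
}

int verify(const Insn *c, int n) {                /* 1 if every path type-checks, else 0 */
    State in[32], empty = { 0, { 0 } };
    if (n > 32) return 0;
    for (int k = 0; k < n; k++) in[k].depth = -1;
    return flow(c, n, in, 0, empty);
}
/* GOOD joins at index 5 with [string] on both paths; BAD_MERGE joins with int32 vs string. */
const Insn GOOD[] = {{LDC_I4,0},{BRTRUE,4},{LDSTR,0},{BR,5},{LDSTR,0},{CALL,0},{RET,0}};
const Insn BAD_MERGE[] = {{LDC_I4,0},{BRTRUE,4},{LDSTR,0},{BR,5},{LDC_I4,0},{POP,0},{RET,0}};
const Insn BAD_CALL[] = {{LDC_I4,0},{CALL,0},{RET,0}};     /* int32 passed where string expected */
```

Every instruction in `BAD_MERGE` passes its own per-opcode check, since `POP` only needs a non-empty stack; it is rejected solely because the recorded entry state at index 5 differs between the two incoming paths.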


