[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: Bytecode: Safe or not? / luac manual
- From: Sean Conner <sean@...>
- Date: Tue, 1 Nov 2011 16:09:53 -0400
It was thus said that the Great Stefan Reich once stated:
> That is easily possible with many VMs. For example, a C64 emulator can
> in all likelihood not be crashed by bad C64 code. It just doesn't work
> that way as 6510 assembly instructions are easy to control. (Only
> controlled halting of the VM is possible.)
> Also, I once wrote a VM for an assembly language with only one
> instruction. That was also very easily verifiable bytecode.
> Also, Java has a bytecode verifier that, AFAIK, has no known vulnerabilities.
I don't know, doing a search for "java bytecode verifier vulnerability"
certain brought up a ton of results. Granted, the results appear to be
several years old, but from a quick scan through the results, it appears
that Java bytecode verification wasn't quite as trivial as you make it
-spc (Even if you carefully verify all the opcodes, you are still
vulnerable to a "return-to-libc" style attack)