[Mono-dev] The State Of Mono Assembly Verification?
vargaz at gmail.com
Mon Jan 30 16:04:57 EST 2006
The verifier situation is not very good: we have some verifier code,
but it is not
complete, not tested, and certainly not reviewed from a security standpoint. The
same goes for most of the runtime code. So at this point, loading and using
untrusted assemblies is a very bad idea IMHO.
On 1/30/06, Jim Purbrick <jimpurbrick at yahoo.co.uk> wrote:
> Hi All,
> I'm currently looking at verifying untrusted
> assemblies before loading them in to an embedded mono
> runtime and, as we currently don't use any Windows
> machines server side, I'd like a (preferably open
> source) CLI assembly verifier that runs on Linux.
> I've been experimenting with calling
> mono_image_verify_tables and mono_method_verify a la
> pedump, but I think verification is erroneously
> failing, especially when verifying branching.
> It looks as though mono_method_verify is performing
> most per-opcode checks, but not correctly storing the
> types on the stack for branch targets, so it can't
> perform stack merge checks properly and ends up with
> an incorrect type stack when checking opcodes
> following branch opcodes which are branch targets. The
> other thing I've noticed is that it doesn't seem to be
> checking that the parameter types for method calls
> match the types on the stack.
> Does that sound about right? Is there anything else
> missing from the verification code? Is fixing the code
> the best thing to do? How much work would it be? Would
> anyone like to help me fix it? Are there any other
> open CLI assembly verifiers I could use instead?
> To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
More information about the Mono-devel-list