Hm... Just the same that I'm fearing:
| 2.1 Verification | The general problem of verifying type safety is undecidable
aka "verification does not work". So far, so good. And now?
| if a program passes verification it is | guaranteed to satisfy prescribed safety properties
Of course. But these safety properties are doubtful, if there is pointer semantics.
| A bug in the Java bytecode verifier or Microsoft's | JIT verifier can be exploited by a hostile program to | circumvent all security measures
OMN! Java, too. Why didn't they implement a typing system in the interpreter, if everybody uses JIT compiling anyways?
It's not a bug, if a program verifies but is not secure. "This behaviour is by design", because the general problem of verifying type safety is undecidable.
Or is the simpler problem of the concrete verification process decidable? And how does this work, if there is pointer semantics? Does anybody know?
| 5.1 Checking Permissions | ... | .NET performs a similar stack walk with Frame | objects representing the frames on the stack. To | support multiple languages (including type unsafe | languages like C++), the stack has frames that are | managed and unmanaged. The managed frames are | frames that are verified for type safety while the | unmanaged frames have no safety guarantees.
This seems to be the answer: if there is pointer semantics, neither verification nor checking permissions will work. This means "bye-bye .NET security" for code, which uses unmanaged stack frames.
Does anybody know, when such code is usable?
BTW: very good paper, Duane! Sebastian, your fears, that .NET is as bad as ActiveX, seem to be causeless.
But even in this paper, the keypoints don't become clear:
For Java and .NET:
- how exactly does the verification process work
- can it guarantee type safety in verified code
- is this a decidable problem, what they designed (ridiculous, but we're talking about problems near the halting problem)
For .NET only:
- how does .NET handle not-typesafe code like every code with pointer semantics
- is there code running "trusted", but using "unmanaged stack frames" in .NET
- is there trusted code, which can use C++ interop
- how are the security checks done, CAS implements for flat API calls
See also:
Yours, VB.