Journal of Automated Reasoning, Volume 30, Issue 3–4, pp 235–269

Java Bytecode Verification: Algorithms and Formalizations

  • Xavier Leroy

Abstract

Bytecode verification is a crucial security component for Java applets, on the Web and on embedded devices such as smart cards. This paper reviews the various bytecode verification algorithms that have been proposed, recasts them in a common framework of dataflow analysis, and surveys the use of proof assistants to specify bytecode verification and prove its correctness.

Keywords: bytecode verification, Java Virtual Machine, dataflow analysis, abstract interpretation, subroutines
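The abstract describes recasting bytecode verification as a dataflow analysis: each instruction is interpreted over abstract types rather than values, the abstract states reaching a join point are merged in a lattice, and the analysis iterates to a fixpoint. The toy verifier below is an added example written for this page, not code from the paper; its instruction set (iconst, aconst_null, ifeq, goto, ireturn, areturn), its types (int, ref, top) and its two sample programs are constructed simplifications of the JVM that track only the operand stack.

```python
TOP = "top"  # lattice top: a value of unknown type, which no instruction may consume
def join(a, b):  # least upper bound of two abstract types
    return a if a == b else TOP

def join_stacks(s, t):  # merge the abstract stacks reaching one pc; heights must agree
    if s is None: return t
    if len(s) != len(t):
        raise ValueError("stack height mismatch at join point")
    return tuple(map(join, s, t))

def transfer(pc, instr, stack):  # abstract step -> [(successor pc, stack after), ...]
    op, *args = instr
    def pop(want):  # consume the top of stack, insisting on its type
        nonlocal stack
        if not stack or stack[-1] != want:
            raise ValueError(f"pc {pc}: {op} needs {want}, found {stack[-1] if stack else 'nothing'}")
        stack = stack[:-1]
    if op in ("iconst", "aconst_null"):
        stack += ("int" if op == "iconst" else "ref",)
    elif op == "ifeq":  # two successors: fall-through and branch target
        pop("int")
        return [(pc + 1, stack), (args[0], stack)]
    elif op == "goto":
        return [(args[0], stack)]
    elif op in ("ireturn", "areturn"):
        pop("int" if op == "ireturn" else "ref")
        return []
    else:
        raise ValueError(f"pc {pc}: unsupported opcode {op}")
    return [(pc + 1, stack)]

def verify(code):  # worklist fixpoint -> (True, "ok") or (False, reason)
    stacks = [()] + [None] * (len(code) - 1)  # abstract stack on entry to each pc
    work = [0]  # FIFO order keeps the analysis trace deterministic
    try:
        while work:
            pc = work.pop(0)
            for npc, stack in transfer(pc, code[pc], stacks[pc]):
                if npc >= len(code):
                    raise ValueError(f"pc {pc}: control falls off the end of the code")
                merged = join_stacks(stacks[npc], stack)
                if merged != stacks[npc]:  # entry state grew in the lattice: re-analyse
                    stacks[npc] = merged
                    work.append(npc)
    except ValueError as e:
        return (False, str(e))
    return (True, "ok")

# Constructed sample programs: the second pushes int on one path and ref on the other,
# so the join at pc 5 yields top and ireturn is rejected.
WELL_TYPED = [("iconst", 0), ("ifeq", 4), ("iconst", 1), ("ireturn",), ("iconst", 2), ("ireturn",)]
ILL_TYPED = [("iconst", 0), ("ifeq", 4), ("iconst", 1), ("goto", 5), ("aconst_null",), ("ireturn",)]
```

Run `verify(WELL_TYPED)` and `verify(ILL_TYPED)` to see the accepted and rejected cases; a program whose two paths reach a join point with different stack heights is rejected as well.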


Copyright information

© Kluwer Academic Publishers 2003

Authors and Affiliations

  • Xavier Leroy, INRIA Rocquencourt and Trusted Logic S.A., France