
Bytecode Verification by Model Checking

Published in: Journal of Automated Reasoning

Abstract

Java bytecode verification is traditionally performed by using dataflow analysis. We investigate an alternative based on reducing bytecode verification to model checking. First, we analyze the complexity and scalability of this approach. We show experimentally that, despite an exponential worst-case time complexity, model checking type-correct bytecode using an explicit-state on-the-fly model checker is feasible in practice, and we give a theoretical account why this is the case. Second, we formalize our approach using Isabelle/HOL and prove its correctness. In doing so we build on the formalization of the Java Virtual Machine and dataflow analysis framework of Pusch and Nipkow and extend it to a more general framework for reasoning about model-checking-based analysis. Overall, our work constitutes the first comprehensive investigation of the theory and practice of bytecode verification by model checking.
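The reduction the abstract describes, as an added example that is not the paper's code or its Isabelle/HOL formalization: a toy stack machine with a constructed instruction set (iconst, aconst_null, iadd, iload/istore, aload/astore, ifeq, goto, return) and a two-type value system (int, ref). An abstract state is (pc, operand-stack types, local types); the verifier explores the reachable states by breadth-first search, which stands in for an explicit-state on-the-fly model checker such as SPIN, and the safety property is that every instruction's typing precondition holds in every reachable state. The sample programs are constructed; the third one reaches the same pc with two different stacks, which shows why states are not merged as a dataflow verifier would merge them.

```python
"""Toy bytecode verifier as explicit-state, on-the-fly model checking.
Added example; instruction set, type system and programs are constructed."""
from collections import deque
from dataclasses import dataclass, field

INT, REF = "int", "ref"        # abstract value types; None marks an unset local


class VerifyError(Exception):
    """An instruction's typing precondition fails in some reachable state."""


def successors(pc, instr, stack, locs, max_stack):
    """Abstract transition relation: successor states of one instruction,
    or VerifyError if the instruction is ill-typed in state (pc, stack, locs)."""
    op, *args = instr

    def need(n, ty):                       # top n stack slots must all be ty
        if len(stack) < n:
            raise VerifyError(f"pc {pc}: stack underflow in {op}")
        for t in stack[-n:]:
            if t != ty:
                raise VerifyError(f"pc {pc}: {op} expects {ty}, found {t}")

    def push(ty):
        if len(stack) >= max_stack:
            raise VerifyError(f"pc {pc}: stack overflow in {op}")
        return stack + (ty,)

    if op == "iconst":
        return [(pc + 1, push(INT), locs)]
    if op == "aconst_null":
        return [(pc + 1, push(REF), locs)]
    if op == "iadd":
        need(2, INT)
        return [(pc + 1, stack[:-2] + (INT,), locs)]
    if op in ("iload", "aload"):
        i, ty = args[0], (INT if op == "iload" else REF)
        if i >= len(locs) or locs[i] != ty:
            raise VerifyError(f"pc {pc}: {op} {i} needs a {ty} local")
        return [(pc + 1, push(ty), locs)]
    if op in ("istore", "astore"):
        i, ty = args[0], (INT if op == "istore" else REF)
        need(1, ty)
        if i >= len(locs):
            raise VerifyError(f"pc {pc}: no local {i}")
        return [(pc + 1, stack[:-1], locs[:i] + (ty,) + locs[i + 1:])]
    if op == "ifeq":                       # pop int; fall through or jump
        need(1, INT)
        return [(pc + 1, stack[:-1], locs), (args[0], stack[:-1], locs)]
    if op == "goto":
        return [(args[0], stack, locs)]
    if op == "return":
        return []                          # terminal state
    raise VerifyError(f"pc {pc}: unknown opcode {op}")


@dataclass
class Result:
    ok: bool
    reason: str
    trace: list = field(default_factory=list)   # pcs of the offending path
    states: int = 0                             # abstract states explored


def trace(pred, state):
    """Follow predecessor links back to the initial state; return the pc path."""
    path = []
    while state is not None:
        path.append(state[0])
        state = pred[state]
    return path[::-1]


def verify(code, num_locals, max_stack, param_types=()):
    """Reachability over abstract type-states (BFS, generated on the fly).
    States at the same pc are never merged: exact per path, but the state set
    can grow exponentially in the number of locals and stack slots."""
    init = (0, (), tuple(param_types) + (None,) * (num_locals - len(param_types)))
    pred = {init: None}                    # state -> predecessor, for traces
    queue = deque([init])
    while queue:
        state = queue.popleft()
        pc, stack, locs = state
        try:
            if not 0 <= pc < len(code):
                raise VerifyError(f"pc {pc}: jump outside the method")
            for nxt in successors(pc, code[pc], stack, locs, max_stack):
                if nxt not in pred:
                    pred[nxt] = state
                    queue.append(nxt)
        except VerifyError as err:
            return Result(False, str(err), trace(pred, state), len(pred))
    return Result(True, "type-correct", [], len(pred))


# Constructed sample programs (instruction index = pc).
COUNTDOWN = [("iconst", 3), ("istore", 0), ("iload", 0), ("ifeq", 9),
             ("iload", 0), ("iconst", -1), ("iadd",), ("istore", 0),
             ("goto", 2), ("return",)]                   # l0 = 3; while l0 != 0: l0 += -1
BAD_ADD = [("aconst_null",), ("iconst", 1), ("iadd",), ("return",)]   # int + ref
BAD_JOIN = [("iload", 0), ("ifeq", 4), ("iconst", 1), ("goto", 5),
            ("aconst_null",), ("istore", 1), ("return",)]  # pc 5 reached with int or ref on stack

if __name__ == "__main__":
    for name, code, nloc, params in [("countdown", COUNTDOWN, 1, ()),
                                     ("bad_add", BAD_ADD, 0, ()),
                                     ("bad_join", BAD_JOIN, 2, (INT,))]:
        r = verify(code, nloc, max_stack=2, param_types=params)
        print(f"{name}: ok={r.ok} states={r.states} {r.reason} trace={r.trace}")
```

The verdict for BAD_JOIN comes with the concrete path 0, 1, 4, 5 on which the store is ill-typed; a dataflow verifier would instead join the two incoming stacks at pc 5 and report a conflict at that point without a path. The price is visible in the state count: every distinct (stack, locals) combination at a pc is a separate state, which is the source of the exponential worst case the abstract mentions, while type-correct code like COUNTDOWN produces only one state per pc and stack depth.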



References

  1. Basin, D., Friedrich, S. and Gawkowski, M.: Verified bytecode model checkers, in V. A. Carreño, C. A. Muñoz and S. Tahar (eds.), Theorem Proving in Higher Order Logics (TPHOLs'02), Lecture Notes in Comput. Sci. 2410, 2002, pp. 47-66.

  2. Basin, D., Friedrich, S., Gawkowski, M. and Posegga, J.: Bytecode model checking: An experimental analysis, in D. Bosnacki and S. Leue (eds.), Model Checking Software, 9th International SPIN Workshop, Lecture Notes in Comput. Sci. 2318, 2002, pp. 42-59.

  3. Basin, D., Friedrich, S., Posegga, J. and Vogt, H.: Java byte code verification by model checking, in N. Halbwachs and D. Peled (eds.), 11th International Conference on Computer-Aided Verification (CAV'99), 1999, pp. 491-494.

  4. Bertot, Y.: A Coq formalization of a type checker for object initialization in the Java virtual machine, Research Report RR-4047, INRIA, 2000.

  5. Biere, A., Cimatti, A., Clarke, E. and Zhu, Y.: Symbolic model checking without BDDs, in W. R. Cleaveland (ed.), Tools and Algorithms for the Construction and Analysis of Systems, TACAS'99, Lecture Notes in Comput. Sci. 1579, 1999, pp. 193-207.

  6. Coglio, A.: Simple verification technique for complex Java bytecode subroutines, in Proc. 4th ECOOP Workshop on Formal Techniques for Java-like Programs, 2002.

  7. Cohen, R.: The defensive Java Virtual Machine specification, Technical Report, Computational Logic Inc., 1997.

  8. Freund, S. N. and Mitchell, J. C.: A formal framework for the Java bytecode language and verifier, ACM SIGPLAN Notices 34(10) (1999), 147-166.


  9. Freund, S. N. and Mitchell, J. C.: The type system for object initialization in the Java bytecode language, ACM Transactions on Programming Languages and Systems 21(6) (1999), 1196-1250.


  10. Holzmann, G. J.: The SPIN model checker, IEEE Transactions on Software Engineering 23(5) (1997), 279-295.


  11. Kfoury, A. J., Tiuryn, J. and Urzyczyn, P.: An analysis of ML typability, J. ACM 41(2) (1994), 368-398.


  12. Klein, G. and Nipkow, T.: Verified bytecode verifiers, Theoret. Comput. Sci. (2002), to appear.

  13. Klein, G. and Wildmoser, M.: Verified bytecode subroutines, J. Automated Reasoning (2003), in this issue.

  14. Leroy, X.: Java bytecode verification: An overview, in G. Berry, H. Comon and A. Finkel (eds.), Computer Aided Verification, 13th International Conference, CAV 2001, Lecture Notes in Comput. Sci. 2102, 2001, pp. 265-285.

  15. Lindholm, T. and Yellin, F.: The Java Virtual Machine Specification, The Java Series 1102, Addison-Wesley, 1997.

  16. McMillan, K.: Symbolic model checking: An approach to the state explosion problem, Ph.D. thesis, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, 1992. CMUCS-92-131.


  17. Nipkow, T.: Verified bytecode verifiers, in F. Honsell and M. Miculan (eds.), Foundations of Software Science and Computation Structures, 4th International Conference, FOSSACS 2001, Lecture Notes in Comput. Sci. 2030, 2001, pp. 347-363.

  18. Nipkow, T., v. Oheimb, D. and Pusch, C.: µJava: Embedding a programming language in a theorem prover, in F. Bauer and R. Steinbrüggen (eds.), Foundations of Secure Computation. Proc. Int. Summer School Marktoberdorf 1999, 2000, pp. 117-144.

  19. Nipkow, T., Paulson, L. C. and Wenzel, M.: Isabelle/HOL, A Proof Assistant for Higher-Order Logic, Lecture Notes in Comput. Sci. 2283, Springer, 2002.

  20. Paulson, L. C.: Isabelle: A Generic Theorem Prover; With Contributions by Tobias Nipkow, Lecture Notes in Comput. Sci. 828, Springer, 1994.

  21. Posegga, J. and Vogt, H.: Byte code verification for Java smart cards based on model checking, in J.-J. Quisquater, Y. Deswarte, C. Meadows, and D. Gollmann (eds.), Computer Security - ESORICS 98, 5th European Symposium on Research in Computer Security, Lecture Notes in Comput. Sci. 1485, 1998, pp. 175-190.

  22. Pusch, C.: Formalizing the Java virtual machine in Isabelle/HOL, Technical Report TUMI9816, Institut für Informatik, Technische Universität München, 1998.

  23. Pusch, C.: Proving the soundness of a Java bytecode verifier specification in Isabelle/HOL, in W. R. Cleaveland (ed.), Tools and Algorithms for the Construction and Analysis of Systems, TACAS'99, Lecture Notes in Comput. Sci. 1579, 1999, pp. 89-103.

  24. Qian, Z.: A formal specification of Java Virtual Machine instructions for objects, methods and subroutines, in J. Alves-Foss (ed.), Formal Syntax and Semantics of Java, Lecture Notes in Comput. Sci. 1528, Springer, 1999, pp. 271-311.

  25. Qian, Z.: Standard fixpoint iteration for Java bytecode verification, ACM Transactions on Programming Languages and Systems 22(4) (2000), 638-672.


  26. Ruys, T. C.: Towards effective model checking, Ph.D. thesis, University of Twente, Department of Computer Science, 2001.

  27. Schmidt, D.: Data flow analysis is model checking of abstract interpretations, in Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'98), 1998, pp. 38-48.

  28. Schmidt, D. and Steffen, B.: Program analysis as model checking of abstract interpretations, in G. Levi (ed.), Static Analysis, 5th International Symposium, SAS'98, Lecture Notes in Comput. Sci. 1503, 1998, pp. 351-380.

  29. Stärk, R. F. and Schmid, J.: Java bytecode verification is not possible, in R. Moreno-Díaz and A. Quesada-Arencibia (eds.), Formal Methods and Tools for Computer Science, Eurocast, Extended Abstract, 2001.

  30. Stata, R. and Abadi, M.: A type system for Java bytecode subroutines, ACM Transactions on Programming Languages and Systems 21(1) (1999), 90-137.


  31. Yellin, F.: Low level security in Java, in World Wide Web Journal: The Fourth International WWW Conference Proceedings, Cambridge, MA, 1995, pp. 369-380.


Cite this article

Basin, D., Friedrich, S. & Gawkowski, M. Bytecode Verification by Model Checking. Journal of Automated Reasoning 30, 399–444 (2003). https://doi.org/10.1023/A:1025059508087
