Journal of Automated Reasoning, Volume 31, Issue 3–4, pp 303–334

Lightweight Bytecode Verification

  • Eva Rose

Abstract

In this paper, we provide a theoretical foundation for and improvements to the existing bytecode verification technology, a critical component of the Java security model, for mobile code used with the Java “micro edition” (J2ME), which is intended for embedded computing devices. In Java, remotely loaded “bytecode” class files are required to be bytecode verified before execution, that is, to undergo a static type analysis that protects the platform's Java run-time system from so-called type confusion attacks such as pointer manipulation. The data flow analysis that performs the verification, however, is beyond the capacity of most embedded devices because of the memory that the typical algorithm requires. We propose to take a proof-carrying code approach to data flow analysis in defining an alternative technique called “lightweight analysis” that uses the notion of a “certificate” to reanalyze a previously analyzed data flow problem, even on poorly resourced platforms. We formally prove that the technique provides the same guarantees as standard bytecode safety verification analysis, in particular that it is “tamper proof” in the sense that the guarantees provided by the analysis cannot be broken by crafting a “false” certificate or by altering the analyzed code. We show how the Java bytecode verifier fits into this framework for an important subset of the Java Virtual Machine; we also show how the resulting “lightweight bytecode verification” technique generalizes and simulates the J2ME verifier (to be expected, as Sun's J2ME “K-Virtual Machine” verifier was directly based on an early version of this work), as well as Leroy's “on-card bytecode verifier,” which is specifically targeted at Java Cards.
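To make the certificate idea concrete, here is an added toy illustration (it is not the paper's formalization or the KVM's code): a single-pass verifier for a constructed stack-machine instruction set with a two-type lattice, where the certificate lists the typing state at every branch target, so the checker never iterates to a fixpoint and stores no per-instruction state. The instruction names, the `subsumes` ordering, and the sample program and certificates are assumptions of this example.

```python
from typing import Dict, List, Optional, Tuple
TOP = "T"  # toy type lattice: 'I' (int), 'R' (reference), 'T' (top: unusable)
State = Tuple[Tuple[str, ...], Tuple[str, ...]]  # (operand stack types, local variable types)

def subsumes(certified: State, actual: State) -> bool:  # actual fits under the certified state
    cs, cl = certified; s, l = actual
    return len(cs) == len(s) and len(cl) == len(l) and all(c in (a, TOP) for c, a in zip(cs + cl, s + l))

def step(instr: tuple, state: State) -> Tuple[State, Optional[int]]:  # abstract execution of one instruction
    op, *args = instr; stack, locs = list(state[0]), list(state[1])
    def pop(want: str) -> None:  # the operand stack must hold exactly the expected type on top
        if not stack or stack.pop() != want: raise ValueError(f"{op}: expected {want} on stack")
    target = None
    if op == "iconst": stack.append("I")
    elif op == "aconst": stack.append("R")
    elif op in ("istore", "astore"):
        t = "I" if op == "istore" else "R"; pop(t); locs[args[0]] = t
    elif op in ("iload", "aload"):
        t = "I" if op == "iload" else "R"
        if locs[args[0]] != t: raise ValueError(f"{op} {args[0]}: local holds {locs[args[0]]}, not {t}")
        stack.append(t)
    elif op == "ifeq": pop("I"); target = args[0]
    elif op == "goto": target = args[0]
    elif op != "return": raise ValueError(f"unknown opcode {op}")
    return (tuple(stack), tuple(locs)), target

def lightweight_verify(code: List[tuple], cert: Dict[int, State], nlocals: int) -> Optional[str]:
    """One forward pass; the certificate supplies the state at every branch target, so no
    fixpoint iteration and no per-instruction state storage is needed. None = safe, else reason."""
    state: Optional[State] = ((), tuple([TOP] * nlocals))
    try:
        for pc, instr in enumerate(code):
            if pc in cert:  # merge point: any incoming fall-through state must fit the certified one
                if state is not None and not subsumes(cert[pc], state):
                    raise ValueError(f"pc {pc}: fall-through state {state} exceeds certificate")
                state = cert[pc]
            elif state is None:
                raise ValueError(f"pc {pc}: unreachable code without a certificate entry")
            state, target = step(instr, state)
            if target is not None and (target not in cert or not subsumes(cert[target], state)):
                raise ValueError(f"pc {pc}: state {state} not covered by certificate at {target}")
            if instr[0] in ("goto", "return"): state = None  # control does not fall through
    except (ValueError, IndexError) as e:
        return str(e)
    return None

# Constructed sample: a loop on an int local, after which local 0 is reused for a reference.
CODE = [("iconst",), ("istore", 0), ("iload", 0), ("ifeq", 7),
        ("iload", 0), ("istore", 0), ("goto", 2), ("aconst",), ("astore", 0), ("return",)]
CERT = {2: ((), ("I",)), 7: ((), ("I",))}        # certified states at the two branch targets
FALSE_CERT = {2: ((), ("R",)), 7: ((), ("I",))}  # forged: claims local 0 is a reference at the loop head
TAMPERED = CODE[:4] + [("aconst",), ("astore", 0)] + CODE[6:]  # altered code: back edge stores a reference
```

Both the forged certificate and the altered code are rejected at the merge point where the claimed and actual states disagree, which is the "tamper proof" property the abstract describes.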

Keywords: bytecode verification, data flow analysis, proof-carrying code

References

  1. Abadi, M. and Cardelli, L.: A Theory of Objects, Monographs in Computer Science, Springer-Verlag, 1996.
  2. Anderson, R.: Why cryptosystems fail, Comm. ACM 37(11) (1994), 32–40.
  3. Barthe, G., Dufay, G., Jakubiec, L., Serpette, B., Sousa, S. and Yu, S.: Formalization in Coq of the Java Card Virtual Machine, in S. Drossopoulou, S. Eisenbach, B. Jacobs, G. T. Leavens, P. Müller, and A. Poetzsch-Heffter (eds.), Formal Techniques for Java Programs (ECOOP 2000 workshop), Sophia-Antipolis, France, 2000.
  4. Bracha, G.: Java class file specification update, http://jcp.org/en/jsr/detail?id=202, 2000.
  5. Chen, Z.: Java Card Technology for Smart Cards, The Java Series, Addison-Wesley, 2000.
  6. Colby, C., Lee, P., Necula, G. C., Blau, F., Plesko, M. and Cline, K.: A certifying compiler for Java, ACM SIGPLAN Notices 35(5) (2000a), 95–107. Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '00).
  7. Colby, C., Necula, G. C. and Lee, P.: A proof-carrying code architecture for Java, in Proceedings of the 12th International Conference on Computer Aided Verification (CAV00), Chicago, IL, 2000b.
  8. Drossopoulou, S., Eisenbach, S. and Khurshid, S.: Is the Java type system sound?, Theory and Practice of Object Systems 5(1) (1999), 3–24.
  9. Freund, S.: The costs and benefits of Java bytecode subroutines, in S. Eisenbach (ed.), Formal Underpinnings of Java (an OOPSLA workshop), Vancouver, BC, Canada, 1998.
  10. Freund, S. and Mitchell, J.: A formal framework for the Java bytecode language and verifier, in ACM Conference on Object-Oriented Programming: Systems, Languages and Applications, 1999.
  11. Hartel, P. and Moreau, L.: Formalizing the safety of Java, the Java Virtual Machine and Java Card, ACM Computing Surveys 33(4) (2001), 517–558.
  12. Jensen, T., Le Métayer, D. and Thorn, T.: A formalisation of visibility and dynamic loading in Java, in ICCL '98, 1998. Also published as IRISA Technical Report no. 1137, October 1997.
  13. Kildall, G. A.: A unified approach to global program optimization, in Conference Record of the ACM Symposium on Principles of Programming Languages, Boston, Mass., 1973, pp. 194–206.
  14. Klein, G.: Verified Java bytecode verification, Ph.D. thesis, Institut für Informatik, Technische Universität München, 2003.
  15. Klein, G. and Nipkow, T.: Verified lightweight bytecode verification, Concurrency and Computation: Practice and Experience 13(13) (2001), 1133–1151. Invited contribution to special issue of papers from Formal Techniques for Java Programs (ECOOP 2000 workshop).
  16. Klein, G. and Nipkow, T.: Verified bytecode verifiers, Theoret. Comput. Sci. (2002). To appear.
  17. Leroy, X.: Java bytecode verification: An overview, in Computer Aided Verification, CAV 2001, Lecture Notes in Comput. Sci., Springer-Verlag, 2001, pp. 265–285.
  18. Leroy, X.: Bytecode verification for Java smart card, Software Practice & Experience 32 (2002), 319–340.
  19. Liang, S.: Sun's new verifier, Personal Communication (e-mail). Explains how the KVM's verifier implements lightweight verification, 1999.
  20. Lindholm, T. and Yellin, F.: The Java Virtual Machine Specification, The Java Series, Addison-Wesley, 1996.
  21. Lindholm, T. and Yellin, F.: The Java Virtual Machine Specification, 2nd edn, The Java Series, Addison-Wesley, 1999.
  22. McGraw, G. and Felten, E. W.: Java Security: Hostile Applets, Holes, and Antidotes, Wiley, 1997.
  23. Necula, G. C.: Proof-carrying code, in POPL '97 – 24th Annual ACM Symposium on Principles of Programming Languages, SIGPLAN Notices, 1997.
  24. Necula, G. C. and Lee, P.: Safe kernel extensions without run-time checking, in OSDI '96 – Second Symposium on Operating Systems Design and Implementation, Seattle, Washington, 1996.
  25. Nielson, F., Nielson, H. R. and Hankin, C.: Principles of Program Analysis, Springer-Verlag, 1999.
  26. O'Connell, M.: Java: The inside story, SunWorld. http://sunsite.uakom.sk/sunworldonline/swol-07-1995-swol-07-java.html, 1995.
  27. Rose, E.: Towards bytecode verification on a Java card, in M. Abadi (ed.), Workshop on Security and Languages, Palo Alto, California, 1997.
  28. Rose, E.: Vérification de code d'octet de la machine virtuelle Java. Formalisation et implantation, Ph.D. thesis, Université Paris VII, 2, Place de Jussieu, 75251 Paris Cedex 05, France, 2002. Available from http://www.evarose.net/thesis-submitted.pdf.
  29. Rose, E. and Rose, K. H.: Lightweight bytecode verification, in S. Eisenbach (ed.), Formal Underpinnings of Java (an OOPSLA workshop), Vancouver, BC, Canada, 1998.
  30. Rose, E. and Rose, K. H.: Java access protection through typing, Concurrency and Computation: Practice and Experience 13(13) (2001), 1125–1132. First presented at the ECOOP 2000 workshop on Formal Techniques for Java Programs.
  31. Stärk, R., Schmid, J. and Börger, E.: Java and the Java Virtual Machine – Definition, Verification, Validation, Springer-Verlag, 2001.
  32. Stata, R. and Abadi, M.: A type system for Java bytecode subroutines, in L. Cardelli (ed.), Proceedings of the Twenty-Fifth Annual ACM Symposium on Principles of Programming Languages, San Diego, California, ACM, 1998.
  33. Sun: Java frequently asked question 1.1: Where did Java come from? http://www.ibiblio.org/javafaq/javafaq.html, 1997.
  34. Sun: Java 2 platform, micro edition, http://java.sun.com/j2me, 1999a.
  35. Sun: Java Card 2.1 platform, http://java.sun.com/products/javacard/javacard21.html, 1999b.
  36. Sun: Java 2 platform micro edition (J2ME) technology for creating mobile devices, http://java.sun.com/products/cldc/wp/KVMwp.pdf, 2000.
  37. Sun: Secure computing with Java: Now and the future, http://java.sun.com/marketing/collateral/security.html, 2002. White paper.
  38. Taivalsaari, A.: J2ME connected, limited device configuration, http://jcp.org/en/jsr/detail?id=30, 2000.

Copyright information

© Kluwer Academic Publishers 2003

Authors and Affiliations

  • Eva Rose, IBM T. J. Watson Research Center, Yorktown Heights, USA