In this paper, we provide a theoretical foundation for and improvements to the existing bytecode verification technology, a critical component of the Java security model, for mobile code used with the Java “micro edition” (J2ME), which is intended for embedded computing devices. In Java, remotely loaded “bytecode” class files are required to be bytecode verified before execution, that is, to undergo a static type analysis that protects the platform's Java run-time system from so-called type confusion attacks such as pointer manipulation. The data flow analysis that performs the verification, however, is beyond the capacity of most embedded devices because of the memory requirements that the typical algorithm will need. We propose to take a proof-carrying code approach to data flow analysis in defining an alternative technique called “lightweight analysis” that uses the notion of a “certificate” to reanalyze a previously analyzed data flow problem, even on poorly resourced platforms. We formally prove that the technique provides the same guarantees as standard bytecode safety verification analysis, in particular that it is “tamper proof” in the sense that the guarantees provided by the analysis cannot be broken by crafting a “false” certificate or by altering the analyzed code. We show how the Java bytecode verifier fits into this framework for an important subset of the Java Virtual Machine; we also show how the resulting “lightweight bytecode verification” technique generalizes and simulates the J2ME verifier (to be expected as Sun's J2ME “K-Virtual machine” verifier was directly based on an early version of this work), as well as Leroy's “on-card bytecode verifier,” which is specifically targeted for Java Cards.
This is a preview of subscription content, log in to check access.
Buy single article
Instant access to the full article PDF.
Price includes VAT for USA
Subscribe to journal
Immediate online access to all issues from 2019. Subscription will auto renew annually.
This is the net price. Taxes to be calculated in checkout.
Abadi, M. and Cardelli, L.: A Theory of Objects, Monographs in Computer Science, Springer-Verlag, 1996.
Anderson, R.: Why cryptosystems fail, Comm. ACM 37(11) (1994), 32–40.
Barthe, G., Dufay, G., Jakubiec, L., Serpette, B., Sousa, S. and Yu, S.: Formalization in Coq of the Java Card VirtualMachine, in S. Drossopoulou, S. Eisenbach, B. Jacobs, G. T. Leavens, P. Müller, and A. Poetzsch-Heffter (eds.), Formal Techniques for Java Programs (ECOOP 2000 workshop), Sophia-Antipolis, France, 2000.
Bracha, G.: Java class file specification update, http://jcp.org/en/jsr/detail?id=202, 2000.
Chen, Z.: Java Card Technology for Smart Cards, The Java Series, Addison-Wesley, 2000.
Colby, C., Lee, P., Necula, G. C., Blau, F., Plesko, M. and Cline, K.: A certifying compiler for Java, ACM SIGPLAN Notices 35(5) (2000a), 95–107. Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '00).
Colby, C., Necula, G. C. and Lee, P.: A proof-carrying code architecture for Java, in Proceedings of the 12th International Conference on Computer Aided Verification (CAV00), Chicago, IL, 2000b.
Drossopoulou, S., Eisenbach, S. and Khurshid, S.: Is the Java type system sound?, Theory and Practice of Object Systems 5(1) (1999), 3–24.
Freund, S.: The costs and benefits of Java bytecode subroutines, in S. Eisenbach (ed.), Formal Underpinnings of Java (an OOPSLA workshop), Vancouver, BC, Canada, 1998.
Freund, S. and Mitchell, J.: A formal framework for the Java bytecode language and verifier, in ACM Conference on Object-Oriented Programming: Systems, Languages and Applications, 1999.
Hartel, P. and Moreau, L.: Formalizing the safety of Java, the Java Virtual Machine and Java Card, ACM Computing Surveys 33(4) (2001), 517–558.
Jensen, T., Le Métayer, D. and Thorn, T.: A formalisation of visibility and dynamic loading in Java, in ICCL '98, 1998. Also published as a IRISA Technical Report no. 1137, October 1997.
Kildall, G. A.: A unified approach to global program optimization, in Conference Record of the ACM Symposium on Principles of Programming Languages, Boston, Mass., 1973, pp. 194–206.
Klein, G.: Verified Java bytecode verification, Ph.D. thesis, Institut für Informatik, Technische Universität München, 2003.
Klein, G. and Nipkow, T.: Verified lightweight bytecode verification, Concurrency and Computation: Practice and Experience 13(13) (2001), 1133–1151. Invited contribution to special issue of papers from Formal Techniques for Java Programs (ECOOP 2000 workshop).
Klein, G. and Nipkow, T.: Verified bytecode verifiers, Theoret. Comput. Sci. (2002). To appear.
Leroy, X.: Java bytecode verification: An overview, in Computer Aided Verification, CAV 2001, Lecture Notes in Comput. Sci., Springer-Verlag, 2001, pp. 265–285.
Leroy, X.: Bytecode verification for Java smart card, Software Practice & Experience 32 (2002), 319–340.
Liang, S.: Sun's new verifier, Personal Communication (e-mail). Explains how the KVM's verifier implements lightweigt verification, 1999.
Lindholm, T. and Yellin, F.: The Java Virtual Machine Specification, The Java Series, Addison-Wesley, 1996.
Lindholm, T. and Yellin, F.: The Java Virtual Machine Specification, 2nd edn, The Java Series, Addison-Wesley, 1999.
McGraw, G. and Felten, E. W.: Java Security: Hostile Applets, Holes, and Antidotes, Wiley, 1997.
Necula, G. C.: Proof-carrying code, in POPL '97 – 24th Annual ACM Symposium on Principles of Programming Languages, SIGPLAN Notices, 1997.
Necula, G. C. and Lee, P.: Safe kernel extensions without run-time checking, in OSDI '96 – Second Symposium on Operating Systems Design and Implementation, Seattle, Washington, 1996.
Nielson, F., Nielson, H. R. and Hankin, C.: Principles of Program Analysis, Springer-Verlag, 1999.
O'Connell, M.: Java: The inside story, SunWorld. http://sunsite.uakom.sk/sunworldonline/swol-07-1995-swol-07-java.html, 1995.
Rose, E.: Towards bytecode verification on a Java card, in M. Abadi (ed.), Workshop on Security and Languages, Palo Alto, California, 1997.
Rose, E.: Vérification de code d'octet de la machine virtuelle Java. Formalisation et implantation, Ph.D. thesis, SE. RoseUniversité Paris VII, 2, Place de Jussieu, 75251 Paris Cedex 05, France, 2002. Available from http://www.evarose.net/thesis-submitted.pdf.
Rose, E. and Rose, K. H.: Lightweight bytecode verification, in S. Eisenbach (ed.), Formal Underpinnings of Java (an OOPSLA workshop), Vancouver, BC, Canada, 1998.
Rose, E. and Rose, K. H.: Java access protection through typing, Concurrency and Computation: Practice and Experience 13(13) (2001), 1125–1132. First presented at the ECOOP 2000 workshop on Formal Techniques for Java Programs.
Stärk, R., Schmid, J. and Börger, E.: Java and the Java Virtual Machine – Definition, Verification, Validation, Springer-Verlag, 2001.
Stata, R. and Abadi, M.: A type system for Java bytecode subroutines, in L. Cardelli (ed.), Proceedings of the Twenty-Fifth Annual ACM Symposium on Principles of Programming Languages, San Diego, California, ACM, 1998.
Sun: Java frequently asked question 1.1: Where did Java come from? http://www.ibiblio.org/javafaq/javafaq.html, 1997.
Sun: Java 2 platform, micro edition, http://java.sun.com/j2me, 1999a.
Sun: Java Card 2.1 platform, http://java.sun.com/products/javacard/javacard21.html, 1999b.
Sun: Java 2 platform micro edition (J2ME) technology for creating mobile devices, http://java.sun.com/products/cldc/wp/KVMwp.pdf, 2000.
Sun: Secure computing with Java: Now and the future, http://java.sun.com/marketing/collateral/security.html, 2002. White paper.
Taivalsaari, A.: J2ME connected, limited device configuration, http://jcp.org/en/jsr/detail?id=30, 2000.
About this article
Cite this article
Rose, E. Lightweight Bytecode Verification. Journal of Automated Reasoning 31, 303–334 (2003). https://doi.org/10.1023/B:JARS.0000021015.15794.82
- bytecode verification
- data flow analysis
- proof-carrying code