Verified Bytecode Model Checkers

  • David Basin
  • Stefan Friedrich
  • Marek Gawkowski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2410)


We have used Isabelle/HOL to formalize and prove correct an approach to bytecode verification based on model checking that we have developed for the Java Virtual Machine. Our work builds on, and extends, the formalization of the Java Virtual Machine and data flow analysis framework of Pusch and Nipkow. By building on their framework, we can reuse their results that relate the run-time behavior of programs with the existence of well-typings for the programs. Our primary extensions are to handle polyvariant data flow analysis and its realization as temporal logic model checking. Aside from establishing the correctness of our model-checking approach, our work contributes to understanding the interrelationships between classical data flow analysis and program analysis based on model checking.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    D. Basin, S. Friedrich, M.J. Gawkowski, and J. Posegga. Bytecode Model Checking: An Experimental Analysis. In 9th International SPIN Workshop on Model Checking of Software, 2002, volume 2318 of LNCS, pages 42–59, Grenoble. Springer-Verlag, 2002.Google Scholar
  2. 2.
    Y. Bertot. A Coq formalization of a type checker for object initialization in the Java Virtual Machine. Technical Report RR-4047, INRIA, Nov. 2000.Google Scholar
  3. 3.
    A. Coglio, A. Goldberg, and Z. Qian. Toward a provably-correct implementation of the JVM bytecode verifier. In Proc. DARPA Information Survivability Conference and Exposition (DISCEX’00), Vol. 2, pages 403–410. IEEE Computer Society Press, 2000.CrossRefGoogle Scholar
  4. 4.
    S. Freund and J. Mitchell. A type system for object initialisation in the Java byte-code language. In ACM Conf. Object-Oriented Programming: Systems, Languages and Applications, 1998.Google Scholar
  5. 5.
    S.N. Freund and J. C. Mitchell. A formal framework for the java bytecode language and verifier. In ACM Conf. Object-Oriented Programming: Systems, Languages and Applications, 1999.Google Scholar
  6. 6.
    A. Goldberg. A specification of Java loading and bytecode verification. In Proc. 5th ACM Conf. Computer and Communications Security, 1998.Google Scholar
  7. 7.
    M. Hagiya and A. Tozawa. On a new method for dataflow analysis of Java virtual machine subroutines. In G. Levi, editor. Static Analysis (SAS’98), volume 1503 of LNCS, pages 17–32. Springer-Verlag, 1998.CrossRefGoogle Scholar
  8. 8.
    G.A. Kildall. A unified approach to global program optimization. In Proc. ACM Symp. Principles of Programming Languages, pages 194–206, 1973.Google Scholar
  9. 9.
    X. Leroy. Java Bytecode Verification: An Overview. In G. Berry, H. Comon, and A. Finkel, editors. CAV 2001, LNCS, pages 265–285. Springer-Verlag, 2001.Google Scholar
  10. 10.
    T. Lindholm and F. Yellin. The Java Virtual Machine Specification. Addison-Wesley, 1996.Google Scholar
  11. 11.
    T. Nipkow. Verified Bytecode Verifiers. In Foundations of Software Science and Computation Structure (FOSSACS’01), pages 347–363, Springer-Verlag, 2001.Google Scholar
  12. 12.
    T. Nipkow and D. v. Oheimb. Javaligth is type-safe-definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161–170, 1998.Google Scholar
  13. 13.
    T. Nipkow, D.v. Oheimb, and C. Pusch. μJava: Embedding a programming language in a theorem prover. In F. Bauer and R. Steinbrüggen, editors, Foundations of Secure Computation, pages 117–144. IOS Press, 2000.Google Scholar
  14. 14.
    J. Posegga and H. Vogt. Java bytecode verification using model checking. In Workshop Fundamental Under spinnings of Java, 1998.Google Scholar
  15. 15.
    C. Pusch. Proving the soundness of a Java bytecode verifier specification in Isabelle/HOL. In W. Cleaveland, editor, Tools and Algorithms for the Construction and Analysis of Systems (TACAS’99), volume 1597 of LNCS, pages 89–103. Springer-Verlag, 1999.CrossRefGoogle Scholar
  16. 16.
    D.A. Schmidt. Data flow analysis is model checking of abstract interpretations. In POPL’98, pages 38–48. ACM Press 1998.Google Scholar
  17. 17.
    Z. Qian. A formal specification of Java Virtual Machine instructions for objects, methods and subroutines. In J. Alves-Foss, editor, Formal Syntax and Semantics of Java, volume 1523 of LNCS, pages 271–311. Springer-Verlag, 1999.CrossRefGoogle Scholar
  18. 18.
    Z. Qian. Standard fixpoint iteration for Java bytecode verification. ACM Trans. Programming Languages and Systems, 22(4):638–672, 2000.CrossRefGoogle Scholar
  19. 19.
    R. Stata and M. Abadi. A type system for Java bytecode subroutines. In Proc 25th ACM Symp. Principles of Programming Languages, pages 149–161. ACM Press, 1998.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • David Basin
    • 1
  • Stefan Friedrich
    • 1
  • Marek Gawkowski
    • 1
  1. 1.Albert-Ludwigs-Universität FreiburgGermany

Personalised recommendations