Lightweight Modeling of Java Virtual Machine Security Constraints

  • Mark C. Reynolds
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5977)


The Java programming language has been widely described as secure by design. Nevertheless, a number of serious security vulnerabilities have been discovered in Java, particularly in the component known as the Bytecode Verifier. This paper describes a method for representing Java security constraints using the Alloy modeling language. It further describes a system for performing a security analysis on any block of Java bytecodes by converting the bytes into relation initializers in Alloy. Any counterexamples found by the Alloy analyzer correspond directly to insecure code. Analysis of a real world malicious applet is given to demonstrate the efficacy of the approach. This type of analysis represents a significant departure from standard malware detection methods based on signatures or anomaly detection.


Alloy JVM lightweight modeling Java security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alloy website,
  2. 2.
    Jackson, D.: Software Abstractions: Logic, Language and Analysis. MIT Press, Cambridge (2006)Google Scholar
  3. 3.
    McGraw, G., Felten, E.: Securing Java: Getting Down to Business with Mobile Code, 2nd edn. Wiley, New York (1999)Google Scholar
  4. 4.
    Common Vulnerabilities and Exposures,
  5. 5.
  6. 6.
    Java and Java Virtual Machine security vulnerabilities and their exploitation techniques,
  7. 7.
    Lindholm, T., Yellin, F.: The Java Virtual Machine Specification Second Edition. Addison Wesley, Boston (2003)Google Scholar
  8. 8.
    Xu, H.: Java Security Model and Bytecode Verification,
  9. 9.
    Posegga, J., Vogt, H.: Java bytecode verification using model checking,
  10. 10.
    Leroy, X.: Java Bytecode Verification: An Overview. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 265–285. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
  12. 12.
  13. 13.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Mark C. Reynolds
    • 1
  1. 1.Department of Computer ScienceBoston University 

Personalised recommendations