
Java Bytecode Verification: Algorithms and Formalizations

  • Published in: Journal of Automated Reasoning

Abstract

Bytecode verification is a crucial security component for Java applets, on the Web and on embedded devices such as smart cards. This paper reviews the various bytecode verification algorithms that have been proposed, recasts them in a common framework of dataflow analysis, and surveys the use of proof assistants to specify bytecode verification and prove its correctness.
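The abstract's central point is that bytecode verification can be recast as a dataflow analysis: a type frame per instruction, an abstract transfer function per opcode, and a fixpoint iteration that keeps re-analysing until no frame changes. The following is an added example, not code from the paper, showing that framework on a deliberately small JVM-like stack machine in Python: a three-point type lattice (int, ref, top), a Kildall-style worklist, and the checks that make it a security component (operand types, local-variable types, stack height and bounds, branch targets inside the method). The opcode names, the `verify` and `check` functions and the sample methods are constructed assumptions and do not match the real JVM.

```python
# Toy bytecode verifier as a dataflow analysis (Kildall's worklist fixpoint over
# per-instruction type frames). Added example; simplified assumptions, not the JVM.
from collections import deque

# Abstract types. TOP is the join of two different types: a slot that holds
# something but may not be read. Locals may be TOP; the operand stack may not.
INT, REF, TOP = "int", "ref", "top"
PUSHES = {"iconst": INT, "aconst_null": REF}
LOADS, STORES = {"iload": INT, "aload": REF}, {"istore": INT, "astore": REF}

class VerifyError(Exception):
    """The method could not be proven type-safe."""

def join(a, b):
    """Least upper bound in the lattice {int, ref} < top."""
    return a if a == b else TOP

def merge(old, new):
    """Join frame `new` into the frame recorded at a pc; returns (merged, changed)."""
    if old is None:                        # first time this pc is reached
        return new, True
    if len(old[1]) != len(new[1]):         # stack heights must agree, as in the JVM
        raise VerifyError("operand stack height differs at merge point")
    stack = tuple(join(x, y) for x, y in zip(old[1], new[1]))
    if TOP in stack:
        raise VerifyError("incompatible operand stack types at merge point")
    merged = (tuple(join(x, y) for x, y in zip(old[0], new[0])), stack)
    return merged, merged != old

def transfer(pc, instr, frame):
    """Abstract execution of one instruction; returns [(successor_pc, frame), ...]."""
    locals_, stack = list(frame[0]), list(frame[1])
    op, *args = instr

    def pop(want):
        found = stack.pop() if stack else "empty stack"
        if found != want:
            raise VerifyError(f"pc {pc}: {op} expects {want}, found {found}")

    if op in PUSHES:
        stack.append(PUSHES[op])
    elif op in LOADS or op in STORES:
        i, want = args[0], LOADS.get(op) or STORES[op]
        if not 0 <= i < len(locals_):
            raise VerifyError(f"pc {pc}: local {i} out of range")
        if op in LOADS:                    # reading a TOP slot is rejected here
            if locals_[i] != want:
                raise VerifyError(f"pc {pc}: local {i} holds {locals_[i]}, {op} needs {want}")
            stack.append(want)
        else:
            pop(want)
            locals_[i] = want
    elif op == "iadd":
        pop(INT); pop(INT); stack.append(INT)
    elif op == "ifeq":                     # two successors: fall-through and target
        pop(INT)
        out = (tuple(locals_), tuple(stack))
        return [(pc + 1, out), (args[0], out)]
    elif op == "goto":
        return [(args[0], (tuple(locals_), tuple(stack)))]
    elif op == "ireturn":
        pop(INT)
        return []
    else:
        raise VerifyError(f"pc {pc}: unknown opcode {op}")
    return [(pc + 1, (tuple(locals_), tuple(stack)))]

def verify(code, nlocals, max_stack, params=()):
    """Worklist fixpoint; returns the frame at each pc (None if unreached) or raises."""
    frames = [None] * len(code)
    frames[0] = (tuple(params) + (TOP,) * (nlocals - len(params)), ())
    work = deque([0])
    while work:
        pc = work.popleft()
        for succ, out in transfer(pc, code[pc], frames[pc]):
            if not 0 <= succ < len(code):
                raise VerifyError(f"pc {pc}: control leaves the method body")
            if len(out[1]) > max_stack:
                raise VerifyError(f"pc {pc}: operand stack exceeds max_stack")
            frames[succ], changed = merge(frames[succ], out)
            if changed:                    # re-analyse until no frame changes
                work.append(succ)
    return frames

def check(code, nlocals, max_stack, params=()):
    try:
        return True, verify(code, nlocals, max_stack, params)
    except VerifyError as e:
        return False, str(e)

# Constructed sample methods (not from the paper); entries are (opcode, args...).
SUM_LOOP = [("iconst", 0), ("istore", 1), ("iload", 0), ("ifeq", 13),  # acc = 0; while n != 0:
            ("iload", 1), ("iload", 0), ("iadd",), ("istore", 1),      #   acc += n
            ("iload", 0), ("iconst", -1), ("iadd",), ("istore", 0),    #   n -= 1
            ("goto", 2), ("iload", 1), ("ireturn",)]                   # return acc
# Local 1 is a ref on one path and an int on the other: the merge yields TOP and
# the later iload is rejected, the type confusion that verification exists to stop.
TYPE_CONFUSION = [("iload", 0), ("ifeq", 5), ("aconst_null",), ("astore", 1), ("goto", 7),
                  ("iconst", 1), ("istore", 1), ("iload", 1), ("ireturn",)]
```

`check(SUM_LOOP, 2, 2, (INT,))` accepts the loop and returns the inferred frame at every pc; `check(TYPE_CONFUSION, 2, 1, (INT,))` rejects it at pc 7 because local 1 has become `top`. The real JVM lattice is a subtyping hierarchy of class and interface types rather than two flat types, and the `jsr`/`ret` subroutines, object initialization and method calls that the paper's surveyed algorithms have to handle are left out here; the worklist, merge and per-opcode transfer are the parts that carry over.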



Cite this article

Leroy, X. Java Bytecode Verification: Algorithms and Formalizations. Journal of Automated Reasoning 30, 235–269 (2003). https://doi.org/10.1023/A:1025055424017
