Pluggable verification modules: an extensible protection mechanism for the JVM

Through the design and implementation of a JVM that supports Pluggable Verification Modules (PVMs), the idea of an extensible protection mechanism is entertained. Link-time bytecode verification becomes a pluggable service that can be readily replaced, reconfigured and augmented. Application-specific verification services can be safely introduced into the dynamic linking process of the JVM. This feature is enabled by the adoption of a previously proposed modular verification architecture, Proof Linking [23, 24], which decouples bytecode verification from the dynamic linking process, rendering the verifier a replaceable module. The PVM mechanism has been implemented in an open source JVM, the Aegis VM [21]. To evaluate the software engineering and security engineering benefits of this extensible protection mechanism, an augmented type system JAC (Java Access Control) [37] has been successfully implemented as a PVM.

[1]  Jeffery von Ronne,et al.  SafeTSA: a type safe and referentially secure mobile-code representation based on static single assignment form , 2001, PLDI '01.

[2]  Liuba Shrira,et al.  Ownership types for object encapsulation , 2003, POPL '03.

[3]  Dirk Theisen,et al.  JAC—Access right based encapsulation for Java , 2001, Softw. Pract. Exp..

[4]  Norman Hardy,et al.  The Confused Deputy: (or why capabilities might have been invented) , 1988, OPSR.

[5]  Robert O'Callahn A Simple, Comprehensive Type System for Java Bytecode Subroutines , 1999, POPL.

[6]  Andrew C. Myers,et al.  Complete, safe information flow with decentralized labels , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[7]  Alessandro Coglio,et al.  Type safety in the jvm: some problems in jdk 1 , 2000 .

[8]  R. Nigel Horspool,et al.  Simple Generation of Static Single-Assignment Form , 2000, CC.

[9]  DugganDominic Type-Safe linking with recursive DLLs and shared libraries , 2002 .

[10]  Robert D. Cameron,et al.  Proof linking: modular verification of mobile programs in the presence of lazy, dynamic linking , 2000, TSEM.

[11]  Michael D. Schroeder,et al.  Cooperation of mutually suspicious subsystems in a computer utility , 1972 .

[12]  David Notkin,et al.  ArchJava: connecting software architecture to implementation , 2002, ICSE '02.

[13]  James Noble,et al.  Ownership types for flexible alias protection , 1998, OOPSLA '98.

[14]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[15]  Dawson R. Engler,et al.  Exokernel: an operating system architecture for application-level resource management , 1995, SOSP.

[16]  Marco Pistoia,et al.  Access rights analysis for Java , 2002, OOPSLA '02.

[17]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[18]  Robert O'Callahan,et al.  A simple, comprehensive type system for Java bytecode subroutines , 1999, POPL 1999.

[19]  Timothy L. Harris,et al.  Extensible virtual machines , 2001 .

[20]  Luca Cardelli,et al.  Program fragments, linking, and modularization , 1997, POPL '97.

[21]  Giovanni Vigna,et al.  Designing Distributed Applications with Mobile Code Paradigms , 1997, Proceedings of the (19th) International Conference on Software Engineering.

[22]  Martin Odersky,et al.  Making the future safe for the past: adding genericity to the Java programming language , 1998, OOPSLA '98.

[23]  Tarek S. Abdelrahman,et al.  A Modular and Extensible JVM Infrastructure , 2002, Java Virtual Machine Research and Technology Symposium.

[24]  Robert D. Cameron,et al.  Proof Linking: Distributed Verification of Java Classfiles in the Presence of Multiple Classloaders , 2001, Java Virtual Machine Research and Technology Symposium.

[25]  Cristina V. Lopes,et al.  Aspect-oriented programming , 1999, ECOOP Workshops.

[26]  Allen Goldberg,et al.  A specification of Java loading and bytecode verification , 1998, CCS '98.

[27]  Martín Abadi,et al.  A type system for Java bytecode subroutines , 1999, TOPL.

[28]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[29]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[30]  Ecma,et al.  Common Language Infrastructure (CLI) , 2001 .

[31]  Zhenyu Qian,et al.  A formal specification of Java class loading , 2000, OOPSLA '00.

[32]  Sheng Liang,et al.  Dynamic class loading in the Java virtual machine , 1998, OOPSLA '98.

[33]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[34]  J. W. Lloyd,et al.  Foundations of logic programming; (2nd extended ed.) , 1987 .

[35]  Craig Chambers,et al.  Alias annotations for program understanding , 2002, OOPSLA '02.

[36]  George C. Necula,et al.  Proof-carrying code , 1997, POPL '97.

[37]  Daniel G. Bobrow,et al.  Book review: The Art of the MetaObject Protocol By Gregor Kiczales, Jim des Rivieres, Daniel G. and Bobrow(MIT Press, 1991) , 1991, SGAR.

[38]  William G. Griswold,et al.  An Overview of AspectJ , 2001, ECOOP.

[39]  Philip W. L. Fong Proof linking: a modular verification architecture for mobile code systems , 2004 .

[40]  Tommy Thorn,et al.  Programming languages for mobile code , 1997 .

[41]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[42]  Jonathan Rees,et al.  A security kernel based on the lambda-calculus , 1995 .

[43]  H. Yamauchi,et al.  Engineering a customizable intermediate representation , 2003, IVME '03.

[44]  Philip W. L. Fong,et al.  Capabilities as Alias Control: Secure Cooperation in Dynamically Extensible Systems , 2005 .

[45]  Alexander Aiken,et al.  A theory of type qualifiers , 1999, PLDI '99.

[46]  J. Gregory Morrisett,et al.  Type-safe linking and modular assembly language , 1999, POPL '99.

[47]  David F. Bacon,et al.  MJ: a rational module system for Java and its applications , 2003, OOPSLA.

[48]  Sarfraz Khurshid,et al.  An analyzable annotation language , 2002, OOPSLA '02.

[49]  Martin C. Rinard,et al.  ACM Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), November 2002 Ownership Types for Safe Programming: Preventing Data Races and Deadlocks , 2022 .

[50]  Jan Vitek,et al.  Confined types in Java , 2001, Softw. Pract. Exp..

[51]  Jacques Ferber,et al.  Computational reflection in class based object-oriented languages , 1989, OOPSLA '89.

[52]  J. Lloyd Foundations of Logic Programming , 1984, Symbolic Computation.

[53]  Gregor Kiczales,et al.  Aspect-oriented programming , 2001, ESEC/FSE-9.

[54]  John Tang Boyland,et al.  Capabilities for Sharing: A Generalisation of Uniqueness and Read-Only , 2001, ECOOP.

[55]  Alexander Aiken,et al.  Flow-sensitive type qualifiers , 2002, PLDI '02.

[56]  Susan Eisenbach,et al.  Formal underpinnings of Java , 1998, OOPSLA Addendum.

[57]  Zhenyu Qian,et al.  Standard fixpoint iteration for Java bytecode verification , 2000, TOPL.

[58]  John Tang Boyland,et al.  Alias burying: Unique variables without destructive reads , 2001, Softw. Pract. Exp..

[59]  Zhenyu Qian,et al.  Toward a provably-correct implementation of the JVM bytecode verifier , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.