Formalization and Analysis of Class Loading in Java

Since Java security relies on the type safety of the JVM, many formal approaches have been taken to prove the soundness of the JVM. This paper presents a new formalization of the JVM and proves its soundness. It is the first model to incorporate dynamic linking and bytecode verification in order to analyze the loading constraint scheme of Java 2. The key concept required for proving the soundness of the new model is augmented value typing, which is obtained from ordinary value typing combined with the loading constraint scheme. In proving the soundness of the model, we show that the current reference implementation of the JVM has some problems with respect to our model. We also analyze the findClass scheme newly introduced in Java 2. The same analysis shows why applets cannot exploit the type-spoofing vulnerability reported by Saraswat, which led to the introduction of the loading constraint scheme.
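The situation the loading constraint scheme guards against can be reproduced on a modern JVM. The program below is an added example written for this page; it is not code from the paper, from Saraswat's report, or from any JVM implementation, and the class names (Widget, Consumer, Impl, IsolatingLoader) are chosen for illustration. It assumes Java 11 or later on a HotSpot-style JVM that implements the JVMS loading constraints: two class loaders each define a class named Main$Widget, a class defined by the child loader implements an interface from the parent loader whose method signature mentions Widget, and the JVM is expected to reject the second Widget definition with a LinkageError rather than let the method body treat a parent-loader Widget as a child-loader Widget.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Set;

/*
 * Added example (not code from the paper or any JVM). Two loaders define a
 * class named Main$Widget; this is the shape of Saraswat's type spoofing.
 * Java 2 loading constraints make the JVM refuse the second definition.
 * Compile with `javac Main.java` and run with `java Main` (Java 11+), so that
 * the nested classes exist as .class resources on the class path.
 */
public class Main {

    public static class Widget { public int size = 7; }

    public interface Consumer { int take(Widget w); }

    public static class Impl implements Consumer {
        // Verified against Widget as resolved by Impl's own defining loader.
        public int take(Widget w) { return w.size; }
    }

    /** Child-first loader: defines the named classes itself (through the
     *  Java 2 findClass hook) instead of delegating them to the parent, so
     *  each IsolatingLoader gets its own runtime type for those names.
     *  Every other name follows normal parent delegation. */
    public static class IsolatingLoader extends ClassLoader {
        private final Set<String> isolated;

        IsolatingLoader(Set<String> isolated) {
            super(Main.class.getClassLoader());
            this.isolated = isolated;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    c = isolated.contains(name) ? findClass(name)
                                                : super.loadClass(name, false);
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            // Reuse the bytes the parent can see; defineClass still produces a
            // distinct runtime type because the defining loader is different.
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] b = in.readAllBytes();
                return defineClass(name, b, 0, b.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Instantiates Main$Impl in the given loader and calls it with a Widget
     *  created by the application loader. */
    static String run(ClassLoader loader, Widget w) throws Exception {
        try {
            Class<?> implClass = Class.forName("Main$Impl", true, loader);
            Consumer c = (Consumer) implClass.getDeclaredConstructor().newInstance();
            return "ok, size=" + c.take(w);
        } catch (LinkageError e) {
            // Loader constraint violations surface as LinkageError.
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        Widget w = new Widget();  // Widget as defined by the application loader

        // Impl is isolated but Widget is delegated to the parent: a single
        // Widget type for everybody, so the call is well typed and succeeds.
        System.out.println(run(new IsolatingLoader(Set.of("Main$Impl")), w));

        // Impl and Widget are both isolated: Impl.take expects Widget^L1 but
        // receives Widget^App. Linking Impl against Consumer recorded the
        // constraint Widget^L1 = Widget^App; it is violated the moment L1
        // tries to define its own Widget, and the JVM throws a LinkageError.
        System.out.println(run(new IsolatingLoader(Set.of("Main$Impl", "Main$Widget")), w));
    }
}
```

The interesting point is where the check fires. Nothing in Impl's own verification references the parent's Widget, so a name-based verifier alone would accept the call; it is the constraint recorded when Impl is linked against Consumer, and re-checked when the child loader defines Widget, that stops the confusion. That is exactly the cross-loader condition that ordinary value typing does not capture and that the abstract's augmented value typing adds.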