A Type System for the Java Bytecode Language and Verifier

The Java Virtual Machine executes bytecode programs that may have been sent from other, possibly untrusted, locations on the network. Since the transmitted code may be written by a malicious party or corrupted during network transmission, the Java Virtual Machine contains a bytecode verifier to check the code for type errors before it is run. As illustrated by reported attacks on Java run-time systems, the verifier is essential for system security. However, no formal specification of the bytecode verifier exists in the Java Virtual Machine Specification published by Sun. In this paper, we develop such a specification in the form of a type system for a subset of the bytecode language. The subset includes classes, interfaces, constructors, methods, exceptions, and bytecode subroutines. We also present a type checking algorithm and prototype bytecode verifier implementation, and we conclude by discussing other applications of this work. For example, we show how to extend our formal system to check other program properties, such as the correct use of object locks.
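To make the kind of check the abstract describes concrete, here is an added example (not code from the paper or its prototype verifier): a toy dataflow type checker over a small, made-up JVML-like instruction subset, with instructions encoded as tuples and a simplified type lattice of `int`, `ref` and `Top`. It rejects the classic type confusions a verifier exists to catch, such as adding an integer to a reference or loading a local whose type differs on two incoming paths.

```python
# Added example, not code from the paper: a toy checker for a tiny JVML-like
# subset, in the style of a bytecode verifier. Types are assumed to form the
# lattice {int, ref} < Top; stack/local types are tracked per program point
# and merged at join points until a fixpoint (Kildall-style dataflow).
TOP = "Top"  # join of conflicting types; a Top value may not be loaded

def join(a, b): return a if a == b else TOP

def step(instr, locs, stack):
    op, locs, stack = instr[0], list(locs), list(stack)
    def pop(want):
        if not stack or stack.pop() != want:
            raise TypeError(f"{op}: expected {want} on the stack")
    if op == "iconst":
        stack.append("int")
    elif op in ("iload", "aload"):          # a load checks the local's type
        want = "int" if op == "iload" else "ref"
        if locs[instr[1]] != want:
            raise TypeError(f"{op} {instr[1]}: local is {locs[instr[1]]}")
        stack.append(want)
    elif op in ("istore", "astore"):        # a store retypes the local
        pop("int" if op == "istore" else "ref")
        locs[instr[1]] = "int" if op == "istore" else "ref"
    elif op == "iadd":
        pop("int"); pop("int"); stack.append("int")
    elif op in ("ifeq", "ireturn"):
        pop("int")
    elif op != "goto": raise TypeError(f"unknown opcode {op}")
    return locs, stack

def verify(code, init_locs):
    """Return None if the method is well-typed, else the type error found."""
    states = [None] * len(code)             # (locals, stack) at each pc
    states[0], work = (list(init_locs), []), [0]
    try:
        while work:
            pc = work.pop(0); instr = code[pc]
            locs, stack = step(instr, *states[pc])
            succ = ([] if instr[0] == "ireturn" else [instr[1]] if instr[0] == "goto"
                    else [pc + 1, instr[1]] if instr[0] == "ifeq" else [pc + 1])
            for s in succ:
                if s >= len(code): raise TypeError(f"pc {pc}: falls off the end")
                if states[s] is None:
                    states[s] = (locs, stack); work.append(s); continue
                if len(states[s][1]) != len(stack):
                    raise TypeError(f"stack height mismatch at pc {s}")
                merged = tuple([join(a, b) for a, b in zip(o, n)] for o, n in zip(states[s], (locs, stack)))
                if merged != states[s]: states[s] = merged; work.append(s)
    except TypeError as err: return str(err)
    return None
```

`verify` returns `None` for a well-typed method body and otherwise the first type error found, so a program that stores an `int` to local 1 on one branch and a `ref` on the other is rejected at the `iload 1` after the join, because the merged type of that local is `Top`.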
