Formalizing the safety of Java, the Java virtual machine, and Java card

We review the existing literature on Java safety, emphasizing formal approaches, and the impact of Java safety on small footprint devices such as smartcards. The conclusion is that although a lot of good work has been done, a more concerted effort is needed to build a coherent set of machine-readable formal models of the whole of Java and its implementation. This is a formidable task but we believe it is essential to build trust in Java safety, and thence to achieve ITSEC level 6 or Common Criteria level 7 certification for Java programs.

[1]  Alessandro Coglio,et al.  Type safety in the jvm: some problems in jdk 1 , 2000 .

[2]  Rida A. Bazzi,et al.  The power of processor consistency , 1993, SPAA '93.

[3]  Pieter H. Hartel,et al.  A Programming and a Modelling Perspective on the Evaluation of Java Card Implementations , 2000, Java Card Workshop.

[4]  Bart Jacobs,et al.  A Monad for Basic Java Semantics , 2000, AMAST.

[5]  James C. Corbett,et al.  Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[6]  William Pugh The Java memory model is fatally flawed , 2000, Concurr. Pract. Exp..

[7]  Martín Abadi,et al.  A calculus for access control in distributed systems , 1991, TOPL.

[8]  Assaf Schuster,et al.  Java consistency: nonoperational characterizations for Java memory behavior , 2000, TOCS.

[9]  Jean-Louis Lanet,et al.  Electronic Purse Applet Certification: extended abstract , 2000, Electron. Notes Theor. Comput. Sci..

[10]  Matthias Felleisen,et al.  A Programmer's Reduction Semantics for Classes and Mixins , 1999, Formal Syntax and Semantics of Java.

[11]  Guy L. Steele,et al.  Java Language Specification, Second Edition: The Java Series , 2000 .

[12]  Peter Bertelsen,et al.  Semantics of Java Byte Code , 1997 .

[13]  Martín Abadi Protection in Programming-Language Translations , 1999, Secure Internet Programming.

[14]  George C. Necula,et al.  Efficient representation and validation of proofs , 1998, Proceedings. Thirteenth Annual IEEE Symposium on Logic in Computer Science (Cat. No.98CB36226).

[15]  Joachim Posegga,et al.  Byte Code Verification for Java Smart Card Based on Model Checking , 1998, ESORICS.

[16]  Ewen Denney,et al.  Correctness of Java Card Method Lookup via Logical Relations , 2000, ESOP.

[17]  Karl Crary,et al.  From system F to typed assembly language , 1999 .

[18]  K. Rustan M. Leino,et al.  Extended static checking , 1998, PROCOMET.

[19]  Jong-Deok Choi,et al.  Escape analysis for Java , 1999, OOPSLA '99.

[20]  Gilad Bracha,et al.  GJ: Extending the Java programming language with type parameters , 1999 .

[21]  Bart Jacobs,et al.  A Type-Theoretic Memory Model for Verification of Sequential Java Programs , 1999, WADT.

[22]  Alessandro Coglio,et al.  Type safety in the JVM: some problems in Java 2 SDK 1.2 and proposed solutions , 2001, Concurr. Comput. Pract. Exp..

[23]  Radu Iosif,et al.  Modeling and Validation of Java Multithreading Applications using SPIN , 1998 .

[24]  Dan S. Wallach,et al.  Understanding Java stack inspection , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[25]  J. S. Moore,et al.  Proving Theorems About Java-Like Byte Code , 1999, Correct System Design.

[26]  Egon Börger,et al.  A Practical Method for Specification and Analysis of Exception Handling - A Java/JVM Case Study , 2000, IEEE Trans. Software Eng..

[27]  Eva Rose,et al.  Towards Secure Bytecode Verification on a Java Card , 1998 .

[28]  Denis Caromel,et al.  Smart Tools for Java Cards , 2000, CARDIS.

[29]  Peter Lee,et al.  The TIL/ML Compiler: Performance and Safety through Types , 1996 .

[30]  Sophia Drossopoulou,et al.  What is Java binary compatibility? , 1998, OOPSLA '98.

[31]  Scott Oaks,et al.  Java Security , 1998 .

[32]  Daniel Le Métayer,et al.  Verification of control flow based security properties , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[33]  Tommy Thorne,et al.  Programming languages for mobile code , 1997, CSUR.

[34]  Wan Fokkink,et al.  A Conservative Look at Operational Semantics with Variable Binding , 1998, Inf. Comput..

[35]  Pietro Cenciarelli,et al.  Towards a Modular Denotational Semantics of Java , 1999, ECOOP Workshops.

[36]  Pieter H. Hartel,et al.  LETOS – a lightweight execution tool for operational semantics , 1999 .

[37]  Geoffrey Smith,et al.  Language Issues in Mobile Program Security , 1998, Mobile Agents and Security.

[38]  Masami Hagiya,et al.  On a New Method for Dataflow Analysis of Java Virtual Machine Subroutines , 1998, SAS.

[39]  Dan S. Wallach,et al.  Java security: from HotJava to Netscape and beyond , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[40]  Steven B. Lipner,et al.  Trusted Computer System Evaluation Criteria ( Orange Book ) December , 2001 .

[41]  Antero Taivalsaari,et al.  The Spotless System: Implementing a Java System for the Palm Connected Organizer , 1999 .

[42]  Assaf Schuster,et al.  A high performance cluster JVM presenting a pure single system image , 2000, JAVA '00.

[43]  Philip Wadler,et al.  Featherweight Java: a minimal core calculus for Java and GJ , 2001, TOPL.

[44]  Martín Abadi,et al.  A Calculus for Access Control in Distributed Systems , 1991, CRYPTO.

[45]  Stephen N. Freund,et al.  Adding type parameterization to the Java language , 1997, OOPSLA '97.

[46]  Stephen N. Freund,et al.  A type system for object initialization in the Java bytecode language , 1998, OOPSLA '98.

[47]  Bart Jacobs,et al.  Specification of the JavaCard API in JML , 2000, CARDIS.

[48]  Philip Wadler,et al.  Comprehending monads , 1990, LISP and Functional Programming.

[49]  Sarfraz Khurshid,et al.  Is the Java Type System Sound? , 1999, Theory Pract. Object Syst..

[50]  Jakob Rehof,et al.  Type elaboration and subtype completion for Java bytecode , 2000, TOPL.

[51]  Pierre Jouvelot,et al.  Polymorphic type, region and effect inference , 1992, Journal of Functional Programming.

[52]  Michael Factor,et al.  cJVM: a single system image of a JVM on a cluster , 1999, Proceedings of the 1999 International Conference on Parallel Processing.

[53]  Jim Alves-Foss,et al.  Formal Syntax and Semantics of Java , 2002, Lecture Notes in Computer Science.

[54]  Doug Simon,et al.  The 1999/smli_tr-99-72.ps: Implementing a Java TM System for the Palm Connected Organizer , 1999 .

[55]  R. W. Witty,et al.  Safe programming , 1978 .

[56]  Tobias Nipkow,et al.  Javalight is type-safe—definitely , 1998, POPL '98.

[57]  George C. Necula,et al.  Oracle-based checking of untrusted software , 2001, POPL '01.

[58]  Flemming Nielson,et al.  Semantics with applications - a formal introduction , 1992, Wiley professional computing.

[59]  Martin Wirsing,et al.  Formal Syntax and Semantics of Java , 1999 .

[60]  Bart Jacobs,et al.  Formal specification of the JavaCard API in JML: the APDU class , 2001, Comput. Networks.

[61]  Z. Chen Java Card Technology for Smart Cards: Architecture and Programmer''s Guide. The Java Series. Addis , 2000 .

[62]  Don Syme,et al.  Proving Java Type Soundness , 1999, Formal Syntax and Semantics of Java.

[63]  Robert O'Callahn A Simple, Comprehensive Type System for Java Bytecode Subroutines , 1999, POPL.

[64]  Edward W. Felten,et al.  A Java Filter , 1997 .

[65]  Bernhard Möller,et al.  Prospects for Hardware Foundations , 2002, Lecture Notes in Computer Science.

[66]  Tobias Nipkow,et al.  Machine-Checking the Java Specification: Proving Type-Safety , 1999, Formal Syntax and Semantics of Java.

[67]  Emin Gün Sirer,et al.  Static Analyses for Eliminating Unnecessary Synchronization from Java Programs , 1999, SAS.

[68]  David Detlefs,et al.  Garbage collection and local variable type-precision and liveness in Java virtual machines , 1998, PLDI.

[69]  Johannes F. Broenink,et al.  Communicating Java Threads , 1997 .

[70]  Bart Jacobs,et al.  The LOOP Compiler for Java and JML , 2001, TACAS.

[71]  George C. Necula,et al.  Proof-carrying code , 1997, POPL '97.

[72]  V. H. AllanComputer Multijav: a Distributed Shared Memory System Based on Multiple Java Virtual Machines , 1998 .

[73]  Egon Börger,et al.  A Programmer Friendly Modular Definition of the Semantics of Java , 1999, Formal Syntax and Semantics of Java.

[74]  Philip J. Hatcher,et al.  The Hyperion system: Compiling multithreaded Java bytecode for distributed execution , 2001, Parallel Comput..

[75]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[76]  Denis Caromel,et al.  Smart tools for Java Card , 2000 .

[77]  Sophia Drossopoulou,et al.  A fragment calculus-towards a model of separate compilation, linking and binary compatibility , 1999, Proceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158).

[78]  Gianna Reggio,et al.  An Operational Semantics for Java , 1998 .

[79]  Klaus Havelund,et al.  Model checking JAVA programs using JAVA PathFinder , 2000, International Journal on Software Tools for Technology Transfer.

[80]  Gerard J. Holzmann,et al.  The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[81]  Martin Wirsing,et al.  An Event-Based Structural Operational Semantics of Multi-Threaded Java , 1999, Formal Syntax and Semantics of Java.

[82]  Patrick Borras,et al.  Centaur: the system , 1988, Software Development Environments.

[83]  Sheng Liang,et al.  Dynamic class loading in the Java virtual machine , 1998, OOPSLA '98.

[84]  Dan S. Wallach,et al.  A new approach to mobile code security , 1999 .

[85]  Karen Stephenson Towards an Algebraic Specification of the Java Virtual Machine , 1998, Prospects for Hardware Foundations.

[86]  共立出版株式会社 コンピュータ・サイエンス : ACM computing surveys , 1978 .

[87]  Philip Wadler,et al.  Comprehending monads , 1990, Mathematical Structures in Computer Science.

[88]  Michael K. Reiter,et al.  Secure execution of Java applets using a remote playground , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[89]  Karl Crary,et al.  Resource bound certification , 2000, POPL '00.

[90]  Charles Wallace The semantics of the Java programming language: Preliminary version , 1997 .

[91]  Marieke Huisman,et al.  Reasoning about Java programs in higher order logic using PVS and Isabelle , 2001 .

[92]  Bart Jacobs,et al.  Reasoning about Java classes: preliminary report , 1998, OOPSLA '98.

[93]  John C. Mitchell Java Bytecode Modification and Applet Security , 1998 .

[94]  Stephen N. Freund The Costs and Benefits of Java Bytecode Subroutines , 1998 .

[95]  Sophia Drossopoulou,et al.  Describing the Semantics of Java and Proving Type Soundness , 1999, Formal Syntax and Semantics of Java.

[96]  Zhenyu Qian,et al.  Standard fixpoint iteration for Java bytecode verification , 2000, TOPL.

[97]  Martin Odersky,et al.  Pizza into Java: translating theory into practice , 1997, POPL '97.

[98]  X. Chen,et al.  MultiJav: A Distributed Shared Memory System Based on Multiple Java Virtual Machines , 2002 .

[99]  Yuri Gurevich,et al.  Evolving algebras 1993: Lipari guide , 1995, Specification and validation methods.

[100]  Bart Jacobs,et al.  A Formalisation of Java's Exception Mechanism , 2001, ESOP.

[101]  Cornelia Pusch Formalizing the Java Virtual Machine in Isabelle/HOL , 1998 .

[102]  Jean-Raymond Abrial,et al.  The B-book - assigning programs to meanings , 1996 .

[103]  Samuel P. Midkiff,et al.  From flop to megaflops: Java for technical computing , 1998, TOPL.

[104]  Zhenyu Qian,et al.  A Formal Specification of Java Virtual Machine Instructions for Objects, Methods and Subrountines , 1999, Formal Syntax and Semantics of Java.

[105]  George C. Necula,et al.  Safe, Untrusted Agents Using Proof-Carrying Code , 1998, Mobile Agents and Security.

[106]  Martín Abadi,et al.  A type system for Java bytecode subroutines , 1999, TOPL.

[107]  Robert Hieb,et al.  The Revised Report on the Syntactic Theories of Sequential Control and State , 1992, Theor. Comput. Sci..

[108]  OwreSam,et al.  Formal Verification for Fault-Tolerant Architectures , 1995 .

[109]  Jim Alves-Foss,et al.  Dynamic Denotational Semantics of Java , 1999, Formal Syntax and Semantics of Java.

[110]  Lawrence Charles Paulson,et al.  Isabelle: A Generic Theorem Prover , 1994 .

[111]  Stephan Diehl A Formal Introduction to the Compilation of Java , 1998, Softw. Pract. Exp..

[112]  Xiangmin Zhang,et al.  Java Security , 2000 .

[113]  William Pugh,et al.  Semantics of Multithreaded Java , 2001 .

[114]  Jean-Louis Lanet,et al.  Are Smart Cards the Ideal Domain for Applying Formal Methods? , 2000, ZB.

[115]  W. Webb,et al.  EMBEDDED JAVA : AN UNCERTAIN FUTURE , 1999 .

[116]  Albert L. Baker,et al.  JML: A Notation for Detailed Design , 1999, Behavioral Specifications of Businesses and Systems.

[117]  Sophia Drossopoulou,et al.  Java is Type Safe - Probably , 1997, ECOOP.

[118]  Cosimo Laneve,et al.  A type system for JVM threads , 2003, Theor. Comput. Sci..

[119]  Andrew K. Wright Practical soft typing , 1994, Rice COMP TR.

[120]  Stephanie Motre Formal Model and Implementation of the Java Card Dynamic Security Policy , 1999 .

[121]  Philip Wadler,et al.  Featherweight Java: a minimal core calculus for Java and GJ , 1999, OOPSLA '99.

[122]  Scott F. Smith,et al.  Static enforcement of security with types , 2000, ICFP '00.

[123]  George C. Necula,et al.  A certifying compiler for Java , 2000, PLDI '00.

[124]  Etienne Gagnon,et al.  Intra-procedural inference of static types , 1999 .

[125]  Bart Jacobs,et al.  A case study in class library verification: Java’s vector class , 1999, International Journal on Software Tools for Technology Transfer.

[126]  Egon Börger,et al.  Initialization problems for Java , 2000, Softw. Concepts Tools.

[127]  Cornelia Pusch,et al.  Proving the Soundness of a Java Bytecode Verifier Specification in Isabelle/HOL , 1999, TACAS.

[128]  Matthias Felleisen,et al.  Abstract models of memory management , 1995, FPCA '95.

[129]  Mitchell Wand,et al.  VLISP: A verified implementation of Scheme , 1995, LISP Symb. Comput..

[130]  Joachim Posegga,et al.  System Description: card TAP: The First Theorem Prover on a Smart Card , 1998, CADE.

[131]  Natarajan Shankar,et al.  Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS , 1995, IEEE Trans. Software Eng..

[132]  Robert Cartwright,et al.  Compatible genericity with run-time types for the Java programming language , 1998, OOPSLA '98.

[133]  Bart Jacobs,et al.  Formal Specification and Verification of JavaCard's Application Identifier Class , 2000, Java Card Workshop.

[134]  Mark P. Jones The Functions of Java Bytecode , 1998 .

[135]  Susan Eisenbach,et al.  Formal underpinnings of Java , 1998, OOPSLA Addendum.

[136]  Sabine Glesner,et al.  Using many-sorted natural semantics to specify and generate semantic analysis , 1998, Systems Implementation 2000.

[137]  J. S. Moore,et al.  ACL2: an industrial strength version of Nqthm , 1996, Proceedings of 11th Annual Conference on Computer Assurance. COMPASS '96.

[138]  Robert O'Callahan,et al.  A simple, comprehensive type system for Java bytecode subroutines , 1999, POPL 1999.

[139]  Arnd Poetzsch-Heffter,et al.  A Programming Logic for Sequential Java , 1999, ESOP.

[140]  Peter Bertelsen,et al.  Dynamic semantics of Java bytecode , 2000, Future Gener. Comput. Syst..

[141]  Daniel Le Métayer,et al.  Security and dynamic class loading in Java: a formalisation , 1998, Proceedings of the 1998 International Conference on Computer Languages (Cat. No.98CB36225).

[142]  Tobias Nipkow,et al.  Verified lightweight bytecode verification , 2001, Concurr. Comput. Pract. Exp..

[143]  Egon Börger,et al.  Java and the Java Virtual Machine: Definition, Verification, Validation , 2001 .

[144]  Drew Dean,et al.  The security of static typing with dynamic linking , 1997, CCS '97.

[145]  Philip J. Hatcher,et al.  Compiling Multithreaded Java Bytecode for Distributed Execution (Distinguished Paper) , 2000, Euro-Par.

[146]  Stephen N. Freund,et al.  Type-based race detection for Java , 2000, PLDI '00.

[147]  Atsushi Igarashi,et al.  On Inner Classes , 2002, Inf. Comput..

[148]  Bart Jacobs,et al.  A Logic for the Java Modeling Language JML , 2001, FASE.

[149]  Pieter H. Hartel,et al.  The Operational Semantics of a Java Secure Processor , 1999, Formal Syntax and Semantics of Java.

[150]  James Gosling The Java Language Specification - Second Edition , 2000 .

[151]  Pieter H. Hartel,et al.  LETOS – a lightweight execution tool for operational semantics , 1999, Softw. Pract. Exp..

[152]  Marcus Oestreicher,et al.  The Advanced Computing Systems Association Object Lifetimes in Java Card , 2022 .

[153]  Didier Rémy,et al.  Type checking records and variants in a natural extension of ML , 1989, POPL '89.

[154]  Manuel Serrano Control flow analysis: a functional languages compilation paradigm , 1995, SAC '95.

[155]  Prof. Dr. Robert F. Stärk,et al.  Java and the Java Virtual Machine , 2001, Springer Berlin Heidelberg.

[156]  Stephen N. Freund,et al.  A formal framework for the Java bytecode language and verifier , 1999, OOPSLA '99.

[157]  Masami Hagiya,et al.  Careful Analysis of Type Spoofing , 1999, Java-Informations-Tage.

[158]  Gardiner S. Stiles Safe and Verifiable Design of Multithreaded Java Programs with CSP and FDR , 1998 .

[159]  Jong-Deok Choi,et al.  A framework for interprocedural optimization in the presence of dynamic class loading , 2000, PLDI '00.

[160]  Urs Hölzle,et al.  Removing unnecessary synchronization in Java , 1999, OOPSLA '99.

[161]  Zhenyu Qian,et al.  Toward a provably-correct implementation of the JVM bytecode verifier , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[162]  Richard Jüllig,et al.  Specware: Formal Support for Composing Software , 1995, MPC.

[163]  Andrew C. Myers,et al.  Parameterized types for Java , 1997, POPL '97.

[164]  K. Rustan M. Leino,et al.  Checking Java Programs via Guarded Commands , 1999, ECOOP Workshops.

[165]  Gary McGraw,et al.  Securing Java: getting down to business with mobile code , 1999 .

[166]  Joachim Posegga,et al.  Java Bytecode Verification by Model Checking , 1999, CAV.

[167]  Robert D. Cameron,et al.  Proof linking: an architecture for modular verification of dynamically-linked mobile code , 1998, SIGSOFT '98/FSE-6.

[168]  David von Oheimb,et al.  Mujava: embedding a programming language in a theorem prover , 1999 .

[169]  Jean-Louis Lanet,et al.  Formal Proof of Smart Card Applets Correctness , 1998, CARDIS.

[170]  Egon Börger,et al.  Defining the Java Virtual Machine as Platform for Provably Correct Java Compilation , 1998, MFCS.

[171]  Martin C. Rinard,et al.  Compositional pointer and escape analysis for Java programs , 1999, OOPSLA '99.

[172]  George C. Necula,et al.  The design and implementation of a certifying compiler , 1998, PLDI.

[173]  Wolfram Schulte,et al.  Modular design for the Java virtual machine architecture , 2000 .

[174]  Peter H. Welch Java threads in the light of occam/CSP , 1997 .

[175]  Eva Coscia,et al.  A Proposal for a Semantics of a Subset of Multi-Threaded "Good" Java Programs , 1998 .

[176]  Marcus Oestreicher Transactions in Java Card , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[177]  Allen Goldberg,et al.  A specification of Java loading and bytecode verification , 1998, CCS '98.

[178]  Sérgio Vale Aguiar Campos,et al.  Symbolic Model Checking , 1993, CAV.

[179]  Steven J. Greenwald,et al.  Towards Formalizing the Java Security Architecture of JDK 1.2 , 1998, ESORICS.

[180]  Li Gong Secure Java Class Loading , 1998, IEEE Internet Comput..

[181]  Zhenyu Qian,et al.  A formal specification of Java class loading , 2000, OOPSLA '00.

[182]  Jan Vitek,et al.  Secure Internet Programming: Security Issues for Mobile and Distributed Objects , 1999 .

[183]  Dexter Kozen Efficient Code Certification , 1998 .

[184]  Phillip M. Yelland,et al.  A compositional account of the Java virtual machine , 1999, POPL '99.

[185]  Frank S. de Boer,et al.  Proof-Outlines for Threads in Java , 2000, CONCUR.

[186]  Ksheerabdhi Krishna,et al.  Secure object sharing in java card , 1999 .

[187]  Alexandru Nicolau,et al.  Annotating the Java Bytecodes in Support of Optimization , 1997, Concurr. Pract. Exp..

[188]  Barry Hayes Finalization in the Collector Interface , 1992, IWMM.

[189]  Masami Hagiya,et al.  Formalization and Analysis of Class Loading in Java , 2002, High. Order Symb. Comput..

[190]  Xiaowei Shen,et al.  Improving the Java memory model using CRF , 2000, OOPSLA '00.

[191]  Sophia Drossopoulou,et al.  Java Exceptions Throw No Surprises , 2000 .

[192]  Tommy Thorn,et al.  Programming languages for mobile code , 1997 .

[193]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .