Formalising Java Safety - An overview

We review the existing literature on Java safety, emphasizing formal approaches, and the impact of Java safety on small-footprint devices such as smart cards. The conclusion is that while a lot of good work has been done, a more concerted effort is needed to build a coherent set of machine-readable formal models of the whole of Java and its implementation. This is a formidable task, but we believe it is essential to building trust in Java safety, and thence to achieving ITSEC level 6 or Common Criteria level 7 certification for Java programs. We have tried to avoid technical detail and to focus on the bigger issues. The interested reader may wish to consult some of the many papers we refer to in order to fill in the details.
