Java and the Java Virtual Machine - Definition, Verification, Validation
2001
Cited by 91 (12 self)
Abstract: State Machines, which one may view as code written in an abstract programming language, can be applied to other virtual machines and to other programming languages as well. The target readers are practitioners---programmers, implementors, standardizers, lecturers, students---who need for their work a complete, correct, and at the same time transparent definition, and an executable model of the language and of the virtual machine underlying its intended implementation. As a consequence, in our models for the language and the machine, we first of all try to directly and faithfully reflect, in a complete way, as far as possible without becoming inconsistent, and in an unambiguous yet for the human reader graspable way, the intuitions and design decisions which are expressed in the reference manuals [18, 23] and underlie the current implementations of the language and the machine. We clarify various ambiguities and inconsistencies we discovered in the manuals and in the implementations, concerning fundamental notions like legal Java program, legal bytecode, verifiable bytecode, etc. Our analysis of the JVM bytecode verifier, which we relate to the static analysis of the Java parser (rules of definite assignment and reachability analysis), goes beyond the work of Stata and Abadi [34], Qian [27, 28], Freund and Mitchell [16], and O'Callahan [26]. In this introduction, we give an overview of the general goals of the book, its contents, the structuring techniques we use for decomposing Java and the JVM, and the literature we used. For additional information on the book and updates made after its publication, see the Home Page of Jbook at http://www.inf.ethz.ch/~jbook. 1.1 The goals of the book. Our main goal is not to write an introduction to progr...
Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control
2006
Cited by 43 (5 self)
Abstract: When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.
Flexible Models for Dynamic Linking
In Pierpaolo Degano, editor, Proceedings of the 12th European Symposium on Programming (ESOP 2003), volume 2618 of LNCS, 2003
Cited by 28 (9 self)
Abstract: Dynamic linking supports flexible code deployment: partially linked code links further code on the fly, as needed; and thus, end-users receive updates automatically. On the down side, each program run may link different versions of the same code, possibly causing subtle errors which mystify end-users.
A Type System for the Java Bytecode Language and Verifier
2003
Cited by 18 (0 self)
Abstract: The Java Virtual Machine executes bytecode programs that may have been sent from other, possibly untrusted, locations on the network. Since the transmitted code may be written by a malicious party or corrupted during network transmission, the Java Virtual Machine contains a bytecode verifier to check the code for type errors before it is run. As illustrated by reported attacks on Java run-time systems, the verifier is essential for system security. However, no formal specification of the bytecode verifier exists in the Java Virtual Machine Specification published by Sun. In this paper, we develop such a specification in the form of a type system for a subset of the bytecode language. The subset includes classes, interfaces, constructors, methods, exceptions, and bytecode subroutines. We also present a type checking algorithm and prototype bytecode verifier implementation, and we conclude by discussing other applications of this work. For example, we show how to extend our formal system to check other program properties, such as the correct use of object locks.
Flexible Dynamic Linking
In 6th Intl. Workshop on Formal Techniques for Java Programs, 2004
Cited by 16 (8 self)
Abstract: Dynamic linking, as in Java and C#, allows users to execute the most recent versions of software without re-compilation or re-linking. Dynamic linking is guided by type names stored in the bytecode.
Pluggable Verification Modules: An Extensible Protection Mechanism for the JVM
In Proceedings of the 19th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA'04), 2003
Improving the Official Specification of Java Bytecode Verification
2001
Cited by 8 (2 self)
Abstract: Bytecode verification is the main mechanism to enforce type safety in the Java Virtual Machine. Since Java security is based on type safety, inadequacies and ambiguities in the official specification of bytecode verification can lead to incorrect implementations where security can be broken. This paper analyzes the specification and proposes concrete improvements. The goal of this work is to increase the understanding, assurance, and usability of the Java platform.
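The two abstracts above ("A Type System for the Java Bytecode Language and Verifier" and "Improving the Official Specification of Java Bytecode Verification") both rest on the same mechanism: the verifier runs a method over types rather than values before any of it executes, and rejects it if some path would put a reference where an int is expected, or leaves a local with a different type on two paths into the same instruction. The following is an added example, written for this listing and not code from either paper or from any JVM: a toy verifier over a handful of JVM-style mnemonics. The tuple encoding, the two-element type lattice (`int`, `ref`, plus `top` for a conflicting local) and the sample methods are this example's own constructions; a real verifier additionally tracks class names, uninitialised objects, subroutines and exception handlers.

```python
"""Toy JVM-style bytecode verifier (added example, not code from the papers above).

Abstract-interprets a method over types instead of values, merging states at
control-flow joins as a real verifier does.  Mnemonics are borrowed from the
JVM; the encoding and the type lattice are this example's own simplification.
"""
from collections import deque

INT, REF, TOP = "int", "ref", "top"   # TOP: local with conflicting types, unusable


class VerifyError(Exception):
    """The method is rejected; in a JVM it would never be linked or run."""


def _merge_type(a, b):
    return a if a == b else TOP


def _merge(known, incoming):
    """Join two abstract states at a control-flow target."""
    stack_a, locals_a = known
    stack_b, locals_b = incoming
    if len(stack_a) != len(stack_b):
        raise VerifyError("inconsistent stack height at join")
    stack = tuple(_merge_type(x, y) for x, y in zip(stack_a, stack_b))
    if TOP in stack:                      # operand stack types must agree exactly
        raise VerifyError("inconsistent stack types at join")
    return stack, tuple(_merge_type(x, y) for x, y in zip(locals_a, locals_b))


def _pop(stack, want, op):
    found = stack[-1] if stack else "empty"
    if found != want:
        raise VerifyError(f"{op}: expected {want} on stack, found {found}")
    return stack[:-1]


def _step(pc, instr, stack, locals_):
    """Abstractly execute one instruction; return its successor (pc, stack, locals)."""
    op = instr[0]
    if op == "iconst":
        return [(pc + 1, stack + (INT,), locals_)]
    if op == "aconst_null":
        return [(pc + 1, stack + (REF,), locals_)]
    if op in ("iload", "aload"):
        want = INT if op == "iload" else REF
        if locals_[instr[1]] != want:
            raise VerifyError(f"{op} {instr[1]}: local holds {locals_[instr[1]]}, not {want}")
        return [(pc + 1, stack + (want,), locals_)]
    if op in ("istore", "astore"):
        want = INT if op == "istore" else REF
        new_locals = list(locals_)
        new_locals[instr[1]] = want
        return [(pc + 1, _pop(stack, want, op), tuple(new_locals))]
    if op == "iadd":
        return [(pc + 1, _pop(_pop(stack, INT, op), INT, op) + (INT,), locals_)]
    if op == "ifeq":                      # pops an int; fall-through and branch target
        rest = _pop(stack, INT, op)
        return [(pc + 1, rest, locals_), (instr[1], rest, locals_)]
    if op == "goto":
        return [(instr[1], stack, locals_)]
    if op == "ireturn":
        _pop(stack, INT, op)
        return []
    raise VerifyError(f"unknown opcode {op!r}")


def verify(code, max_locals, arg_types=()):
    """Worklist dataflow: every path into every pc must type-check. Returns the fixpoint."""
    locals0 = tuple(arg_types) + (TOP,) * (max_locals - len(arg_types))
    states = {0: ((), locals0)}
    work = deque([0])
    while work:
        pc = work.popleft()
        if pc >= len(code):
            raise VerifyError("control falls off the end of the method")
        for nxt, s, l in _step(pc, code[pc], *states[pc]):
            if nxt not in states:
                states[nxt] = (s, l)
                work.append(nxt)
            else:
                merged = _merge(states[nxt], (s, l))
                if merged != states[nxt]:     # only moves locals towards TOP, so it terminates
                    states[nxt] = merged
                    work.append(nxt)
    return states


def verifies(code, max_locals, arg_types=()):
    """True if the method is accepted, otherwise the rejection reason."""
    try:
        verify(code, max_locals, arg_types)
        return True
    except VerifyError as e:
        return str(e)


# Constructed sample methods (hand-written tuples, not real class files).
# int f(int a) { int s = 0; if (a != 0) s = a + 1; return s; }
GOOD = [("iconst", 0), ("istore", 1), ("iload", 0), ("ifeq", 8),
        ("iload", 0), ("iconst", 1), ("iadd",), ("istore", 1),
        ("iload", 1), ("ireturn",)]
# Adds a reference to an int: the type confusion a verifier exists to stop.
BAD_CONFUSE = [("aconst_null",), ("iconst", 1), ("iadd",), ("ireturn",)]
# Local 1 is an int on one path and a reference on the other, then read as an int.
BAD_JOIN = [("iload", 0), ("ifeq", 5), ("iconst", 5), ("istore", 1), ("goto", 7),
            ("aconst_null",), ("astore", 1), ("iload", 1), ("ireturn",)]
# Two paths reach pc 4 with different operand-stack heights.
BAD_STACK = [("iload", 0), ("ifeq", 4), ("iconst", 1), ("goto", 4),
             ("iconst", 2), ("ireturn",)]
```

Calling `verifies(GOOD, 2, (INT,))` returns `True`, while the three bad methods return the reason they were rejected ("iadd: expected int on stack, found ref", "iload 1: local holds top, not int", "inconsistent stack height at join"). The point the second abstract makes is visible in `_merge`: whether a mismatched operand stack at a join is an error, or a conflicting local is merely unusable, is exactly the kind of decision an informal specification can leave ambiguous, and an implementation that chose the permissive reading for the stack would accept `BAD_STACK`-style code.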
Formal Analysis of a Distributed Object-Oriented Language and Runtime
2004
Cited by 5 (5 self)
Abstract: Distributed language features form an important part of modern object-oriented programming. In spite of their prominence in today's computing environments, the formal semantics of distributed primitives for object-oriented languages have not been well-understood, in contrast to their sequential part. This makes it difficult to perform rigorous analysis of their behaviour and develop formally founded safety methodologies. As a first step to rectify this situation, we present an operational semantics and typing system for a Java-like core language with primitives for distribution. The language captures the crucial but often hidden concerns involved in distributed objects, including object serialisation, dynamic class downloading and remote method invocation. We propose several invariant properties that describe important correctness conditions for distributed runtime behaviour. These invariants also play a fundamental role in establishing type safety, and help bound the design space for extensions to the language. The semantics of the language are constructed modularly, allowing straightforward extension, and this is exploited by adding primitives for direct code distribution to the language: thunk passing. Typing rules for the new primitives are developed using the invariants as an analysis tool, with type soundness ensuring that their inclusion does not violate safety guarantees.
A Model of Dynamic Binding in .NET
2005
Cited by 4 (1 self)
Abstract: Millions of programmers use ECMA CLI-compliant languages like VB.NET and C#. The resulting bytecode can be executed on several CLI implementations, such as those from Microsoft and the open-source Mono organisation. While assemblies are the standard unit of deployment, no standard exists for the process of finding and loading assemblies at run-time.
A case-study in encoding configuration languages: Multiple class loaders
Journ. of Object Technology, 2004
Cited by 3 (2 self)
Abstract: The contribution of the paper is twofold. First, we define a toy language, called MCL, which provides a very abstract view of the mechanism of dynamic class loading with multiple loaders as in Java. The aim is to study this feature in isolation, allowing a better understanding; moreover, this also shows a stratified approach which, unlike the Java approach based on reflection, distinguishes between the language at the user level and the configuration language. This approach is less flexible but allows type safety to be checked statically, hence provides an intermediate solution between the rigid approach based only on the class path and that which allows loaders to depend on execution of user applications, which can be intricate and error-prone. The second contribution is related to a recent stream of work aiming at defining simple and powerful calculi providing a common foundation for systems supporting dynamic reconfiguration. We use MCL as an extended case-study, by defining an encoding in one of these kernel calculi, and prove the correctness of the translation.

