## Bytecode Verification by Model Checking (2003)

### Download Links

- [wailoa.informatik.uni-freiburg.de]
- [www.inf.ethz.ch]
- DBLP

Venue: JOURNAL OF AUTOMATED REASONING. SPECIAL

Citations: 8 (0 self)

### BibTeX

```bibtex
@ARTICLE{Basin03bytecodeverification,
  author  = {David Basin and Stefan Friedrich and Marek Gawkowski},
  title   = {Bytecode Verification by Model Checking},
  journal = {JOURNAL OF AUTOMATED REASONING. SPECIAL},
  year    = {2003}
}
```

### Abstract

Java bytecode verification is traditionally performed using dataflow analysis. We investigate an alternative based on reducing bytecode verification to model checking. First, we analyze the complexity and scalability of this approach. We show experimentally that, despite an exponential worst-case time complexity, model checking type-correct bytecode using an explicit-state on-the-fly model checker is feasible in practice, and we give a theoretical account of why this is the case. Second, we formalize our approach using Isabelle/HOL and prove its correctness. In doing so we build on the formalization of the Java Virtual Machine and the dataflow analysis framework of Pusch and Nipkow and extend it to a more general framework for reasoning about model-checking-based analysis. Overall, our work constitutes the first comprehensive investigation of the theory and practice of bytecode verification by model checking.

### Citations

- 718 citations: Isabelle/HOL — A Proof Assistant for Higher-Order Logic. Nipkow, Paulson, et al., 2002.
  Citation context: "...orrect the model-checking approach to bytecode verification. Our theory is constructed using the Isabelle/HOL system, which is a formalization of higher-order logic within the Isabelle theorem prover [19, 20]. To accomplish this task, we build upon the Isabelle/HOL formalizations of the JVM [22, 23] and the abstract verification framework that Nipkow developed for verifying dataflow algorithms for bytecod..."

- 705 citations: Symbolic model checking without BDDs. Biere, Cimatti, et al., 1999.
  Citation context: "...oduct of the transition system modeling the method and the transition system representing the properties. This approach has proved adequate for finding type flaws in our tests. Bounded model checking [5] is an interesting possible alternative, as normally the paths to errors are small. 4. Formalizing correctness In the second half of this paper, we present a formal explanation of the correctness of o..."

- 500 citations: Symbolic Model Checking: An Approach to the State Explosion Problem. McMillan, 1993.
  Citation context: "...ication of safety properties that formalize conditions sufficient for the bytecode’s type safety. These descriptions are translated by code generators into the input language of the SPIN [10] and SMV [16] model checkers. Using our system, we carry out experiments that show that despite an exponential worst-case time complexity, model checking type-correct bytecode is feasible in practice when carried ..."

- 364 citations: The SPIN model checker. Holzmann, 1997.
  Citation context: "...ally a specification of safety properties that formalize conditions sufficient for the bytecode’s type safety. These descriptions are translated by code generators into the input language of the SPIN [10] and SMV [16] model checkers. Using our system, we carry out experiments that show that despite an exponential worst-case time complexity, model checking type-correct bytecode is feasible in practice ..."

- 176 citations: A type system for Java bytecode subroutines. Stata, Abadi, 1999.
  Citation context: "...and an excellent overview of the area is provided in [14]. Most of this work is theoretically oriented and is concerned with formalizing models of the JVM [7, 8, 24] and defining related type systems [6, 9, 25, 30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient conditions for bytecode verifiers to be correct [4,..."

- 104 citations: A type system for object initialization in the Java bytecode language. Freund, Mitchell, 1999.
  Citation context: "...and an excellent overview of the area is provided in [14]. Most of this work is theoretically oriented and is concerned with formalizing models of the JVM [7, 8, 24] and defining related type systems [6, 9, 25, 30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient conditions for bytecode verifiers to be correct [4,..."

- 85 citations: Data-flow analysis is model checking of abstract interpretations. Schmidt, 1998.
  Citation context: "...ular, what differences are required in their formalization. In addition, our correctness results have some generality. Since we formalize model checking declaratively, not algorithmically, as done in [27], our Isabelle/HOL formalization makes a general statement about the correctness of the model-checking approach. This statement is independent of the implemented model-checking algorithm and can be ap..."

- 62 citations: Verified bytecode verifiers. Klein, Nipkow, 2003.
  Citation context: "... this task, we build upon the Isabelle/HOL formalizations of the JVM [22, 23] and the abstract verification framework that Nipkow developed for verifying dataflow algorithms for bytecode verification [17]. This framework formalizes the notion of a well-typing for bytecode programs and proves that a bytecode verifier is correct (i.e., accepts only programs free of runt..."

- 60 citations: Program analysis as model checking of abstract interpretations. Schmidt, Steffen.
  Citation context: "... Namely, different kinds of program analysis can be performed by fixpoint computations and these computations can either be carried out by specialized algorithms or by general purpose model checkers [27, 28]. Moreover, both static analysis and model checking generally reason about abstractions of programs, e.g., abstracting the operational model by identifying data. While static analysis techniques have ..."

- 52 citations: A formal specification of Java Virtual Machine instructions. Qian, 1999.
  Citation context: "...ave been proposed for type checking bytecode and an excellent overview of the area is provided in [14]. Most of this work is theoretically oriented and is concerned with formalizing models of the JVM [7, 8, 24] and defining related type systems [6, 9, 25, 30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient co..."

- 48 citations: Low level security in Java. Yellin, 1995.
  Citation context: "...download and locally execute programs. To combat the security risks associated with mobile code, Sun has developed a security model for Java in which a central role is played by bytecode verification [15, 31], which ensures that no malicious programs are executed by a Java Virtual Machine (JVM). Bytecode verification takes place when loading a Java class file and the process verifies that the loaded bytec..."

- 46 citations: Java byte-code verification: an overview. Leroy, 2013.
  Citation context: "... type safety and IT security. A number of different approaches have been proposed for type checking bytecode and an excellent overview of the area is provided in [14]. Most of this work is theoretically oriented and is concerned with formalizing models of the JVM [7, 8, 24] and defining related type systems [6, 9, 25, 30]. Most relevant to our work is the research..."

- 41 citations: A Formal Framework for the Java Bytecode Language and Verifier. Freund, Mitchell, 1999.
  Citation context: "...ave been proposed for type checking bytecode and an excellent overview of the area is provided in [14]. Most of this work is theoretically oriented and is concerned with formalizing models of the JVM [7, 8, 24] and defining related type systems [6, 9, 25, 30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient co..."

- 41 citations: An Analysis of ML-Typability. Kfoury, P. Urzyczyn, et al., 1990.
  Citation context: "...explicit-state, on-the-fly model checker like SPIN. The situation here is similar to type checking in functional programming languages like ML, where the typability problem for terms is DEXPTIME hard [11], yet the worst-case complexity is not a problem in practice. In addition, we investigate this theoretically and explain the practical advantages of the model-checking approach. The second development i..."

- 39 citations: µJava: Embedding a programming language in a theorem prover. Nipkow, Oheimb, et al., 2000.

- 37 citations: Proving the soundness of a Java bytecode verifier specification in Isabelle/HOL. Pusch, 1999.
  Citation context: "... the Isabelle/HOL system, which is a formalization of higher-order logic within the Isabelle theorem prover [19, 20]. To accomplish this task, we build upon the Isabelle/HOL formalizations of the JVM [22, 23] and the abstract verification framework that Nipkow developed for verifying dataflow algorithms for bytecode verification [17]. This framework formalizes the notion of a well-typing ..."

- 27 citations: Standard fixpoint iteration for Java bytecode verification. Qian, 2000.
  Citation context: "...and an excellent overview of the area is provided in [14]. Most of this work is theoretically oriented and is concerned with formalizing models of the JVM [7, 8, 24] and defining related type systems [6, 9, 25, 30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient conditions for bytecode verifiers to be correct [4,..."

- 22 citations: The defensive Java virtual machine specification. Cohen, 1997.
  Citation context: "...ave been proposed for type checking bytecode and an excellent overview of the area is provided in [14]. Most of this work is theoretically oriented and is concerned with formalizing models of the JVM [7, 8, 24] and defining related type systems [6, 9, 25, 30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient co..."

- 21 citations: Isabelle - A Generic Theorem Prover (with a contribution by T. ...). Paulson, 1994.
  Citation context: "...orrect the model-checking approach to bytecode verification. Our theory is constructed using the Isabelle/HOL system, which is a formalization of higher-order logic within the Isabelle theorem prover [19, 20]. To accomplish this task, we build upon the Isabelle/HOL formalizations of the JVM [22, 23] and the abstract verification framework that Nipkow developed for verifying dataflow algorithms for bytecod..."

- 19 citations: Towards Effective Model Checking. Ruys, 2001.
  Citation context: "...nsition system and it checks that the assertion, which states the correctness property, holds at each state. This approach is a simple and efficient way to formalize an invariance property in Promela [26] and has the practical advantage that temporal formulae need not be translated separately to automata. Figure 5 shows the correctness properties for our sample bytecode. For example, for the recursive..."

- 18 citations: Simple Verification Technique for Complex Java Bytecode Subroutines. Coglio, 2002.

- 18 citations: Formalizing the Java Virtual Machine in Isabelle/HOL. Pusch, 1998.
  Citation context: "... the Isabelle/HOL system, which is a formalization of higher-order logic within the Isabelle theorem prover [19, 20]. To accomplish this task, we build upon the Isabelle/HOL formalizations of the JVM [22, 23] and the abstract verification framework that Nipkow developed for verifying dataflow algorithms for bytecode verification [17]. This framework formalizes the notion of a well-typing ..."

- 15 citations: Byte code verification for Java smart cards based on model checking. Posegga, Vogt.
  Citation context: "...ead of by the runtime environment. One of our original motivations for this work was to investigate whether model checking could be used as an alternative in this domain, along the lines suggested in [21]. We can now answer this question positively. Third, our correctness results also help to clarify the general relationship between bytecode verification by dataflow analysis and bytecode verification ..."

- 14 citations: Verified Bytecode Subroutines. Klein, Wildmoser, 2003.
  Citation context: "...30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient conditions for bytecode verifiers to be correct [4, 7, 12, 13, 17, 18, 22, 23]. As we will explain in detail in Section 5, our formal theory builds upon the work and theories of Pusch [23], Nipkow [17], and Klein [12, 13] who formalized a model of the JVM in Isabelle/HOL as wel..."

- 9 citations: A Coq formalization of a type checker for object initialization in the Java virtual machine. Bertot, 2000.
  Citation context: "...30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient conditions for bytecode verifiers to be correct [4, 7, 12, 13, 17, 18, 22, 23]. As we will explain in detail in Section 5, our formal theory builds upon the work and theories of Pusch [23], Nipkow [17], and Klein [12, 13] who formalized a model of the JVM in Isabelle/HOL as wel..."

- 8 citations: Bytecode model checking: An experimental analysis. Basin, Friedrich, et al.
  Citation context: "...ier [3] for model checking bytecode programs based on a subset of the JVM. The system reported on here represents a further development of these ideas (superseding the preliminary work reported on in [1, 2]) and our experiments are the first large-scale effort to apply model checking to bytecode verification and to study its practical significance. The Java language and the JVM have both been the focus ..."

- 6 citations: Verified bytecode model checkers. Basin, Friedrich, et al., 2002.
  Citation context: "...ier [3] for model checking bytecode programs based on a subset of the JVM. The system reported on here represents a further development of these ideas (superseding the preliminary work reported on in [1, 2]) and our experiments are the first large-scale effort to apply model checking to bytecode verification and to study its practical significance. The Java language and the JVM have both been the focus ..."

- 4 citations: Java Byte Code Verification by Model Checking. Basin, Friedrich, et al., 1999.
  Citation context: "... in principle, this approach could work for a subset of the JVM. This was the starting point for the development of our system and together with Posegga and Vogt we built our first prototype verifier [3] for model checking bytecode programs based on a subset of the JVM. The system reported on here represents a further development of these ideas (superseding the preliminary work reported on in [1, 2])..."

- 3 citations: Java bytecode verification is not possible. Stärk, Schmid, 2001.
  Citation context: "...e verifier and the Java Virtual Machine either ambiguous or underspecified. Bytecode verification by model checking is also more complete than the conventional approach. As Stärk and Schmid point out [29], there are Java programs whose compiled bytecode is type-correct that are not accepted by Sun’s bytecode verifier. The classes of programs that they define (based on calling subroutines in different ..."

- 1 citation: Verified Bytecode Verifiers. Klein, Nipkow, 2002.
  Citation context: "...30]. Most relevant to our work is the research on formally proving the soundness of various approaches to bytecode verification or verifying sufficient conditions for bytecode verifiers to be correct [4, 7, 12, 13, 17, 18, 22, 23]. As we will explain in detail in Section 5, our formal theory builds upon the work and theories of Pusch [23], Nipkow [17], and Klein [12, 13] who formalized a model of the JVM in Isabelle/HOL as wel..."

- 1 citation: The Java Virtual Machine Specification, No. 1102 in The Java Series. Lindholm, Yellin, 1997.
  Citation context: "...download and locally execute programs. To combat the security risks associated with mobile code, Sun has developed a security model for Java in which a central role is played by bytecode verification [15, 31], which ensures that no malicious programs are executed by a Java Virtual Machine (JVM). Bytecode verification takes place when loading a Java class file and the process verifies that the loaded bytec..."