On-card Bytecode Verification for Java Card by Leroy, Xavier
HAL Id: hal-01499956
https://hal.inria.fr/hal-01499956
Submitted on 1 Apr 2017
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
On-card Bytecode Verification for Java Card
Xavier Leroy
To cite this version:
Xavier Leroy. On-card Bytecode Verification for Java Card. Smart card programming and security,
proceedings E-Smart 2001, Sep 2001, Cannes, France. pp.150-164, ￿10.1007/3-540-45418-7_13￿. ￿hal-
01499956￿
On-ard Byteode Veriation for Java Card
Xavier Leroy
Trusted Logi
?
5, rue du Bailliage, 78000 Versailles, Frane
Xavier.Leroytrusted-logi.fr
Abstrat. This paper presents a novel approah to the problem of byte-
ode veriation for Java Card applets. Owing to its low memory require-
ments, our veriation algorithm is the rst that an be embedded on
a smart ard, thus inreasing tremendously the seurity of post-issuane
downloading of applets on Java Cards.
1 Introdution
The Java Card arhiteture for smart ards [4℄ bring two major innovations
to the smart ard world: rst, Java ards an run multiple appliations, whih
an ommuniate through shared objets; seond, new appliations, alled ap-
plets, an be downloaded on the ard post issuane. These two features bring
onsiderable exibility to the ard, but also raise major seurity issues. A mali-
ious applet, one downloaded on the ard, an mount a variety of attaks, suh
as leaking ondential information outside (e.g. PINs and seret ryptographi
keys), modifying sensitive information (e.g. the balane of an eletroni purse),
or interfering with other honest appliations already on the ard, ausing them
to malfuntion.
The seurity issues raised by applet downloading are well known in the area
of Web applets, and more generally mobile ode for distributed systems [23, 11℄.
The solution put forward by the Java programming environment is to exeute
the applets in a so-alled \sandbox", whih is an insulation layer preventing
diret aess to the hardware resoures and implementing a suitable aess on-
trol poliy [7℄. The seurity of the sandbox model relies on the following three
omponents:
1. Applets are not ompiled down to mahine exeutable ode, but rather to
byteode for a virtual mahine. The virtual mahine manipulates higher-
level, more seure abstrations of data than the hardware proessor, suh as
objet referenes instead of memory addresses.
2. Applets are not given diret aess to hardware resoures suh as the se-
rial port, but only to a arefully designed set of API lasses and methods
that perform suitable aess ontrol before performing interations with the
outside world on behalf of the applet.
?
This work was performed when the author was full-time at Trusted Logi. He is
urrently aÆliated with INRIA Roquenourt (domaine de Volueau, B.P. 105, 78153
Le Chesnay, Frane) and part-time onsultant for Trusted Logi.
3. Upon downloading, the byteode of the applet is subjet to a stati analysis
alled byteode veriation, whose purpose is to make sure that the ode
of the applet is well typed and does not attempt to bypass protetions 1
and 2 above by performing ill-typed operations at run-time, suh as forging
objet referenes from integers, illegal asting of an objet referene from
one lass to another, alling diretly private methods of the API, jumping
in the middle of an API method, or jumping to data as if it were ode [8,
24, 10℄.
The Java Card arhiteture features omponents 1 and 2 of the sandbox model:
applets are exeuted by the Java Card virtual mahine [22℄, and the Java Card
runtime environment [21℄ provides the required aess ontrol, in partiular
through its \rewall". However, omponent 3 (the byteode verier) is miss-
ing: as we shall see later, byteode veriation as it is done for Web applets is
a omplex and expensive proess, requiring large amounts of working memory,
and therefore believed to be impossible to implement on a smart ard.
Several approahes have been onsidered to palliate the lak of on-ard byte-
ode veriation. The rst is to rely on o-ard tools (suh as trusted ompilers
and onverters, or o-ard byteode veriers) to produe well-typed byteode
for applets. A ryptographi signature then attests the well-typedness of the ap-
plet, and on-ard downloading is restrited to signed applets. The drawbak of
this approah is to extend the trusted omputing base to inlude o-ard om-
ponents. The ryptographi signature also raises deliate pratial issues (how
to deploy the signature keys?) and legal issues (who takes liability for a buggy
applet produed by faulty o-ard tools?).
The seond workaround is to perform type heks dynamially, during the
applet exeution. This is alled the defensive virtual mahine approah. Here,
the virtual mahine not only omputes the results of byteode instrutions, but
also keeps trak of the types of all data it manipulates, and performs additional
safety heks at eah instrution. The drawbaks of this approah is that dy-
nami type heks are expensive, both in terms of exeution speed and memory
requirements (storing the extra typing information takes signiant spae). Ded-
iated hardware an make some of these heks faster, but does not redue the
memory requirements.
Our approah is to hallenge the popular belief that on-ard byteode ver-
iation is unfeasible. In this paper, we desribe a novel byteode veriation
algorithm for Java Card applets that is simple enough and has low enough mem-
ory requirements to be implemented on a smart ard. A distinguishing feature of
this algorithm is to rely on o-ard byteode transformations whose purpose is
to failitate on-ard veriation. Along with auxiliary onsisteny heks on the
CAP le struture, not desribed in this paper for lak of spae, the byteode
verier desribed in this paper is at the heart of the Trusted Logi on-ard CAP
le verier. This produt { the rst and urrently only one of its kind { allows
seure exeution with no run-time speed penalty of non-signed applets on Java
ards.
The remainder of this paper is organized as follows. Setion 2 reviews the
traditional byteode veriation algorithm, and analyzes why it is not suitable
to on-ard implementation. Setion 3 presents our byteode veriation algo-
rithm and how it addresses the issues with the traditional algorithm. Setion
4 desribes the o-ard ode transformations that transform any orret applet
into an equivalent applet that passes on-ard veriation. Setion 5 gives pre-
liminary performane results. Related work is disussed in setion 6, followed by
onluding remarks in setion 7.
2 Traditional Byteode Veriation
In this setion, we review the traditional byteode veriation algorithm devel-
oped at Sun by Gosling and Yellin [8, 24, 10℄.
Byteode veriation is performed on the ode of eah non-abstrat method
in eah lass of the applet. It onsists in an abstrat exeution of the ode of the
method, performed at the level of types instead of values as in normal exeution.
The verier maintains a stak of types and an array assoiating types to registers
(loal variables). These stak and array of registers parallel those found in the
virtual mahine, exept that they ontain types instead of values.
2.1 Straight-Line Code
Assume rst that the ode of the method is straight line (no branhes, no ex-
eption handling). The verier onsiders every instrution of the method ode
in turn. For eah instrution, it heks that the stak before the exeution of the
instrution ontains enough entries, and that these entries are of the expeted
types for the instrution. It then simulates the eet of the instrution on the
stak and registers, popping the arguments, pushing bak the types of the re-
sults, and (in ase of \store" instrutions) updating the types of the registers to
reet that of the stored values. Any type mismath on instrution arguments,
or stak underow or overow, auses veriation to fail and the applet to be
rejeted. Finally, veriation proeeds with the next instrution, until the end
of the method is reahed.
The stak type and register types are initialized to reet the state of the
stak and registers on entrane to the method: the stak is empty; registers
0; : : : ; n  1 holding method parameters and the this argument if any are given
the orresponding types, as given by the desriptor of the method; registers
n; : : : ;m 1 orresponding to uninitialized registers are given the speial type >
orresponding to an undened value.
2.2 Dealing with Branhes
Branh instrutions and exeption handlers introdue forks (exeution an on-
tinue down several paths) and joins (several suh paths join on an instrution)
in the ow of ontrol. To deal with forks, the verier annot in general determine
the path that will be followed at run-time. Hene, it must propagate the inferred
stak and register types to all possible suessors of the forking instrution. Joins
are even harder: an instrution that is the target of one or several branhes or
exeption handlers an be reahed along several paths, and the verier has to
make sure that the types of the stak and the registers along all these paths agree
(same stak height, ompatible types for the stak entries and the registers).
Sun's veriation algorithm deals with these issues in the manner ustom-
ary for data ow analyses. It maintains a data struture, alled a \ditionary",
assoiating a stak and register type to eah program point that is the target
of a branh or exeption handler. When analyzing a branh instrution, or an
instrution overed by an exeption handler, it updates the type assoiated with
the target of the branh in the ditionary, replaing it by the least upper bound
of the type previously found in the ditionary and the type inferred for the
instrution. (The least upper bound of two types is that smallest type that is
assignment-ompatible with the two types.) If this auses the ditionary entry to
hange, the orresponding instrutions and their suessors must be re-analyzed
until a xpoint is reahed, that is, all instrutions have been analyzed at least
one without hanging the ditionary entries. See [10, setion 4.9℄ for a more
detailed desription.
2.3 Performane Analysis
The veriation of straight-line piees of ode is very eÆient, both in time and
spae. Eah instrution is analyzed exatly one, and the analysis is fast (approx-
imately as fast as exeuting the instrution in the virtual mahine). Conerning
spae, only one stak type and one set of register types need to be stored at
any time, and is modied in plae during the analysis. Assuming eah type is
represented by 3 bytes, this leads to memory requirements of 3S + 3N bytes,
where S is the maximal stak size and N the number of registers for the method.
In pratie, 100 bytes of RAM suÆe. Notie that a similar amount of spae is
needed to exeute an invoation of the method; thus, if the ard has enough
RAM spae to exeute the method, it also has enough spae to verify it.
Veriation in the presene of branhes is muh more ostly. Instrutions may
need to be analyzed several times in order to reah the xpoint. Experiene shows
that few instrutions are analyzed more than twie, and many are still analyzed
only one, so this is not too bad. The real issue is the memory spae required to
store the ditionary. If B is the number of distint branh targets and exeption
handlers in the method, the ditionary oupies (3S + 3N + 3)  B bytes (the
three bytes of overhead per ditionary entry orrespond to the PC of the branh
target and the stak height at this point). A moderately omplex method an
have S = 5, N = 15 and B = 50, for instane, leading to a ditionary of size
3450 bytes. This is too large to t omfortably in RAM on urrent generation
Java ards.
Storing the ditionary in persistent rewritable memory (EEPROM or Flash)
is not an option, beause veriation performs many writes to the ditionary
when updating the types it ontains (typially, several hundreds, even thousands
of writes for some methods), and these writes to persistent memory take time (1-
10 ms eah); this would make on-ard veriation too slow. Moreover, problems
may arise due to the limited number of write yles permitted on persistent
memory.
3 Our Veriation Algorithm
3.1 Intuitions
The novel byteode veriation algorithm that we desribe in this paper follows
from a areful analysis of the shortomings of Sun's algorithm, namely that a
opy of the stak type and register type is stored in the ditionary for eah
branh target. Experiene shows that ditionary entries are quite often highly
redundant. In partiular, it is very often the ase that stak types stored in
ditionary entries are empty, and that the type of a given register is the same in
all or most ditionary entries.
These observations are easy to orrelate with the way urrent Java ompilers
work. Conerning the stak, all existing ompilers use the stak only for evalu-
ating expressions, but never store the values of Java loal variables on the stak.
Consequently, the stak is empty at the beginning and the end of every state-
ment. Sine most branhing onstruts in the Java language work at the level of
statements, the branhes generated when ompiling these onstruts naturally
our in the ontext of an empty stak. The only exeption is the onditional ex-
pression e
1
? e
2
: e
3
, whih indeed generates a branh on a non-empty stak.
As regards to registers, Java ompilers very often alloate a distint JCVM reg-
ister for eah loal variable in the Java soure. This register is naturally used
with only one type, that of the delaration of the loal variable.
Of ourse, there is no guarantee that the JCVM ode given to the verier
will enjoy the two properties mentioned above (stak is empty at branh points;
registers have only one type throughout the method), but these two properties
hold often enough that it is justied to optimize the byteode verier for these
two onditions.
One way to proeed from here is to design a data struture for holding the
ditionary that is more ompat when these two onditions hold. For instane,
the \stak is empty" ase ould be represented speially, and dierential enod-
ings ould be used to redue the ditionary size when a register has the same
type in many entries.
We deided to take a more radial approah and require that all JCVM
byteode aepted by the verier is suh that
{ Requirement R1: the stak is empty at all branh instrutions (after pop-
ping the branh arguments, if any), and at all branh target instrutions
(before pushing its results). This guarantees that the stak is onsistent be-
tween the soure and the target of any branh (sine it is empty at both
ends).
{ Requirement R2: eah register has only one type throughout the method
ode. This guarantees that the types of registers are onsistent between
soure and target of eah branh (sine they are onsistent between any
two instrutions, atually).
To avoid rejeting orret JCVM ode that happens not to satisfy these two
requirements, we will rely on a general o-ard ode transformation that trans-
forms orret JCVM ode into equivalent ode meeting these two additional
requirements. The transformation is desribed in setion 4. We rely on the fat
that the violations of requirements R1 and R2 are infrequent to ensure that the
ode transformations are minor and do not ause a signiant inrease in ode
size.
3.2 The Algorithm
Given the two additional requirements R1 and R2, our byteode veriation
algorithm is a simple extension of the algorithm for verifying straight-line ode
outlined in setion 2.1. As previously, the only data struture that we need is
one stak type and one array of types for registers. As previously, the algorithm
proeeds by examining in turn every instrution in the method, in ode order,
and reeting their eets on the stak and register types. The omplete pseudo-
ode for the algorithm is given in Fig. 1. The signiant dierenes with straight-
line ode veriation are as follows.
{ When heking a branh instrution, after popping the types of the argu-
ments from the stak, the verier heks that the stak is empty, and rejets
the ode otherwise. When heking an instrution that is a branh target,
the verier heks that the stak is empty. (If the instrution is a JSR target
or the start of an exeption handler, it heks that the stak onsists of one
entry of type \return address" or the exeption handler's lass, respetively.)
This ensures requirement R1.
{ When heking a \store" instrution, if  is the type of the stored value (the
top of the stak before the \store"), the type of the register stored into is not
replaed by  , but by the least upper bound of  and the previous type of the
register. This way, register types aumulate the types of all values stored
into them, thus progressively determining the unique type of the register as
it should apply to the whole method ode (requirement R2).
{ Sine the types of registers an hange following the type-heking of a
\store" instrution as desribed above, and therefore invalidate the type-
heking of instrutions that load and use the stored value, the type-heking
of all the instrutions in the method body must be repeated until the register
types are stable. This is similar to the xpoint omputation in Sun's verier.
{ The dataow analysis starts, as previously, with an empty stak type and
register types orresponding to method parameters set to the types indiated
in the method desriptor. Loals not orresponding to parameters are set to
? (the subtype of all types) instead of > (the supertype of all types) for
reasons that are explained in setion 3.4 below.
Global variables:
N
r
number of registers
N
s
maximal stak size
r[N
r
℄ array of types for registers
s[N
s
℄ stak type
sp stak pointer
hg ag reording whether r hanged.
Set sp 0
Set r[0℄; : : : ; r[n   1℄ to the types of the method arg.
Set r[n℄; : : : ; r[N
r
  1℄ to ?
Set hg true
While hg:
Set hg false
For eah instrution i of the method, in ode order:
If i is the target of a branh instrution:
If sp 6= 0 and the previous instrution falls through, error
Set sp 0
If i is the target of a JSR instrution:
If the previous instrution falls through, error
Set s[0℄ retaddr and sp 1
If i is a handler for exeptions of lass C:
If the previous instrution falls through, error
Set s[0℄ C and sp 1
If two or more of the ases above apply, error
Determine the types a
1
; : : : ; a
n
of the arguments of i
If sp < n, error (stak underflow)
For k = 1; : : : ; n: If s[sp  n  k   1℄ is not subtype of a
k
, error
Set sp sp  n
Determine the types r
1
; : : : ; r
m
of the results of i
If sp+m > N
s
, error (stak overflow)
For k = 1; : : : ;m: Set s[sp+ k   1℄ r
k
Set sp sp+m
If i is a store to register number n:
Determine the type t of the value written to the register
Set r[n℄ lub(t; r[n℄)
If r[n℄ hanged, set hg true
If i is a branh instrution and sp 6= 0, error
End for eah
End while
Verifiation sueeds
Fig. 1. The veriation algorithm
The orretness of our verier was formally proved using the Coq theorem prover.
More preisely, we developed a mehanially-heked proof that any ode that
passes our verier does not ause any run-time type error when run through a
type-level abstrat interpretation of a defensive JCVM.
3.3 Performane Analysis
Our veriation algorithm has the same low memory requirements as straight-
line ode veriation: 3S + 3N bytes of RAM suÆe to hold the stak and
register types. In pratie, it ts omfortably in 100 bytes of RAM. The memory
requirements are independent of the size of the method ode, and of the number
of branh targets.
Time behavior is similar to that of Sun's algorithm: several passes over the
instrutions of the method may be required; experimentally, most methods need
only two passes (the rst determines the types of the registers and the seond
heks that the xpoint is reahed), and quite a few need only one pass (when all
registers are parameters and they keep their initial type throughout the method).
3.4 Initialization of Registers
Unlike Sun's, our veriation algorithm annot guarantee that registers are ini-
tialized (stored into) before use. The reason is that sine we have only one set of
register types for the whole method, we annot analyze preisely the situation
where a register is initialized on one branh of a onditional and not on the other
branh.
The JVM and JCVM speiations do not require the virtual mahine to
initialize non-parameter registers on entry to a method. Hene, a method that
reads (using the ALOAD instrution) from suh a register before having stored a
valid value in it ould obtain an unspeied bit pattern (whatever data happens
to be in RAM at the loation of the register) and use it as an objet referene.
This is a serious seurity threat.
There are two ways to avoid this threat. One is to verify register initialization
(no reads before a store) statially, as part of the byteode verier. The other is
to rely on the virtual mahine to initialize, on entry to a method, all registers
that are not method parameters to the bit-pattern representing the null objet
referene. This way, inorret ode that perform a read before write on a register
does not break type safety: all instrutions operating on objet referenes test
for the null referene and raise an exeption if appropriate; integer instrutions
an operate on arbitrary bit patterns without breaking type safety. (A dynami
hek must be added to the RET instrution, however, so that a RET on a register
initialized to null will fail instead of jumping blindly to the null ode address.)
Clearing registers on method entrane is inexpensive, and it is our under-
standing that several implementations of the JCVM already do it (even if the
speiation does not require it) in order to redue the life-time of sensitive data
stored on the stak. In summary, register initialization is a rare example of a type
safety property that is easy and inexpensive to ensure dynamially in the virtual
mahine. Hene, we hose not to ensure it statially by byteode veriation.
Sine the bit pattern representing null is a orret value of any JCVM type
(short, int, array and referene types, and return addresses), it semantially
belongs to the type ? that is subtype of all other JCVM types. Hene, assuming
initialization to null in the virtual mahine, it is semantially orret to as-
sign the initial type ? to registers that are not parameters, like our veriation
algorithm does.
3.5 Subroutines
Subroutines are shared ode fragments built from the JSR and RET instrutions
and used for ompiling the try. . . finally onstrut in partiular [10℄. Subrou-
tines ompliate Sun-style byteode veriation tremendously. The reason is that
a subroutine an be alled from dierent ontexts, where registers have dierent
types; heking the type-orretness of subroutine alls therefore requires that
the veriation of the subroutine ode be polymorphi with respet to the types
of the registers that the subroutine body does not use [10, setion 4.9.6℄. This
requires a omplementary ode analysis that identies the method instrutions
that belong to subroutines, and math them with the orresponding JSR and
RET instrutions. See [19, 17℄ for formalizations of this approah.
All these ompliations (and potential seurity holes) disappear in our byte-
ode veriation algorithm: sine it ensures that a register has the same type
throughout the method ode, it ensures that the whole method ode, inluding
subroutines, is monomorphi with respet to the types of all registers. Hene,
there is no need to verify the JSR and RET instrutions in a speial, polymorphi
way: JSR is treated as a regular branh that also pushes a value of type \return
address" on the stak; and RET is treated as a branh that an go to any in-
strution that follows a JSR in the urrent method. No omplementary analysis
of the subroutine struture is required.
4 O-ard Code Transformations
As explained in setion 3.1, our on-ard verier aepts only a subset of all
type-orret applets: those whose ode satises the two additional requirements
R1 (stak is empty at branh points) and R2 (registers have unique types). To
ensure that all orret applets pass veriation, we ould ompile them with a
speial Java ompiler that generates JVM byteode satisfying requirements R1
and R2, for instane by expanding onditional expressions e
1
? e
2
: e
3
into
if. . . then. . . else statements, and by assigning distint register to eah soure-
level loal variable.
Instead, we found it easier and more exible to let applet developers use
a standard Java ompiler and JavaCard onverter of their hoie, and perform
an o-ard ode transformation on the ompiled ode to produe an equivalent
Java
ompiler
CAP
onverter
CAP
transformer
On-ard
verier
Applet
installer
Non-defensive
VM
Java soure
Class le
CAP le
Transformed CAP le
Veried
CAP le
Veried
applet
Trusted omputing base
O-ard proessing On-ard proessing
Fig. 2. Arhiteture of the system
ompiled ode that satises the additional requirements R1 and R2 and an
therefore pass the on-ard verier (see Fig. 2).
Two main transformations are performed: stak normalization (to ensure
that the stak is empty at branh points) and register realloation (to ensure
that a given register is used with only one type).
4.1 Stak Normalization
The idea underlying stak normalization is quite simple: whenever the original
ode ontains a branh with a non-empty stak, we insert stores to fresh regis-
ters before the branh, and loads from the same registers at the branh target.
This eetively empties the stak into the fresh registers before the branh, and
restore the stak to its initial state after the branh. Consider for example the
following Java statement: C.m(b ? x : y);. It ompiles down to the JCVM
ode fragment shown below on the left.
sload Lb sload Lb
ifeq lbl1 ifeq lbl1
sload Lx sload Lx
goto lbl2 sstore Ltmp
lbl1: sload Ly goto lbl2
lbl2: invokestati C.m lbl1: sload Ly
sstore Ltmp
lbl2: sload Ltmp
invokestati C.m
Here, Lx, Ly and Lb are the numbers for the registers holding x, y and b. The
result of type inferene for this ode indiates that the stak is non-empty aross
the goto to lbl2: it ontains one entry of type short. Stak normalization
therefore rewrites it into the ode shown above on the right, where Ltmp is the
number of a fresh, unused register. The sstore Ltmp before goto lbl2 empties
the stak, and the sload Ltmp at lbl2 restore it before proeeding with the
invokestati. Sine the sload Ly at lbl1 falls through the instrution at lbl2,
we must treat it as an impliit jump to lbl2 and also insert a sstore Ltmp
between the sload Ly and the instrution at lbl2.
(Alloating fresh temporary registers suh as Ltmp for eah branh target
needing normalization may seem wasteful. Register realloation, as desribed in
setion 4.2, is able to \pak" these variables, along with the original registers of
the method ode, thus minimizing the number of registers really required.)
By lak of spae, we omit a detailed presentation of the atual stak normal-
ization transformation. It follows the approah outlined above, with some extra
ompliations due to branh instrutions that pop arguments o the stak, and
also to the fat that a branh instrution needing normalization an be itself the
target of another branh instrution needing normalization.
4.2 Register Realloation
The seond ode transformation performed o-ard onsists in re-alloating reg-
isters (i.e. hange the register numbers) in order to ensure requirement R2: a
register is used with only one type throughout the method ode. This an al-
ways be ahieved by \splitting" registers used with several types into several
distint registers, one per use type. However, this an inrease markedly the
number of registers required by a method.
Instead, we use a more sophistiated register realloation algorithm, derived
from the well-known algorithms for global register alloation via graph olor-
ing. This algorithm tries to redue the number of registers by reusing the same
register as muh as possible, i.e. to hold soure variables that are not live si-
multaneously and that have the same type. Consequently, it is very eetive at
reduing ineÆienies in the handling of registers, either introdued by the stak
normalization transformation, or left by the Java ompiler.
Consider the following example (original ode on the left, result of register
realloation on the right).
sonst_1 sonst_1
sstore 1 sstore 1
sload 1 sload 1
sonst_2 sonst_2
sadd sadd
sstore 2 sstore 1
new C new C
astore 1 astore 2
... ...
In the original ode, register 1 is used with two types: rst to hold values of
type short, then to hold values of type C. In the transformed ode, these two
roles of register 1 are split into two distint registers, 1 for the short role and 2
for the C role. In parallel, the realloation algorithm noties that, in the original
ode, register 2 and the short role of register 1 have disjoint live ranges and
have the same type. Hene, these two registers are merged into register 1 in the
transformed ode. The end result is that the number of registers stays onstant.
The register realloation algorithm is essentially idential to Briggs' variant
of Chaitin's graph oloring alloator [3, 1℄, with additional type onstraints re-
eting requirement R2. More preisely, we add edges in the interferene graph
between live ranges that do not have the same prinipal type, thus guaranteeing
that they will be assigned dierent registers.
5 Experimental Results
5.1 O-ard Transformation
The table below shows results obtained by transforming 6 pakages from Sun's
Java Card development kit.
Pakage Code size (bytes) Resident size (bytes) Registers
Orig. Transf. Inr. Orig. Transf. Inr.
java.lang 92 91 -1% 320 319 -0.3% 0.0%
javaard.framework 4047 4142 +2.3% 5393 5488 +1.8% +0.3%
om.sun.javaard.HelloWorld 100 99 -1% 220 219 -0.5% 0.0%
om.sun.javaard.JavaPurse 2558 2531 -1% 3045 3018 -0.8% -8.3%
om.sun.javaard.JavaLoyalty 207 203 -1.9% 365 361 -1% 0.0%
om.sun.javaard.installer 7043 7156 +1.6% 8625 8738 +1.3% -7.5%
Total 14047 14222 +1.2% 17968 18143 +0.9% -4.2%
The ode size inrease aused by the transformation is almost negligible: the
size of the Method omponent inreases by 1.2%; the resident size (total size of
all omponents that remain on the ard after installation) inreases by 0.9%.
The requirements in registers globally dereases by about 4%.
To test a larger body of ode, we used a version of the o-ard transformer
that works over Java lass les (instead of Java Card CAP les) and transformed
all the lasses from the Java Runtime Environment version 1.2.2, that is, about
1.5 Mbyte of JVM ode. The results are very similar: ode size inreases by 0.7%;
registers derease by 1.3%.
The transformer performs lean-up optimizations (branh tunneling, register
oalesing) whose purpose is to redue ineÆienies introdued by other trans-
formations. These optimizations are also quite eetive at reduing ineÆienies
left by the Java ompiler, resulting in ode size dereases of up to 1.9% for
some pakages. Similarly, the paking of registers atually redues the maximal
number of registers in most pakages.
5.2 On-ard Verier
We present here preliminary results obtained on an implementation of our byte-
ode verier running on a Linux PC. A proper on-ard implementation is in
progress, but we are not in a position to give results onerning this implemen-
tation.
Byteode veriation proper (ensuring that method ode is type-safe), writ-
ten in ANSI C, ompiles down to 11 kilobytes of Intel IA32 ode, and 9 kilobytes
of Atmel AVR ode. A proof-of-onept reimplementation in hand-written ST7
assembly ode ts in 4.5 kilobytes of ode.
In addition to verifying the byteode of methods, our implementation also
heks the strutural onsisteny of CAP le omponents. Sine the CAP le
format is extremely omplex [22, hapter 6℄, CAP le onsisteny heking takes
a whopping 12 kilobytes of Intel IA32 ode. However, when integrating the ver-
ier with an atual Java Card VM, many of these onsisteny heks beome
redundant with heks already performed by the VM or the installer, or useless
beause they apply to CAP le information that the VM ignores. Programming
triks suh as table-driven automata an also be used to redue further the ode
size of onsisteny heking, at some expense in exeution speed.
The PC implementation of the verier, running on a 500 Mhz Pentium III,
takes approximately 1.5 ms per kilobyte of byteode. Extrapolating this gure
to a typial 8-byte smartard proessor (e.g. 8051 at 5 Mhz), we estimate that an
on-ard implementation should take less than 1 seond per kilobyte of byteode,
or about 2 seonds to verify an applet the size of JavaPurse. Notie that the
verier performs no EEPROM writes and no ommuniations, hene its speed
benets linearly from higher lok rates or more eÆient proessor ores.
Conerning the number of iterations required to reah the xpoint in the
byteode veriation algorithm, the 6 pakages we studied ontain 7077 JCVM
instrutions and require 11492 alls to the funtion that analyzes individual
instrutions. This indiates that eah instrution is analyzed 1.6 times on average
before reahing the xpoint. This gure is surprisingly low; it shows that a
\perfet" veriation algorithm that analyzes eah instrution exatly one, suh
as [18℄, would only be 38% faster than ours.
6 Related Work
The work most losely related to ours is the lightweight byteode veriation
of Rose and Rose [18℄, also found in the KVM arhiteture [20℄ and in [9℄.
Inspired by proof-arrying ode [12℄, lightweight byteode veriation onsists
in sending, along with the ode to be veried, pre-omputed stak and register
types for eah branh target. Veriation then simply heks the orretness of
these pre-omputed types, using a simple variant of straight-line veriation,
instead of inferring them by xpoint iteration, as in Sun's verier.
The interest for an on-ard verier is twofold. The rst is that xpoint it-
eration is avoided, thus making the verier faster. (As mentioned at the end
of setion 5.2, the performane gain thus obtained is modest.) The seond is
that the stak and register types at branh targets an be stored temporarily in
EEPROM, sine they do not need to be updated repeatedly during veriation.
The RAM requirements of the verier beome similar to those of our verier:
only the urrent stak type and register type need to be kept in RAM.
There are two problems with Rose and Rose's lightweight byteode veria-
tion. One is that it urrently does not deal with subroutines, more speially
with polymorphi typing of subroutines as desribed in setion 3.5. Subroutines
are part of the JCVM speiation, and ould be useful as a general ode sharing
devie for reduing byteode size. The seond issue is the size of the \ertiate",
that is, the pre-omputed stak and register types that aompany the ode. Our
experiments indiate that, using a straightforward representation, ertiates are
about the same size as the ode. Even with a more omplex, ompressed repre-
sentation, ertiates are still 20% of the ode size. Hene, signiant free spae
in EEPROM is required for storing temporarily the ertiates during the veri-
ation of large pakages. In ontrast, our veriation tehnology only requires
at most 1{2% of extra EEPROM spae.
Challenged by the lak of preision in the referene publiations of Sun's
verier [8, 24, 10℄, many researhers have published rational reonstrutions, for-
malizations, and formal proofs of orretness of various subsets of Sun's verier
[5, 16, 15, 17, 6, 13℄. These works were inuential in understanding the issues, un-
overing bugs in Sun's implementation of the verier, and generating ondene
in the algorithm. Unfortunately, most of these works address only a subset of the
verier. In partiular, none of them proves the orretness of Sun's polymorphi
typing of subroutines in the presene of exeptions.
A dierent approah to byteode veriation was proposed by Posegga [14℄
and further rened by Brisset [2℄. This approah is based on model heking
of a type-level abstrat interpretation of a defensive Java virtual mahine. It
trivializes the problem with polymorphi subroutines and exeptions, but is very
expensive (time and spae exponential in the size of the method ode), thus is
not suited to on-ard implementation.
7 Conlusions
The novel byteode veriation algorithm desribed in this paper is perfetly
suited to on-ard implementation, due to its low RAM requirements. It is su-
perior to Rose and Rose's lightweight byteode veriation in that it handles
subroutines, and requires muh less additional EEPROM spae (1{2% of the
ode size vs. 20{100% for lightweight byteode veriation).
On-ard byteode veriation is the missing link in the Javaard vision of
multi-appliation smart ards with seure, eÆient post-issuane downloading
of applets. We believe that our byteode verier is a ruial enabling tehnology
for making this vision a reality.
Referenes
1. P. Briggs, K. D. Cooper, and L. Torzon. Improvements to graph oloring register
alloation. ACM Trans. Prog. Lang. Syst., 16(3):428{455, 1994.
2. P. Brisset. Vers un verieur de byteode Java ertie. Seminar given at Eole
Normale Superieure, Paris, Ot 2nd 1998.
3. G. J. Chaitin. Register alloation and spilling via graph oloring. SIGPLAN
Noties, 17(6):98{105, 1982.
4. Z. Chen. Java Card Tehnology for Smart Cards: Arhiteture and Programmer's
Guide. The Java Series. Addison-Wesley, 2000.
5. R. Cohen. The defensive Java virtual mahine speiation. Tehnial report,
Computational Logi In., 1997.
6. S. N. Freund and J. C. Mithell. A type system for objet initialization in the Java
byteode language. ACM Trans. Prog. Lang. Syst., 22(5), 2000.
7. L. Gong. Inside Java 2 platform seurity: arhiteture, API design, and implemen-
tation. The Java Series. Addison-Wesley, 1999.
8. J. A. Gosling. Java intermediate byteodes. In Pro. ACM SIGPLAN Workshop
on Intermediate Representations, pages 111{118. ACM, 1995.
9. G. Grimaud, J.-L. Lanet, and J.-J. Vandewalle. FACADE { a typed intermediate
language dediated to smart ards. In Software Engineering - ESEC/FSE '99,
volume 1687 of LNCS, pages 476{493. Springer-Verlag, 1999.
10. T. Lindholm and F. Yellin. The Java Virtual Mahine Speiation. The Java
Series. Addison-Wesley, 1999. Seond edition.
11. G. MGraw and E. Felten. Seuring Java. John Wiley & Sons, 1999.
12. G. C. Neula. Proof-arrying ode. In POPL'97, pages 106{119. ACM Press, 1997.
13. T. Nipkow. Veried byteode veriers. In Foundations of Software Siene and
Computation Strutures (FOSSACS'01). Springer-Verlag, 2001. To appear.
14. J. Posegga and H. Vogt. Java byteode veriation using model heking. In
Workshop Fundamental Underpinnings of Java, 1998.
15. C. Push. Proving the soundness of a Java byteode verier speiation in Is-
abelle/HOL. In W. R. Cleaveland, editor, TACAS'99, volume 1579 of LNCS, pages
89{103. Springer-Verlag, 1999.
16. Z. Qian. A formal speiation of Java virtual mahine instrutions for objets,
methods and subroutines. In J. Alves-Foss, editor, Formal syntax and semantis
of Java, volume 1523 of LNCS. Springer-Verlag, 1998.
17. Z. Qian. Standard xpoint iteration for Java byteode veriation. ACM Trans.
Prog. Lang. Syst., 22(4):638{672, 2000.
18. E. Rose and K. Rose. Lightweight byteode veriation. InWorkshop Fundamental
Underpinnings of Java, 1998.
19. R. Stata and M. Abadi. A type system for Java byteode subroutines. ACM Trans.
Prog. Lang. Syst., 21(1):90{137, 1999.
20. Sun Mirosystems. Java 2 platform miro edition tehnology for reating mobile
devies. White paper, 2000.
21. Sun Mirosystems. Java Card 2.1.1 runtime environment speiation, 2000.
22. Sun Mirosystems. Java Card 2.1.1 virtual mahine speiation, 2000.
23. G. Vigna, editor. Mobile Agents and Seurity. Number 1419 in Leture Notes in
Computer Siene. Springer-Verlag, 1998.
24. F. Yellin. Low level seurity in Java. In Pro. 4th World Wide Web Conferene,
pages 369{379. O'Reilly, 1995.
