
    Reasoning about safety properties in a JVM-like environment

    Type-based protection mechanisms in a JVM-like environment must be administered by the code consumer at the bytecode level. Unfortunately, formulating a sound static type system for the full JVM bytecode language is a daunting task, so it is counter-productive for the designer of a bytecode-level type system to address the full complexity of the VM environment in the early stages of design. In this work, a lightweight modeling tool, Featherweight JVM, is proposed to facilitate the early evaluation of bytecode-level, type-based protection mechanisms. In the style of Security Automata, Featherweight JVM is an event model that tracks the interprocedural access events generated by a JVM-like environment. The effect of deploying a type-based protection mechanism is modeled as a safety policy that restricts the event sequences the VM model may produce. To evaluate the effectiveness of the protection mechanism, security theorems in the form of state invariants can then be proven in the policy-guarded VM model. This paper provides initial evidence of the utility of this approach in giving early feedback to the designer of type-based protection mechanisms for JVM-like environments.
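    The following is an added toy illustration of the modeling style the abstract describes, not the paper's Featherweight JVM and not its policy or theorems. A small VM model emits interprocedural access events, a safety policy in the form of a security automaton (a transition function in which a missing transition means the event is forbidden) restricts which event sequences the guarded model can produce, and a state invariant is checked over every reachable state of the guarded and unguarded models by exhaustive exploration, which is a bounded stand-in for the proofs the paper carries out. The event alphabet (`lib.util`, `sec.check`, `sys.priv`), the VM state `(granted, in_priv)`, the three-state policy and the invariant are all assumptions constructed for this example.

```python
"""Toy security automaton guarding a tiny VM event model.

Added illustration, not the paper's Featherweight JVM: the event alphabet,
the VM state, the policy and the invariant are all assumptions chosen for
this example.
"""
from collections import deque

# Constructed event alphabet: (kind, subject, target), one event per
# interprocedural access in a JVM-like environment.
CALL_UTIL = ("call", "app", "lib.util")      # untrusted code calls a utility
CALL_CHECK = ("call", "app", "sec.check")    # untrusted code asks for a permission check
GRANT = ("grant", "sec.check", "app")        # the check succeeds
CALL_PRIV = ("call", "app", "sys.priv")      # untrusted code enters a privileged method
RET_PRIV = ("return", "sys.priv", "app")     # privileged method returns
ALPHABET = (CALL_UTIL, CALL_CHECK, GRANT, CALL_PRIV, RET_PRIV)

# Unguarded VM model: state is (granted, in_priv); every event is always enabled.
VM_INIT = (False, False)

def vm_step(state, event):
    granted, in_priv = state
    if event == GRANT:
        return (True, in_priv)
    if event == CALL_PRIV:
        return (granted, True)
    if event == RET_PRIV:        # leaving privileged code consumes the grant
        return (False, False)
    return state                 # CALL_UTIL and CALL_CHECK do not change VM state

def invariant(state):
    """The security theorem we want: privileged code only runs under a grant."""
    granted, in_priv = state
    return granted or not in_priv

# Safety policy as a security automaton: states 0 (no grant), 1 (granted),
# 2 (inside privileged code). A missing (state, event) pair is a forbidden
# event; the guarded model never produces it (the VM would halt the thread).
POLICY_INIT = 0
POLICY_DELTA = {
    (0, CALL_UTIL): 0, (0, CALL_CHECK): 0, (0, GRANT): 1,
    (1, CALL_UTIL): 1, (1, CALL_CHECK): 1, (1, GRANT): 1, (1, CALL_PRIV): 2,
    (2, CALL_UTIL): 2, (2, RET_PRIV): 0,
}

def policy_step(pstate, event):
    return POLICY_DELTA.get((pstate, event))   # None means the event is forbidden

def run_guarded(trace):
    """Run one concrete event trace under the policy.
    Returns (accepted prefix, offending event or None)."""
    vm, pol = VM_INIT, POLICY_INIT
    accepted = []
    for ev in trace:
        nxt = policy_step(pol, ev)
        if nxt is None:
            return accepted, ev          # policy truncates the trace here
        vm, pol = vm_step(vm, ev), nxt
        accepted.append(ev)
    return accepted, None

def check_invariant(guarded):
    """Exhaustively explore the finite reachable state space of the VM model,
    with or without the policy guard, and collect VM states that break the
    invariant. Returns (holds, sorted violating VM states, reachable count)."""
    start = (VM_INIT, POLICY_INIT if guarded else None)
    seen = {start}
    work = deque([start])
    bad = set()
    while work:
        vm, pol = work.popleft()
        if not invariant(vm):
            bad.add(vm)
        for ev in ALPHABET:
            nxt_pol = None
            if guarded:
                nxt_pol = policy_step(pol, ev)
                if nxt_pol is None:
                    continue             # forbidden event: no successor in the guarded model
            succ = (vm_step(vm, ev), nxt_pol)
            if succ not in seen:
                seen.add(succ)
                work.append(succ)
    return not bad, sorted(bad), len(seen)

if __name__ == "__main__":
    print("unguarded:", check_invariant(False))   # invariant fails: priv entered without grant
    print("guarded:  ", check_invariant(True))    # invariant holds on every reachable state
    print(run_guarded([CALL_UTIL, CALL_PRIV]))
    print(run_guarded([CALL_CHECK, GRANT, CALL_PRIV, RET_PRIV]))
```

    In the unguarded model the exploration reaches the state where `sys.priv` is entered with no grant, so the invariant is a false theorem there; under the policy that state is unreachable, which is the kind of early feedback the abstract attributes to a policy-guarded model. The exploration here is a finite-state check on a constructed model, not a proof about the JVM.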