Integrated Java Bytecode Verification

AbstractExisting Java verifiers perform an iterative data-flow analysis to discover the unambiguous type of values stored on the stack or in registers. Our novel verification algorithm uses abstract interpretation to obtain definition/use information for each register and stack location in the program, which in turn is used to transform the program into Static Single Assignment form. In SSA, verification is reduced to simple type compatibility checking between the definition type of each SSA variable and the type of each of its uses. Inter-adjacent transitions of a value through stack and registers are no longer verified explicitly. This integrated approach is more efficient than traditional bytecode verification but still as safe as strict verification, as overall program correctness can be induced once the data flow from each definition to all associated uses is known to be type-safe

Bytecode verification on Java smart cards

International audienceThis article presents a novel approach to the problem of bytecode verification for Java Card applets. By relying on prior off-card bytecode transformations, we simplify the bytecode verifier and reduce its memory requirements to the point where it can be embedded on a smart card, thus increasing significantly the security of post-issuance downloading of applets on Java Cards. This article describes the on-card verification algorithm and the off-card code transformations, and evaluates experimentally their impact on applet code size

Formalizing non-interference for a simple bytecode language in Coq

In this paper, we describe the application of the interactive theorem prover Coq to the security analysis of bytecode as used in Java. We provide a generic specification and proof of non-interference for bytecode languages using the Coq module system. We illustrate the use of this formalization by applying it to a small subset of Java bytecode. The emphasis of the paper is on modularity of a language formalization and its analysis in a machine proof

Model-Based Robustness Testing in Event-B Using Mutation

International audienceRobustness testing aims at finding errors in a system under invalid conditions, such as unexpected inputs. We propose a robust-ness testing approach for Event-B based on specification mutation and model-based testing. We assume that a specification describes the valid inputs of a system. By applying negation rules, we mutate the precondition of events to explore invalid behaviour. Tests are generated from the mutated specification using ProB. ProB has been adapted to efficiently process mutated events. Mutated events are statically checked for satisfiability and enability using constraint satisfaction, to prune the transition search space. This has dramatically improve the performance of test generation. The approach is applied to the Java Card bytecode verifier. Large mutated specifications (containing 921 mutated events) can be easily tackled to ensure a good coverage of the robustness test space

CardS4: modal theorem proving on Java smart cards, Journal of Telecommunications and Information Technology, 2002, nr 4

We describe a successful implementation of a theorem prover for modal logic S4 that runs on a Java smart card with only 512 KBytes of RAM and 32 KBytes of EEPROM. Since proof search in S4 can lead to infinite branches, this is “proof of principle” that non-trivial modal deduction is feasible even on current Java cards. We hope to use this prover as the basis of an on-board security manager for restricting the flow of “secrets” between multiple applets residing on the same card, although much work needs to be done to design the appropriate modal logics of “permission” and “obligations”. Such security concerns are the major impediments to the commercial deployment of multi-application smart cards

Flexible Bindings for Type-Safe Embedded Operating Systems.

This paper presents the binding model implemented in Camille, an extensible operating system for resource-limited devices. Modern embedded systems need on the first hand to fully exploit the limited hardware on which they run and on the other hand to dynamically adapt themselves to changes in their runtime environment. Camille is an exokernel which support static customization of components and dynamic loading of system extensions. Dynamic kernel and application adaptation is implemented by an inter-component communication model. This model is based on flexible bindings which permit to fully customize the way components interact with each others. Bindings can be static, virtual or compiled to guarantee performances of inter-component communications. This paper shows that it is possible to build a flexible operating system without sacrificing runtime performances, even for devices as constrained as smart cards. We first present the architecture of the Camille exokernel and the intermediate language Facade into which applications and system components are translated to ease type verification. We then describe the component model implemented in Camille and the inter-component communication scheme based on embedded binding factories. We then details the binding generation process and the various verifications which can be enforced when implementing bindings. We present some experimental results we have obtained when monitoring the performances of our native code generator. Finally, we conclude and discuss the future work we plan to conduct concerning extraction of selected properties from generated code