A Structured and High-Level Definition of Java and of its Provably Correct and Secure Implementation on the Java Virtual Machine Egon Börger Dipartimento.

Slides:



Advertisements
Similar presentations
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Advertisements

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Java security (in a nutshell)
Java Virtual Machine (JVM). Lecture Objectives Learn about the Java Virtual Machine (JVM) Understand the functionalities of the class loader subsystem.
1 1 Lecture 14 Java Virtual Machine Instructors: Fu-Chiung Cheng ( 鄭福炯 ) Associate Professor Computer Science & Engineering Tatung Institute of Technology.
Design for Reuse via Structuring Techniques for ASMs Case Study: Decomposing and Layering the Java VM Egon Börger Dipartimento di Informatica, Universita.
Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.
Program Representations. Representing programs Goals.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Lab#1 (14/3/1431h) Introduction To java programming cs425
Slides prepared by Rose Williams, Binghamton University Chapter 1 Getting Started 1.1 Introduction to Java.
VIDE Integrated Environment for Development and Verification of Programs.
Exploiting Abstractions for Specification Reuse Java/C# Case Study Egon Börger in cooperation with R. Stärk, V. Gervasi, G. Fruja Dipartimento di Informatica,
A Structured and High-Level Definition of Java and of its Provably Correct and Secure Implementation on the Java Virtual Machine (The ASM Java/JVM Project)
JVM-1 Java Virtual Machine Reading Assignment: Chapter 1: All Chapter 3: Sections.
Java Virtual Machine (JVM). Lecture Objectives Learn about the Java Virtual Machine (JVM) Understand the functionalities of the class loader subsystem.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.
JVM-1 Introduction to Java Virtual Machine. JVM-2 Outline Java Language, Java Virtual Machine and Java Platform Organization of Java Virtual Machine Garbage.
Programming Languages Structure
Communication in Distributed Systems –Part 2
Lecture 2: Do you speak Java?. From Problem to Program Last Lecture we looked at modeling with objects! Steps to solving a business problem –Investigate.
Unit 061 Java Virtual Machine (JVM) What is Java Virtual Machine? The Class Loader Subsystem Linking oVerification oPreparation oResolution Class Initialization.
1 Further OO Concepts II – Java Program at run-time Overview l Steps in Executing a Java Program. l Loading l Linking l Initialization l Creation of Objects.
1 Software Testing and Quality Assurance Lecture 31 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.
Intro to Java The Java Virtual Machine. What is the JVM  a software emulation of a hypothetical computing machine that runs Java bytecodes (Java compiler.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
Computer Programming-1 CSC 111 Chapter 1 : Introduction.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
© Janice Regan, CMPT 128, Jan CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.
Introduction to ASMs Dumitru Roman Digital Enterprise Research Institute
Java Virtual Machine Java Virtual Machine A Java Virtual Machine (JVM) is a set of computer software programs and data structures that use.
Chapter 1 Introduction Dr. Frank Lee. 1.1 Why Study Compiler? To write more efficient code in a high-level language To provide solid foundation in parsing.
CSC3315 (Spring 2009)1 CSC 3315 Programming Languages Hamid Harroud School of Science and Engineering, Akhawayn University
Lecture 10 : Introduction to Java Virtual Machine
1 Module Objective & Outline Module Objective: After completing this Module, you will be able to, appreciate java as a programming language, write java.
University of Houston-Clear Lake Proprietary© 1997 Evolution of Programming Languages Basic cycle of improvement –Experience software difficulties –Theory.
Introduction Algorithms and Conventions The design and analysis of algorithms is the core subject matter of Computer Science. Given a problem, we want.
Compiler Construction
Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.
Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.
CPRG 215 Introduction to Object-Oriented Programming with Java Module 1-Introduction to Java Topic 1.1 Basics of Java Produced by Harvey Peters, 2008 Copyright.
Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 7 OS System Structure.
Verification and Validation in the Context of Domain-Specific Modelling Janne Merilinna.
Chapter 1 Section 1.1 Introduction to Java Slides prepared by Rose Williams, Binghamton University Kenrick Mock, University of Alaska Anchorage.
Design Concepts By Deepika Chaudhary.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
A compiler is a computer program that translate written code (source code) into another computer language Associated with high level languages A well.
Concurrency Properties. Correctness In sequential programs, rerunning a program with the same input will always give the same result, so it makes sense.
ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.
13-1 Chapter 13 Concurrency Topics Introduction Introduction to Subprogram-Level Concurrency Semaphores Monitors Message Passing Java Threads C# Threads.
By: Cheryl Mok & Sarah Tan. Java is partially interpreted. 1. Programmer writes a program in textual form 2. Runs the compiler, which converts the textual.
Semantic Analysis II Type Checking EECS 483 – Lecture 12 University of Michigan Wednesday, October 18, 2006.
CS5205Semantics1 CS5205: Foundation in Programming Languages Semantics Static Semantics Dynamic Semantics Operational Semantics Big-step Small-Step Denotational.
Lecture #1: Introduction to Algorithms and Problem Solving Dr. Hmood Al-Dossari King Saud University Department of Computer Science 6 February 2012.
Introduction to Programming 1 1 2Introduction to Java.
RealTimeSystems Lab Jong-Koo, Lim
Some of the utilities associated with the development of programs. These program development tools allow users to write and construct programs that the.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
A Single Intermediate Language That Supports Multiple Implemtntation of Exceptions Delvin Defoe Washington University in Saint Louis Department of Computer.
Language-Based Security: Overview of Types Deepak Garg Foundations of Security and Privacy October 27, 2009.
Types for Programs and Proofs
Lecture 1: Introduction to JAVA
Java programming lecture one
Software Design Methodology
Security in Java Real or Decaf? cs205: engineering software
Programming Languages 2nd edition Tucker and Noonan
Language-based Security
Presentation transcript:

A Structured and High-Level Definition of Java and of its Provably Correct and Secure Implementation on the Java Virtual Machine Egon Börger Dipartimento di Informatica, Universita di Pisa

© Egon Boerger: The ASM Java/JVM Project 2 R. Staerk, J. Schmid, E. Boerger Java and the Java Virtual Machine: Definition, Verification, Validation Java and the Java Virtual Machine: Definition, Verification, Validation Springer-Verlag, see

© Egon Boerger: The ASM Java/JVM Project 3 The Problem Java/JVM claimed by SUN to be a safe and secure, platform independent programming env for Internet: correctness problem for compiler, loader (name space support), verifier, access right checker (security manager), interpreter. Usr. Usr.class Internet Compiler Interpreter LoaderVerifier Preparator Input Output Sys.class JVM insecure Java Run Time Machine

© Egon Boerger: The ASM Java/JVM Project 4 Goal of the ASM Java/JVM Project Abstract (platform independent), rigorous but transparent, modular definition providing basis for mathematical and experimental analysis –Reflecting SUN’s design decisions (faithful ground model) –Offering correct high-level understanding ( to be practically useful for programmers) –Providing rigorous, implementation independent basis for Analysis and Documentation (for designers) through –Mathematical verification –Experimental validation –Comparison of different implementations Implementation (compiln, loading, bytecode verification, security schemes)

© Egon Boerger: The ASM Java/JVM Project 5 Main Result A Structured and High-Level Definition of Java and of its Provably Correct and Secure Implementation on the Java Virtual Machine Theorem. Under explicitly stated conditions, any well-formed and well-typed Java program: upon correct compilation passes the verifier is executed on the JVM executes –without violating any run-time checks –correctly wrt Java source pgm semantics

© Egon Boerger: The ASM Java/JVM Project 6 Language driven decomposition of Java, JVM, compilation JVM I JVM C JVM T JVM E JVM O Java I Java C Java E Java T Java O imperative static class features (procedures) exception handling concurrent threads oo features Split into horizontal language components (conservative extensions) compile

© Egon Boerger: The ASM Java/JVM Project 7 The language driven decomposition of execJava and its submachines execJava = execJava I imperative control constructs execJava C static class features (modules) execJava O oo features execJava E exception handling execJava T concurrent threads execJava I = execJavaExp I expression evaluation execJavaStm I statement execution NB. Grouping similar instructions into one parameterized abstract instr

© Egon Boerger: The ASM Java/JVM Project 8 Theorem: Java is type safe i.e. when a legal well-typed Java pgm is executed: –run-time vals of static/instance fields/array elems are compatible with their declared types –references to objects are in the heap (no dangling pointers) –run-time positions satisfy compile-time constraints (reachable, definitely assigned vars are well-defined local vars with vals of compile-time type,…) –positions of normally completing stms are compile-time normal –evaluated exprs/returned vals have compile-time compatible type –abruptions (jump,return,exc) have compile-time compatible type –stacks do not overflow nor underflow, … Proof: induction on Java ASM runs, based upon a rigorous definition of the rules for definite assignment

© Egon Boerger: The ASM Java/JVM Project 9 Theorem: Correctness of Thread Synchronization in Java Runtime threads are valid threads (of type THREAD). If the execution state of a thread is Not Started, then the thread is not synchronized on any object and is not in the wait set of any object. If the state of a thread is synchronizing, then the thread is not already synchronized on the object it is competing for. If a thread is synchronized on an object, then the object is a valid reference in the heap. If a thread is waiting for an object, then it is synchronized on and is in the wait set of the object (without holding the lock of the object). If a thread has been notified on an object, then it is no longer in the wait set of the object. It is still synchronized on the object, but it does not hold the lock of the object.

© Egon Boerger: The ASM Java/JVM Project 10 Theorem: Correctness of Thread Synchronization in Java (Cont’d) A thread cannot be in the wait set of two different objects. If a thread has terminated normally or abruptly, then it does not hold the lock of any object. If a thread holds the lock of an object, then the lock counter of the object is exactly the number of occurrences of the object in the list of synchronized objects of the thread. It is not possible that at the same time, two different threads hold the lock of the same object. If the lock counter of an object is greater than zero, then there exists a thread which holds the lock of the object. … PROOF. Induction on Java ASM runs.

© Egon Boerger: The ASM Java/JVM Project 11 Security Driven JVM Decomposition trustfulVM : defines the execution functionality incrementally from language layered submachines execVM, switchVM defensiveVM : defines the constraints to be checked, in terms of trustfulVM execution, from the language layered submachine check; calls trustfulVM for execution diligentVM : checks the constraints at link-time, using a language layered submachine verifyVM; calls trustfulVM for execution verifyVM built up from language layered submachines check, propagateVM, succ

© Egon Boerger: The ASM Java/JVM Project 12

© Egon Boerger: The ASM Java/JVM Project 13 Stepwise refinement of trustfulVM execVM switch = Noswitch switchVM yes no execVM and switchVM incrementally extended (language driven) trustfulVM I = execVM I  execVM C  execVM O  execVM E  execVM N  execVM D following the language extensions switchVM C  switchVM E  switchVM D reflecting meth call/return, class initialization, capturing exceptions no execVM N yes isNative (meth)

© Egon Börger: Decomposing & Layering JVM 14 Stepwise refinement of defensiveVM check incrementally extended, language layered as for trustfulVM i.e. check I extended by check C extended by check O extended by check E extended by check N extended by check D no report failure switch = Noswitch yes trustfulVM validCodeIndex & check yes no trustfulVM N check N yes isNative (meth)

© Egon Börger: Decomposing & Layering JVM 15 Bytecode Type Assignments Link-time verifiable type assignments (conditions) extracted from checking function of the Defensive VM Main problem: return addresses of Jsr(s ), reached using Ret(x) Soundness Theorem: If P satisfies the type assignment conditions, then Defensive VM executes P without violating any run-time check. Proof by induction on runs of the Defensive VM Completeness Theorem: Bytecode generated by compile from a legal Java program does have type assignments. Inductive proof introduces certifying compiler assigning to each byte code instr also a type frame, which then can be shown to constitute a type assignment for the compiled code

© Egon Börger: Decomposing & Layering JVM 16 Stepwise refinement of diligentVM I,C,O,E trustfulVM verifyVM built out of langg layered check, succ, propagate switchVM C in trustfulVM is refined to also link classes before their initialization, where the linking submachine triggers verifyVM no set next meth up for verification yes some meth still to be verified curr meth still to be verified verifyVM yes report failure no

© Egon Boerger: The ASM Java/JVM Project 17 Stating rigorously and proving the Correctness of compiling from Java to JVM With respect to the ASM models for Java and JVM, and wrt the definition of compile from Java to JVM code, including the exception table, the execution of P in Java and the execution of compile(P) in Trustful VM are equivalent (in a sense made precise), for arbitrary pgms P. PROOF. By induction on the runs of the Java/JVM ASMs, using the type safety theorem. NB. This inlcudes the correctness of exception handling see Boerger E., Schulte W., A Practical Method for Specification and Analysis of Exception Handling -- A Java/JVM Case Study. IEEE Transactions of Software Engineering, Vol.26, No.10, October 2000 (Special Issue on Exception Handling, eds. D.Perry, A.Romanovsky, A.Tripathi).

© Egon Boerger: The ASM Java/JVM Project 18 Validating Java, JVM, compile AsmGofer: ASM programming system, extending TkGofer to execute ASMs (with Haskell definable external fcts)AsmGofer Provides step-by-step execution, with GUIs to support debugging of Java/JVM programs. Allows for the executable ASM models of Java/JVM: –to execute the Java source code P (no counterpart in SUN env) –to compile Java pgms P to bytecode compile(P) (in textual representation, using JASMIN to convert to binary class format) –to execute the bytecode programs compile(P) E.g. our Bytecode Verifier rejects Saraswat’s program Developed by Joachim Schmid, available at

© Egon Boerger: The ASM Java/JVM Project 19

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.