Reasoning about safety properties in a JVM-like environment

Type-based protection mechanisms in a JVM-like environment must be administrated by the code consumer at the bytecode level. Unfortunately, formulating a sound static type system for the full JVM bytecode language can be a daunting task. It is therefore counter-productive for the designer of a bytecode-level type system to address the full complexity of the VM environment in the early stage of design. In this work, a lightweight modelling tool, Featherweight JVM, is proposed to facilitate the early evaluation of bytecode-level, type-based protection mechanisms and, specifically, their ability to enforce security-motivated stack invariants and confinement properties. Rather than modelling the execution of a specific bytecode stream, Featherweight JVM is a nondeterministic event model that captures all the possible access event sequences that may be generated by a JVM-like environment when well-typed bytecode programs are executed. The effect of deploying a type-based protection mechanism can be modelled by a safety policy that constrains the event sequences produced by the VM model. To evaluate the effectiveness of the protection mechanism, security theorems in the form of state invariants can then be proved in the policy-guarded VM model. To demonstrate the utility of the proposed approach, Vitek et al.'s Confined Types has been formulated as a safety policy for the Featherweight JVM, and a corresponding confinement theorem has been established. To reduce class loading overhead, a capability-based reformulation of Confined Types is then studied, and is shown to preserve the confinement theorem. This paper thus provides first evidence on the utility of Featherweight JVM in providing early feedback to the designer of type-based protection mechanisms for JVM-like environments. (c) 2007 Elsevier B.V. All rights reserved.