Tool-Assisted Specification and Verification of Typed Low-Level Languages

Journal of Automated Reasoning

Abstract

Bytecode verification is one of the key security functions of several architectures for mobile and embedded code, including Java, Java Card, and .NET. Over the past few years, its formal correctness has been studied extensively by academia and industry, using general-purpose theorem provers. The objective of our work is to facilitate such endeavors by providing a dedicated environment for establishing the correctness of bytecode verification within a proof assistant.

The environment, called Jakarta, exploits a methodology that casts the correctness of bytecode verification relative to a defensive virtual machine, which performs checks at run-time, and an offensive one, which does not; it can be summarized as stating that the two machines coincide on programs that pass bytecode verification. Such a methodology has been used successfully to prove the correctness of the Java Card bytecode verifier and may be applied to many similar problems. One definite advantage of the methodology is that it is amenable to automation. Indeed, Jakarta automates the construction of an offensive virtual machine and a bytecode verifier from a defensive machine, as well as the proofs of correctness of the bytecode verifier.

We illustrate the principles of Jakarta on a simple low-level language extended with subroutines and discuss its usefulness to proving the correctness of the Java Card platform.
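As an added illustration of the methodology described in the abstract (example code written for this page, not Jakarta's Coq development or the paper's subroutine language): a tiny straight-line stack language with a defensive machine that checks operand arity and types at run time, an offensive machine that manipulates untagged words with no checks, and a type-level verifier obtained from the same per-instruction specification table. The `compare` function checks the correctness statement on one program: when verification succeeds, the defensive run does not trap and, after erasing type tags, agrees with the offensive run; when verification fails, the defensive machine traps while the offensive one silently computes on confused or out-of-range operands. The instruction names, the `SPEC` table, the boolean word encoding and the sample programs are all constructed here; the real setting adds jumps and subroutines, which require a fixpoint over the control-flow graph rather than the single pass shown.

```python
# Added example (not the paper's Jakarta code): one per-instruction specification
# drives three machines, mirroring the defensive -> offensive / verifier derivation.
INT, BOOL = "int", "bool"


class DefensiveError(Exception):
    """Raised when a run-time check of the defensive machine fails (the VM 'traps')."""


class VerifyError(Exception):
    """Raised when the type-level verifier rejects a program."""


# op -> (operand types popped, result types pushed, function on raw machine words).
# Booleans are encoded as the words 1 / 0 once tags are erased (constructed encoding).
SPEC = {
    "add":    ((INT, INT),   (INT,),  lambda a, b: (a + b,)),
    "and":    ((BOOL, BOOL), (BOOL,), lambda a, b: (a & b,)),
    "not":    ((BOOL,),      (BOOL,), lambda a: (1 - a,)),
    "iszero": ((INT,),       (BOOL,), lambda a: (1 if a == 0 else 0,)),
}
# ("push", type, word) is the only instruction carrying an immediate operand.


def step_defensive(stack, instr):
    """Tagged values; arity and operand types are checked before executing."""
    if instr[0] == "push":
        stack.append((instr[1], instr[2]))
        return
    ins, outs, fn = SPEC[instr[0]]
    n = len(ins)
    if len(stack) < n:
        raise DefensiveError(f"{instr[0]}: stack underflow")
    operands = stack[len(stack) - n:]
    for (tag, _), expected in zip(operands, ins):
        if tag != expected:
            raise DefensiveError(f"{instr[0]}: expected {expected}, got {tag}")
    del stack[len(stack) - n:]
    stack.extend(zip(outs, fn(*(word for _, word in operands))))


def step_offensive(stack, instr):
    """Untagged words, no checks: the production machine that relies on verification."""
    if instr[0] == "push":
        stack.append(instr[2])
        return
    ins, _, fn = SPEC[instr[0]]
    n = len(ins)
    # Underflow is not detected; reading below the stack base is modelled as stale zero words.
    operands = stack[len(stack) - n:] if len(stack) >= n else [0] * (n - len(stack)) + stack[:]
    del stack[max(len(stack) - n, 0):]
    stack.extend(fn(*operands))


def verify(program):
    """Type-level abstract interpretation: the same SPEC, applied to types instead of values."""
    types = []
    for pc, instr in enumerate(program):
        if instr[0] == "push":
            types.append(instr[1])
            continue
        if instr[0] not in SPEC:
            raise VerifyError(f"pc {pc}: unknown instruction {instr[0]}")
        ins, outs, _ = SPEC[instr[0]]
        n = len(ins)
        if len(types) < n:
            raise VerifyError(f"pc {pc}: stack underflow")
        actual = tuple(types[len(types) - n:])
        if actual != ins:
            raise VerifyError(f"pc {pc}: expected {ins}, got {actual}")
        del types[len(types) - n:]
        types.extend(outs)
    return tuple(types)


def run(program, step):
    stack = []
    for instr in program:
        step(stack, instr)
    return stack


def compare(program):
    """Verifier verdict plus both runs; verified programs must give equal stacks after tag erasure."""
    try:
        verify(program)
        verified = True
    except VerifyError:
        verified = False
    try:
        defensive = [word for _, word in run(program, step_defensive)]
    except DefensiveError:
        defensive = "trap"
    return {"verified": verified, "defensive": defensive, "offensive": run(program, step_offensive)}


# Constructed sample programs.
WELL_TYPED = [("push", INT, 2), ("push", INT, 3), ("add",), ("iszero",), ("not",)]
TYPE_CONFUSION = [("push", BOOL, 1), ("push", INT, 2), ("add",)]   # bool + int
UNDERFLOW = [("push", INT, 7), ("add",)]                           # one operand missing

if __name__ == "__main__":
    for name, prog in [("well typed", WELL_TYPED), ("type confusion", TYPE_CONFUSION), ("underflow", UNDERFLOW)]:
        print(name, compare(prog))
```

The point of routing all three machines through one `SPEC` table is the one the abstract makes: once the defensive machine's checks are written as a per-instruction signature, the offensive machine is the same table with the checks dropped and the verifier is the same table lifted to types, so the coincidence proof reduces to showing, instruction by instruction, that a type-level success guarantees the run-time check would have passed.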




Corresponding author

Correspondence to Gilles Barthe.


Cite this article

Barthe, G., Courtieu, P., Dufay, G. et al. Tool-Assisted Specification and Verification of Typed Low-Level Languages. J Autom Reasoning 35, 295–354 (2005). https://doi.org/10.1007/s10817-005-0084-6
