Verified lightweight bytecode verification

The Java Virtual Machine (JVM) comprises a typed assembly language, an abstract machine for executing it, and the so-called Bytecode Verifier (BV) for checking the welltypedness of JVM programs. Resource-bounded JVM implementations on smart cards do not provide bytecode verification because of the relatively high space and time consumption. They either do not allow dynamic loading of JVM code at all or rely on cryptographic methods to ensure that bytecode verification has taken place offcard. In order to allow on-card verification, Eva and Kristoffer Rose [21] proposed a (sparse) annotation of JVM code with types to enable a one-pass verification of welltypedness. Roughly speaking, this transforms a type reconstruction problem into a type checking problem, which is easier. More precisely, the type inference problem is a data flow analysis problem that requires an iterative solution, whereas the type checking problem merely needs a single pass to check consistency of the type annotations with the code. Based on these ideas we have extended an existing formalization of the JVM in Isabelle/HOL [18, 12]. Isabelle [16] is a generic theorem prover that can be instantiated with different object logics, and Isabelle/HOL [14], simply typed higher order logic, is the most widely used of these object logics. We will first describe the general idea of bytecode verification and its formalization in Isabelle/HOL. After that we explain how lightweight bytecode verification works, how we formalized it and proved it correct and complete. The full formalization is available on the web [13].