A Proof Carrying Code Framework for Inlined Reference Monitors in Java Bytecode

We propose a lightweight approach for certification of Java bytecode monitor inlining using proof-carrying code. The main purpose of such a framework is to enable development use of monitoring for quality assurance, while minimizing the runtime overhead of monitoring, minimizing the need for changes to the loadand runtime tcb, and eliminating the need for post-shipping code rewrites with the resulting loss of liability. Policies to be enforced are specified in the ConSpec policy specification language which, roughly, express regular sequences of method calls to some fixed API. Proofs are represented as Java class files augmented with logical assertion in Floyd/Hoare logic style: Assertions are associated to each program point as well as to method entry and (exceptional and normal) exit points using standard, JML-style preand post-conditions. Such a proof representation is adequate in our case, as all proofs generated in our framework can be recognized in time linear in the size of the associated program. The basic proof generation strategy is to compare the effects of an actual, untrusted, inliner, with the effects of a trusted “ghost” inliner which is never actually executed, but is nonetheless present for analysis purposes. At time of receiving a program with proof annotations, it is sufficient for the receiver to plug in its own trusted ghost inliner and check the resulting, given, verification conditions, to be sure inlining has been performed correctly, of the correct policy. We have proved correctness of the approach at the Java bytecode level. A prototype implementation has been produced. We finally report on an example based on a J2ME snake game with a simple two-state policy.