Proofing: Efficient SSA-based Java Verification

Verification is essential for assuring the integrity of a Java virtual machine when executing untrusted code. Existing verifiers decide whether or not a given bytecode program is safe. In contrast, we introduce the concept of proofing. Proofing does not change the semantics of programs that would have passed the original bytecode verifier. For programs that would have failed verification, our algorithm will either reject them, or transform them into programs (of unspecified semantics) that are guaranteed to be safe. During proofing, the original JVM code is transformed into an internal representation based on Static Single Assignment Form (SSA). We show that proofing without the SSA construction has linear complexity. Thus, SSA-based mobile-code frameworks can perform verification by using proofing, at the prize of an overhead that is only linear in the size of the program. Information and Computer Science University of California, Irvine Proofing: Efficient SSA-based Java Verification Andreas Gal, Christian W. Probst, and Michael Franz Department of Computer Science University of California, Irvine Irvine, CA, 92697 {gal, probst, franz}@uci.edu Abstract. Verification is essential for assuring the integrity of a Java virtual machine when executing untrusted code. Existing verifiers decide whether or not a given bytecode program is safe. In contrast, we introduce the concept of proofing. Proofing does not change the semantics of programs that would have passed the original bytecode verifier. For programs that would have failed verification, our algorithm will either reject them, or transform them into programs (of unspecified semantics) that are guaranteed to be safe. During proofing, the original JVM code is transformed into an internal representation based on Static Single Assignment Form (SSA). We show that proofing without the SSA construction has linear complexity. Thus, SSA-based mobile-code frameworks can perform verification by using proofing, at the prize of an overhead that is only linear in the size of the program. Verification is essential for assuring the integrity of a Java virtual machine when executing untrusted code. Existing verifiers decide whether or not a given bytecode program is safe. In contrast, we introduce the concept of proofing. Proofing does not change the semantics of programs that would have passed the original bytecode verifier. For programs that would have failed verification, our algorithm will either reject them, or transform them into programs (of unspecified semantics) that are guaranteed to be safe. During proofing, the original JVM code is transformed into an internal representation based on Static Single Assignment Form (SSA). We show that proofing without the SSA construction has linear complexity. Thus, SSA-based mobile-code frameworks can perform verification by using proofing, at the prize of an overhead that is only linear in the size of the program.