Platform Independent Timing of Java Virtual Machine Bytecode Instructions

The accurate measurement of the execution time of Java bytecode is one factor that is important in order to estimate the total execution time of a Java application running on a Java Virtual Machine. In this paper we document the difficulties and solutions for the accurate timing of Java bytecode. We also identify trends across the execution times recorded for all imperative Java bytecodes. These trends would suggest that knowing the execution times of a small subset of the Java bytecode instructions would be sufficient to model the execution times of the remainder. We first review a statistical approach for achieving high precision timing results for Java bytecode using low precision timers and then present a more suitable technique using homogeneous bytecode sequences for recording such information. We finally compare instruction execution times acquired using this platform independent technique against execution times recorded using the read time stamp counter assembly instruction. In particular our results show the existence of a strong linear correlation between both techniques.     

Java字节码的水印嵌入

通过Internet发布的Java程序正面临着严重的未授权使用，这是因为Java源代码被编译成可重用的class文件，而这些class文件很容易就被反编译成Java源文件。提出一种在Java的class文件中嵌入数字水印的技术，它可以有效地保证开发者对该程序的版权。该水印嵌入对程序的使用者来说是透明的，而对程序的开发者来说，可以轻易地找出未经授权的非法的程序使用。     

一种Java字节码优化框架

Soot是一种用于优化、审查Java字节码的独立工具,也是一个在字节码上开发优化和变换的框架。为指导用户在Soot上快速开展工作,该文总结Soot的主要数据结构、流程及优化框架的组织管理,并通过实例剖析Soot的工作流程和实现机制,简述了Soot的扩展方法及已有应用。     

A Space-Aware Bytecode Verifier for Java Cards

The bytecode verification is a key point of the security chain of the Java Platform. This feature is optional in many embedded devices since the memory requirements of the verification process are too high. In this paper we propose a verification algorithm that remarkably reduces the use of the memory by performing the verification during multiple specialized passes. The algorithm reduces the type encoding space by operating on different abstractions of the domain of types. The results of the experiments show that this bytecode verification can be performed directly on small memory systems.     

Bytecode fault injection for Java software

Developers using third party software components need to test them to satisfy quality requirements. In the past, researchers have proposed fault injection testing approaches in which the component state is perturbed and the resulting effects on the rest of the system are observed. Non-availability of source code in third-party components makes it harder to perform source code level fault injection. Even if Java decompilers are used, they do not work well with obfuscated bytecode. We propose a technique that injects faults in Java software by manipulating the bytecode. Existing test suites are assessed according to their ability to detect the injected faults and improved accordingly. We present a case study using an open source Java component that demonstrates the feasibility and effectiveness of our approach. We also evaluate the usability of our approach on obfuscated bytecode.     

A Type System for the Java Bytecode Language and Verifier

The Java Virtual Machine executes bytecode programs that may have been sent from other, possibly untrusted, locations on the network. Since the transmitted code may be written by a malicious party or corrupted during network transmission, the Java Virtual Machine contains a bytecode verifier to check the code for type errors before it is run. As illustrated by reported attacks on Java run-time systems, the verifier is essential for system security. However, no formal specification of the bytecode verifier exists in the Java Virtual Machine Specification published by Sun. In this paper, we develop such a specification in the form of a type system for a subset of the bytecode language. The subset includes classes, interfaces, constructors, methods, exceptions, and bytecode subroutines. We also present a type checking algorithm and prototype bytecode verifier implementation, and we conclude by discussing other applications of this work. For example, we show how to extend our formal system to check other program properties, such as the correct use of object locks. This revised version was published online in August 2006 with corrections to the Cover Date.     

Bytecode verification on Java smart cards

This article presents a novel approach to the problem of bytecode verification for Java Card applets. By relying on prior off‐card bytecode transformations, we simplify the bytecode verifier and reduce its memory requirements to the point where it can be embedded on a smart card, thus increasing significantly the security of post‐issuance downloading of applets on Java Cards. This article describes the on‐card verification algorithm and the off‐card code transformations, and evaluates experimentally their impact on applet code size. Copyright © 2002 John Wiley & Sons, Ltd.     

Java字节码的水印嵌入

通过Internet发布的Java程序正面临着严重的未授权使用。这是因为Java源代码被编译成可重用的class文件．这些class文件甚至很容易就被反编译成Java源文件。在本文中．我们提出一种在Java的class文件中嵌入数字水印的技术。通过在class文件中嵌入以数字水印形式存在的开发者的签名．可以有效的保证开发者对该程序的版权。我们的水印嵌入对程序的使用者来说是透明的，而对程序的开发者来说．可以轻易的找出未经授权的非法的程序使用。     

一种新的Java智能卡上字节码校验算法

Java智能卡上的字节码校验是保障Java卡安全的重要手段。但是,由于Java智能卡本身的空间和运算器的限制,传统的字节码校验算法无法在Java智能卡上实现。为了解决此问题,本文在分析了现有方法的特点和不足的基础上提出了一种基于有向分枝图和缓存策略的字节码校验算法。效率分析和实践表明,该算法是一种可以在Java智能卡上实现
现的高效算法。     

Experiments in Cost Analysis of Java Bytecode

Recently, we proposed a general framework for the cost analysis of Java bytecode which can be used for measuring resource usage. This analysis generates, at compile-time, cost relations which define the cost of programs as a function of their input data size. The purpose of this paper is to assess the practicality of such cost analysis by experimentally evaluating a prototype analyzer implemented in Ciao. With this aim, we approximate the computational complexity of a set of selected benchmarks, including both well-known algorithms which have been used to evaluate existing cost analyzers in other programming paradigms, and other benchmarks which illustrate object-oriented features. In our evaluation, we first study whether the generated cost relations can be automatically solved. Our experiments show that in some cases the inferred cost relations can be automatically solved by using the Mathematica system, whereas, in other cases, some prior manipulation is required for the equations to be solvable. Moreover, we experimentally evaluated the running time of the different phases of the analysis process. Overall, we believe our experiments show that the efficiency of our cost analysis is acceptable, and that the obtained cost relations are useful in practice since, at least in our experiments, it is possible to get a closed form solution.     

Java Bytecode Verification: Algorithms and Formalizations

Bytecode verification is a crucial security component for Java applets, on the Web and on embedded devices such as smart cards. This paper reviews the various bytecode verification algorithms that have been proposed, recasts them in a common framework of dataflow analysis, and surveys the use of proof assistants to specify bytecode verification and prove its correctness. This revised version was published online in August 2006 with corrections to the Cover Date.     

基于混合模式的Java卡字节码优化器

Java卡是一种基于Java语言的智能卡。因为智能卡的空间和处理器速度的约束,一个应用程序在Java卡上运行时面临的最大问题是存储空间的不足和对程序执行时间的严格限制。因此,对下载到卡中的字节码进行优化是十分必要的。本文提出了一种综合使用扩展指令集和分段压缩算法的Java卡字节码优化器的设计方案,通过对字节码文件的优化,可得到占用空间较少且没有降低执行速率的字节码文件。     

一种使用CFT的Java卡内字节码校验算法

Java卡字节码校验是构成Java卡安全体系结构的重要组成部分.而传统的Java卡字节码校验由于Java智能卡资源的限制,无法在卡内进行.本文通过对控制流程图和类型推导的分析,提出了基于控制流程树的Java卡卡外翻译过程和卡内校验器算法,详细描述了CFT迁移机理并对于基于CFT的Java卡内字节码校验算法和可行性进行了分析与实践.     

Java Bytecode Transformations for Efficient, Portable CPU Accounting

Resource management is essential to build reliable middleware and to host potentially untrusted software components. Resource accounting allows to study and optimize program performance and to charge users for the resource consumption of their deployed components, while resource control can limit the resource consumption of components in order to prevent denial-of-service attacks. In the approach presented here, program transformations enable resource management in Java-based environments, even though the underlying runtime system may not expose information concerning the resource consumption of applications. We present a fully portable program transformation scheme to enhance standard Java runtime systems with mechanisms for CPU management. We implemented several optimizations in order to reduce the overhead of our CPU accounting scheme. Detailed performance measurements quantify this overhead and show the impact of various optimizations.     

Towards Verification of Well-Formed Transactions in Java Card Bytecode

Using transactions in Java Card bytecode programs can be rather tricky and requires special attention from the programmer in order to work around some of the limitations imposed and to avoid introducing serious run-time errors due to inappropriate use of transactions.In this paper we present a novel analysis that combines control and data flow analysis with an analysis that tracks active transactions in a Java Card bytecode program. We formally prove the correctness of the analysis and show how it can be used to solve the above problem of guaranteeing that transactions in a Java Card bytecode program are well-formed and thus do not give rise to run-time errors.     

jContractor: Introducing Design-by-Contract to Java Using Reflective Bytecode Instrumentation

Design by Contract is a software engineering practice that allows semantic information to be added to a class or interface to precisely specify the conditions that are required for its correct operation. The basic constructs of Design by Contract are method preconditions and postconditions, and class invariants. This paper presents a detailed design and implementation overview of jContractor, a freely available tool that allows programmers to write “contracts' as standard Java methods following an intuitive naming convention. Preconditions, postconditions, and invariants can be associated with, or inherited by, any class or interface. jContractor performs on-the-fly bytecode instrumentation to detect violation of the contract specification during a program's execution. jContractor's bytecode engineering technique allows it to specify and check contracts even when source code is not available. jContractor is a pure Java library providing a rich set of syntactic constructs for expressing contracts without extending the Java language or runtime environment. These constructs include support for predicate logic expressions, and referencing entry values of attributes and return values of methods. Fine grain control over the level of monitoring is possible at runtime. Since contract methods are allowed to use unconstrained Java expressions, in addition to runtime verification they can perform additional runtime monitoring, logging, and analysis.     

BAT2XML: XML-based Java Bytecode Representation

The creation, transformation and analysis of bytecode is widespread. Nevertheless, several problems related to the reusability and comprehensibility of the results and tools exist. In particular, the results of tools for bytecode analysis are usually represented in proprietary tool dependent ways, which makes it hard to build more sophisticated analysis on top of the results generated by tools for lower-level analysis.Furthermore, intermediate results, such as e.g., the results of basic control flow and dataflow analysis, are usually not explicitly represented at all; though, required by many more sophisticated analysis. This lack of a common format, for the well structured representation of the (intermediate) results of code analysis, makes the creation of new tools or the integration of the results generated by different tools costly and ineffective.To solve the highlighted problems, we propose a higher-level XML-based representation of Java bytecode which is designed as a common platform for the creation and transformation of bytecode and explicitly enables the integration of arbitrary information generated by different tools for static code analysis.