java外文文献

ComputerCommunications23(2000)1594±1605*,M.DebbabiLSFMResearchGroup,DepartmentofComputerScience,LavalUniversity,SainteFoy,Que.,CanadaG1K7P4AbstractJavaisanidealplatformforimplementingmobilecodesystems,notonlybecauseofitsportabilitybutalsobecauseitisdesignedwithsecurityinmind.UntrustedJavaprogramscanbestaticallyanalyzedandvalidated.Theprogram'sbehavioristhenmonitoredtopreventpotentiallymaliciousoperations.StaticanalysisofuntrustedclassesiscarriedoutbyacomponentoftheJavavirtualmachinecalledtheveri®er.Themostcomplexpartoftheveri®cationprocessisthedata¯owanalysis,whichisperformedoneachmethodinordertoensuretype-safety.Thispaperclari®esindetailoneofthetrickyaspectsofthedata¯owanalysis:theveri®cationofobjectinitialization.Wepresentandexplaintherulesthatneedtobeenforcedandwethenshowhowveri®erimplementationscanenforcethem.Rulesforobjectcreationrequire,amongotherthings,thatuninitializedobjectsneverbeusedbeforetheyareinitialized.Constructorsmustproperlyinitializetheirthisargumentbeforetheyareallowedtoreturn.Thispaperalsodealswithinitializationfailures(indicatedbyexceptions):theobjectbeinginitializedmustbediscarded,andconstructorsmustpropagateinitializationfailures.q2000ElsevierScienceB.V.Allrightsreserved.Keywords:Javabytecode;Objectinitialization;Data¯owanalysis;staticanalysis;javasecurity1.IntroductionTheJavaarchitectureisparticularlywell-suitedforimplementingmobilecodesystems.Amobilecodearchi-tectureallowsacomputertofetchaprogram(orpartsofaprogram)fromanetworksourceandexecuteitlocally.However,securityisacriticalaspectofmobilecodearchi-tectures.Theveryessenceofmobilecodeistoexecuteaprogramthatoriginatesfromaremotesource.Thisisinher-entlydangerousbecauseitisnotknownwhatactionsthatprogramwilltake.Byexecutingthemobilecode,weareallowingittoperformoperationsonourmachineandwearegivingitaccesstoourlocalresources.Javaisespeciallywell-suitedforimplementingmobilecodesystemsforthreereasons:²Javasourceiscompiledintoaplatform-independentintermediateformcalledJavabytecode.Javabyte-codeistheninterpretedbytheJVM(Javavirtualmachine).ThismakesJavabytecodecompletelyportable,whichmeansapieceofJavacodeincompiledformshouldrunonanyreceivingmachine.qTheresearchreportedinthispaperhasbeensupportedbytheNationalScienceandEngineeringResearchCouncil(NSERC),theFondspourlaformationdechercheursetl'aideaÁlarecherche(FCAR),andtheDefenseResearchEstablishmentValcartier(DREV),DepartmentofNationalDefense.*Correspondingauthor.Tel.:_1-41-8656-7035;fax:_1-41-8656-2324.E-mailaddress:doyon@ift.ulaval.ca(S.Doyon).²Itisdynamicallylinked:theJVMwillloadclassesfromdifferentnetworksourcesastheyareneededandwilllinkthemintotheprogramwhileitruns.²TheJavaarchitectureisbuiltwithsecurityinmind:itsdesignmakesitpossibletoenforcesuf®cientsecuritytomakemobilecodesafeandpractical.Currently,themostpopularmanifestationofJavamobilecodeisapplets.AJVM(bytecodeinterpreter)isincor-poratedinwebbrowsers.Webpagescanthenincludelinksthatpointtothecompiled(bytecode)formofprogramswhicharecalledapplets.Theappletcanthenbeloadedbythebrowserandexecutedlocallywithnospecialeffortontheuser'spart.Theveri®erisakeycomponentoftheJavasecurityarchi-tecture.ItsroleistoexaminecompiledclassesastheyareloadedintotheJVMinordertoensurethattheyarewell-formedandvalid.Itchecksthatthecoderespectsthesyntaxofthebytecodelanguageandthatitrespectsthelanguagerules.AnothercomponentoftheJavasecurityarchitecture,calledthesecuritymanager,monitorsaccesstosystemresourcesandservices.Thesecuritymanagerisasecuritylayer,whichgoesontopoftheveri®erandreliesonitseffectiveness.Themostcomplexstepoftheveri®cationprocessperformedbytheveri®errequiresrunningadata¯owanaly-sisonthebodyofeachmethod.Thereareafewparticularlytrickyissuesregardingthedata¯owanalysis.Inthispaper,wefocusontheissuesrelatingtotheinitializationof0140-3664/00/$-seefrontmatterq2000ElsevierScienceB.V.Allrightsreserved.PII:S0140-3664(00)00245-0S.Doyon,M.Debbabi/ComputerCommunications23(2000)1594±16051595newobjects:²Issuesrelatingtoobjectcreation:Anewobjectiscreatedintwosteps:spaceisallocatedforthenewobject,andthenitisinitialized.Whenperformingthedata¯owanalysis,theveri®ermustensurethatcertainrulesarerespected:theconstructorusedtoinitializeanobjectmustbeappropriate,anobjectmustnotbeusedbeforeitisinitialized,anobjectmustnotbeinitializedmorethanonceandinitializationfailures(indicatedbyexceptions)mustbehandledproperly.²Issuesrelatingtoconstructors:Theconstructorisrespon-sibleforinitializinganewobject.The®rstpartoftheconstructor'sworkperformsinitializationfromatypingpointofview,whichimpliesdirectlyorindirectlycallingaconstructorfromthesuperclass.Therestoftheconstructorperformsapplication-speci®cinitialization.Theveri®ermustensurethataconstructorproperlyiniti-alizesthecurrentobjectbeforeitreturns,thatitdoesnotusethecurrentobjectinanywaybeforecallingthesuper-classconstructorandthatitpropagatesanyinitializationfailureoccurringinthesuperclassconstructor.TheOf®cialdocumentationontheveri®er,providedin(Ref.