Information about http://www.ics.uci.edu/~franz/Site/pubs-pdf/C23.pdf

Enhancing Class Files: A Migration Path to Better Mobile-Code…

Pages: 2
Language: english
Created: Sat Apr 20 20:56:20 2002
Enhancing Class Files: A Migration Path to Better Mobile-Code Representations

                                                   Michael Franz
                                           University of California, Irvine
                                                   franz@uci.edu


©2002, Michael Franz

Abstract

Despite its apparent flaws, the Java Virtual Machine's bytecode format ("Java bytecode") is the established standard for distributing mobile programs across the Internet. Any proposal for an alternative better mobile-code format appears doomed from the start in light of the vast amount of already existing Java bytecode.

Somewhat surprisingly then, we are building a system in which Java bytecode is supplanted by an "enhanced" alternative representation, in a manner that is completely invisible to the end-user. The substitution occurs at the web server and is provided as a value-added service. When communicating with an enhanced client computer, the enhancement-aware server will send it an enhanced class file rather than a standard Java bytecode file. Enhanced clients, on the other hand, can process both kinds of class file, but will perform better using the enhanced version. Enhanced class files are generated from standard Java bytecode as an off-line process at the server.

1. Introduction

Java bytecode has become the de facto standard for transporting mobile code across the Internet. However, it is generally acknowledged that Java bytecode is far from being an ideal mobile code representation--a considerable amount of preprocessing is required to convert Java bytecode into a representation more amenable to an optimizing compiler, and in a dynamic compilation context this preprocessing takes place while the user is waiting.

Further, due to the need to verify the code's safety upon arrival at the target machine, and also due to the specific semantics of the Java Virtual Machine's particular security scheme, many possible optimizations cannot be performed safely in the source-to-Java bytecode compiler, but can only be done at the eventual target machine.

For example, information about the redundancy of a type check may often be present in the front-end (because the compiler can prove that the value in question is of the correct type on every path leading to the check), but this fact cannot be communicated safely in the Java bytecode stream and hence needs to be re-discovered in the just-in-time compiler. By "communicated safely", we mean in such a way that a malicious third party cannot construct a mobile program that falsely claims that such a check is redundant.

As a consequence, when Java bytecode is transmitted to another site, each recipient must repeat most of the analyses and optimizations that could have been performed just once at the origin if a better alternative mobile-code representation had been used instead.

In previous work, we have identified several such alternative mobile code representations [1, 2, 3]. These alternatives overcome many of the limitations of the Java bytecode language. Moreover, while providing the identical security guarantees as the Java Virtual Machine, they express most of them statically as a well-formedness property of the respective encoding itself. This eliminates the need for an expensive dataflow analysis at the code recipient's site, greatly reducing the effort required for code verification.

That leaves the question how one would go about replacing the existing Java bytecode on the Internet with one of these superior formats--considering how much Java bytecode is actually out there, one would think this to be an unrealistic proposition. Surprisingly, it is precisely this problem that we present a solution to.

2. Architecture

Figure 1. Flow of class files through the system
(Diagram not reproduced. Labels: Code Producer, Java Class File, Internet, Enhancement-Aware Web Server, Enhancer, Enhanced Class File, JVM Client, Enhanced Client; flows numbered 1 to 4.)

In our architecture (Figure 1), class files containing ordinary Java bytecode and "enhanced" class files containing a more advanced intermediate representation coexist side-by-side. "Enhancement" is offered as a value-added service by certain web servers in this system,
the beneficiaries are certain "enhanced" clients. One could imagine a situation in which a vendor equips all the workstations on a customer's intranet with enhanced client software while installing an "enhancer" at the central server. This would boost performance of day-to-day operations within the corporate intranet, while coincidently also benefiting any external enhanced clients of the server that might exist additionally, as well as any transactions of internal clients with external enhanced servers.

Several flows of class files are identified in Figure 1: all class files originate in the standard Java bytecode format and are placed on a server for hosting (1). Some of the hosting servers will provide an enhancer that will input an ordinary Java bytecode file (2) and generate an enhanced class file from it (3). Client computers negotiate with every server they connect to; if an enhancement-aware server detects an enhanced client, it will send it an enhanced class file if one is available; otherwise, it will send the standard Java bytecode file (4).

An enhanced client, on the other hand, can process both regular Java bytecode files as well as enhanced class files (Figure 2). This enables it to communicate with all servers on the Internet. If it is communicating with an enhancement-unaware web server, or if no enhanced class file is available on an enhancement-aware server, then it will fall back onto the classic Java bytecode format. If an enhanced class file is available, then it will be used instead, resulting in a higher level of performance.

Figure 2. Enhanced clients can run both ordinary JVM class files as well as enhanced class files
(Diagram not reproduced. Labels: Regular Web Server, Java Class File, Internet, Enhancement-Aware Web Server, Enhanced Class File, Enhanced Client.)

In our prototype implementation [4] of an enhanced client, we augmented an existing dynamically optimizing Java virtual machine with the necessary extensions enabling it to also process enhanced class files in our own SafeTSA mobile-code format [2]. In our implementation, the two formats actually share the identical low-level code generator that translates from a low-level intermediate representation (LIR) to the final native instruction stream, resulting in comparable final code quality for the two formats when compilation time is unbounded.

The key point, however, is that compilation time in dynamic-compilation environments is hardly ever unbounded. In this situation, the enhanced class file format has a substantial advantage, because fewer steps and less complex operations are needed (Figure 3) to verify and preprocess it into the LIR (a variant of Static Single Assignment Form in this case). The time that has thus been saved (essentially by performing analyses at the code producer's site and transmitting the results within the enhanced mobile-code format in a tamper-proof manner) can then be expended on high-quality code optimization.

Figure 3. Enhanced class files require significantly reduced effort for verification and code generation; when compilation time is constrained, this means that better code can be generated in equal available time
(Diagram not reproduced. Java Class File path: verify (complex), "lift" bytecode to HIR, optimize HIR, "lower" HIR to LIR, optimize LIR, select native instructions, Executable Code. Enhanced Class File path: verify (simple), transpose into LIR.)

Acknowledgement

The mobile-code research described here is a joint effort of a large research group, incorporating contributions from Wolfram Amme, Matthew Beers, Niall Dalton, Michael Franz, Peter H. Fröhlich, Vivek Haldar, Peter S. Housel, Chandra Krintz, Jeffery v. Ronne, Christian H. Stork, Ning Wang, and Sergiy Zhenochin.

Parts of this effort are sponsored by the National Science Foundation under grant CCR-9901689, and by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-99-1-0536.

References

[1] W. Amme, N. Dalton, P. Fröhlich, V. Haldar, P. S. Housel, J. v. Ronne, Ch. H. Stork, S. Zhenochin, and M. Franz. "Project transPROse: Reconciling Mobile-Code Security With Execution Efficiency", in The Second DARPA Information Survivability Conference and Exposition (DISCEX II), Anaheim, California, June 2001.

[2] W. Amme, N. Dalton, J. v. Ronne, and M. Franz, "SafeTSA: A Type Safe and Referentially Secure Mobile-Code Representation Based on Static Single Assignment Form", in Proceedings of the 2001 ACM Sigplan Conference on Programming Language Design and Implementation (PLDI 2001), Snowbird, Utah, June 2001.

[3] Ch. H. Stork, V. Haldar, M. Beers, and M. Franz, Tamper-Proof Annotations, By Construction, Technical Report 02-10, Department of Information and Computer Science, University of California, Irvine, March 2002.

[4] W. Amme, J. v. Ronne, and M. Franz, Using the SafeTSA Representation to Boost the Performance of an Existing Java Virtual Machine, Technical Report 06/02, Lehrstuhl Softwaretechnik, Institut für Informatik, Friedrich-Schiller-Universität Jena, Germany, March 2002.
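
The Introduction's argument, that a "this type check is redundant" claim cannot be trusted inside a bytecode stream but can be turned into a well-formedness property of the encoding, shown as an added toy model (not code from the paper, and neither Java bytecode nor the SafeTSA format). The functions `run_flagged` and `run_planes`, the instruction tuples and the per-type register planes are assumptions made for this illustration.

```python
# Added illustration: toy models only, not Java bytecode and not the SafeTSA encoding.
class CheckFailed(Exception): pass    # a dynamic type check rejected the value
class Malformed(Exception): pass      # the decoder rejected the program itself

def run_flagged(program, trust_flag):
    """Flat register file; each use carries a producer-supplied 'check elided' flag."""
    regs, checks = [], 0
    for ins in program:
        if ins[0] == "const":                    # ("const", value)
            regs.append(ins[1])
        elif ins[0] == "upper":                  # ("upper", reg, check_elided)
            _, r, elided = ins
            if not (trust_flag and elided):      # recipient redoes the check itself
                checks += 1
                if not isinstance(regs[r], str):
                    raise CheckFailed(r)
            regs.append(str.upper(regs[r]))      # TypeError here models type confusion
    return regs[-1], checks

def ref(planes, plane, i):
    """Operand decoding: an index is only meaningful inside one type's plane."""
    if not 0 <= i < len(planes[plane]):
        raise Malformed((plane, i))
    return planes[plane][i]

def run_planes(program):
    """One register plane per type; 'upper' can only name values in the str plane."""
    planes, checks = {"obj": [], "str": []}, 0
    for ins in program:
        if ins[0] == "const":                    # ("const", value) -> obj plane
            planes["obj"].append(ins[1])
        elif ins[0] == "cast_str":               # ("cast_str", obj_index): the only check
            checks += 1
            v = ref(planes, "obj", ins[1])
            if not isinstance(v, str):
                raise CheckFailed(ins[1])
            planes["str"].append(v)
        elif ins[0] == "upper":                  # ("upper", str_index): no check needed
            planes["str"].append(ref(planes, "str", ins[1]).upper())
    return planes["str"][-1], checks

# Constructed sample programs.
HONEST_FLAGGED = [("const", "abc"), ("upper", 0, False), ("upper", 0, True)]
FORGED_FLAGGED = [("const", 42), ("upper", 0, True)]      # false "redundant" claim
HONEST_PLANES = [("const", "abc"), ("cast_str", 0), ("upper", 0), ("upper", 0)]
FORGED_PLANES = [("const", 42), ("upper", 0)]             # the claim cannot be encoded

if __name__ == "__main__":
    print(run_flagged(HONEST_FLAGGED, trust_flag=False))  # recipient repeats both checks
    print(run_planes(HONEST_PLANES))                      # one check, made once
```

In the plane model the forged program is rejected by an index bounds test alone, whereas the flagged model leaves the recipient to either repeat every check or accept type confusion.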