===Bytecode verifier===
A basic philosophy of Java is that it is inherently safe from the standpoint that no user program can crash the host machine or otherwise interfere inappropriately with other operations on the host machine, and that it is possible to protect certain methods and data structures belonging to trusted code from access or corruption by untrusted code executing within the same JVM. Furthermore, common programmer errors that often led to data corruption or unpredictable behavior, such as accessing off the end of an array or using an uninitialized pointer, are not allowed to occur. Several features of Java combine to provide this safety, including the class model, the garbage-collected [[#Heap|heap]], and the verifier.

The JVM verifies all bytecode before it is executed. This verification consists primarily of three types of checks:
* Branches are always to valid locations
* Data is always initialized and references are always type-safe
* Access to private or package-private data and methods is rigidly controlled

The first two of these checks take place primarily during the verification step that occurs when a class is loaded and made eligible for use. The third is primarily performed dynamically, when data items or methods of a class are first accessed by another class. The verifier permits only some bytecode sequences in valid programs, e.g. a [[branch (computer science)|jump (branch) instruction]] can only target an instruction within the same [[method (computer programming)|method]].
Furthermore, the verifier ensures that any given instruction operates on a fixed stack location,<ref>{{cite web |title=The Verification process |url=http://java.sun.com/docs/books/jvms/second_edition/html/ClassFile.doc.html#9766 |work=The Java Virtual Machine Specification |publisher=Sun Microsystems |year=1999 |access-date=2009-05-31 |archive-date=2011-03-21 |archive-url=https://web.archive.org/web/20110321165204/http://java.sun.com/docs/books/jvms/second_edition/html/ClassFile.doc.html#9766 |url-status=live }}</ref> allowing the JIT compiler to transform stack accesses into fixed register accesses. Because of this, the fact that the JVM is a stack architecture does not imply a speed penalty for emulation on [[register machine|register-based architectures]] when using a JIT compiler. Given the code-verified JVM architecture, it makes no difference to a JIT compiler whether it is given named imaginary registers or imaginary stack positions that must be allocated to the target architecture's registers. In fact, code verification makes the JVM different from a classic stack architecture, for which efficient emulation with a JIT compiler is more complicated, so execution is typically carried out by a slower interpreter.
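The three checks listed above and the fixed-stack-shape property are what a data-flow pass over the method computes. The following is an added example, not text from the article nor code from HotSpot: a toy Python model of such a pass over a five-opcode subset. It assumes a simplified type system (tags for int and reference only, and exact equality of the state at merge points instead of the JVM's type merging) and uses constructed sample methods.

```python
# Toy model of the JVM verifier's data-flow pass (added example, not HotSpot's code).
# Type tags: "I" = int, "A" = reference, None = local not yet written on this path.
class VerifyError(Exception): pass

def _step(instr, stack, locs, pc):
    """Abstractly execute one instruction on type tags; return the successor pcs."""
    op = instr[0]
    def pop(expect):
        if not stack or stack.pop() != expect:
            raise VerifyError(f"pc {pc}: {op} needs {expect} on the operand stack")
    if op == "iconst": stack.append("I")
    elif op == "aconst_null": stack.append("A")
    elif op == "iload":  # reading a local that no path has written is rejected
        if locs[instr[1]] != "I":
            raise VerifyError(f"pc {pc}: local {instr[1]} is not an initialized int")
        stack.append("I")
    elif op == "istore": pop("I"); locs[instr[1]] = "I"
    elif op == "ifeq": pop("I"); return [pc + 1, instr[1]]  # fall-through and branch target
    elif op == "ireturn": pop("I"); return []
    else: raise VerifyError(f"pc {pc}: unknown opcode {op}")
    return [pc + 1]

def verify(code, max_locals):
    """Worklist pass: every reachable pc gets exactly one (stack, locals) shape, else reject."""
    states = {0: ((), (None,) * max_locals)}
    work = [0]
    while work:
        pc = work.pop()
        stack, locs = list(states[pc][0]), list(states[pc][1])
        for succ in _step(code[pc], stack, locs, pc):
            if not 0 <= succ < len(code):  # branches and fall-through must stay inside the method
                raise VerifyError(f"pc {pc}: target {succ} is outside the method")
            new = (tuple(stack), tuple(locs))
            if succ not in states:
                states[succ] = new; work.append(succ)
            elif states[succ] != new:  # same instruction reached with a different stack/locals shape
                raise VerifyError(f"pc {succ}: inconsistent stack or locals on incoming paths")
    return states  # pc -> (stack, locals); a JIT can map each stack slot to a fixed register

def check(code, max_locals=1):
    try:
        verify(code, max_locals); return "ok"
    except VerifyError as e:
        return str(e)

# Constructed sample methods: one valid, four that the verifier must reject.
GOOD = [("iconst", 5), ("istore", 0), ("iload", 0), ("ifeq", 6), ("iload", 0), ("ireturn",), ("iconst", 0), ("ireturn",)]
BAD_BRANCH = [("iconst", 1), ("ifeq", 9), ("iconst", 0), ("ireturn",)]    # jump outside the method
BAD_UNINIT = [("iload", 0), ("ireturn",)]                                 # local 0 never written
BAD_MERGE = [("iconst", 1), ("ifeq", 3), ("iconst", 7), ("iconst", 2), ("ireturn",)]  # pc 3: depth 0 vs 1
BAD_TYPE = [("aconst_null",), ("ireturn",)]                                # returns a reference as an int
```

The returned `states` map is the "fixed stack location" property in miniature: each pc has one stack shape, so a JIT can assign every slot a register once.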
Additionally, the interpreter used by the default JVM, HotSpot, is a special type known as a template interpreter, which translates bytecode directly to native, register-based machine code rather than emulating a stack as a typical interpreter would.<ref>{{Cite web |url=https://openjdk.java.net/groups/hotspot/docs/RuntimeOverview.html#Interpreter |title=HotSpot Runtime Overview - Interpreter|website=OpenJDK|access-date=2021-05-24 |archive-date=2022-05-21 |archive-url=https://web.archive.org/web/20220521024017/https://openjdk.java.net/groups/hotspot/docs/RuntimeOverview.html#Interpreter |url-status=live }}</ref> In many respects the HotSpot interpreter can be considered a JIT compiler rather than a true interpreter, meaning that the stack architecture targeted by the bytecode is not actually used in the implementation, but is merely a specification for the intermediate representation, one that can equally well be implemented on a register-based architecture. Another instance of a stack architecture that is merely a specification and is implemented by a register-based virtual machine is the [[Common Language Runtime]].<ref>{{Cite web|url=https://github.com/dotnet/runtime/issues/4775|title=Why not make CLR register-based? · Issue #4775 · dotnet/runtime|website=GitHub|access-date=2021-05-24|archive-date=2023-04-20|archive-url=https://web.archive.org/web/20230420122729/https://github.com/dotnet/runtime/issues/4775|url-status=live}}</ref>

The original specification for the bytecode verifier used natural language that was incomplete or incorrect in some respects. A number of attempts have been made to specify the JVM as a formal system. By doing this, the security of current JVM implementations can be analyzed more thoroughly, and potential security exploits prevented.
It will also be possible to optimize the JVM by skipping unnecessary safety checks if the application being run is proven to be safe.<ref>{{Cite book |doi=10.1145/320384.320397|chapter=A formal framework for the Java bytecode language and verifier|title=Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications - OOPSLA '99|pages=147–166|year=1999|last1=Freund|first1=Stephen N.|last2=Mitchell|first2=John C.|isbn=978-1581132380|citeseerx=10.1.1.2.4663|s2cid=14302964}}</ref>

====Secure execution of remote code====
A virtual machine architecture allows very fine-grained control over the actions that code within the machine is permitted to take. It assumes the code is "semantically" correct, that is, that it has successfully passed the (formal) bytecode verification process, which is implemented by a tool that may run outside the virtual machine. This is designed to allow safe execution of untrusted code from remote sources, a model used by [[Java applet]]s and other secure code downloads. Once bytecode-verified, the downloaded code runs in a restricted "[[sandbox (computer security)|sandbox]]", which is designed to protect the user from misbehaving or malicious code. In addition to the bytecode verification process, publishers can purchase a certificate with which to [[digital signature|digitally sign]] applets as safe, giving them permission to ask the user to let them break out of the sandbox and access the local file system or [[clipboard (software)|clipboard]], execute external software, or use the network.
Formal proofs of bytecode verifiers have been carried out by the Java Card industry (Formal Development of an Embedded Verifier for Java Card Byte Code<ref>{{cite web|last1=Casset|first1=Ludovic|last2=Burdy|first2=Lilian|last3=Requet|first3=Antoine|date=10 April 2002|title=Formal Development of an Embedded Verifier for Java Card Byte Code|website=Inria - National Institute for Research in Digital Science and Technology at [[Côte d'Azur University#National_research_organizations|Côte d'Azur University]]|url-status=live|archive-date=3 October 2022|url=http://www-sop.inria.fr/everest/Lilian.Burdy/CBR02dsn.pdf|archive-url=https://web.archive.org/web/20221003184410/http://www-sop.inria.fr/everest/Lilian.Burdy/CBR02dsn.pdf}}</ref>).