Research on On-card Bytecode Verifier for Java Cards

Transcription

1 502 JOURNAL OF COMPUTERS, VOL. 4, NO. 6, JUNE 2009 Research on On-card Bytecode Veriier or Java Cards Tongyang Wang, Pengei Yu, Jun-jun Wu and Xin-long Ma Institute o Inormation & System Technology,Huazhong Univ. o Sci & Tech.,Wuhan , China yup@vip.qq.com Abstract The bytecode veriication is a key point o the security chain o the Java Platorm. This eature is optional in many embedded devices since the memory requirements o the veriication process and the process capability o hardware are too high. In this paper we propose a veriier that utilizes the logical low graph based cache policy and an improved non stressing type coding method, or the bytecode veriication on the Java card, which remarkably reduces the use o the memory by the scheduling algorithm o the bytecode veriier. O-card pre-processing is unnecessary or the bytecode, hence it is possible to be implemented on card and to prevent any bytecode, which is correct yet not pre-processed, rom being reused by the oncard veriier. This algorithm also eatures strong transportability and easibility with a perect veriication process based on traditional bytecode veriication. The results o the experiments show that this bytecode veriication can be perormed directly on small memory systems. Index Terms java card, bytecode veriication, type deduction, cache scheduling policy I. INTRODUCTION The Java programming language was born in the early 90s in order to meet lexible and highly reliable smart electronic device programming requirements. It is used in a growing number o ields and lately also in the embedded system world. Actually, a Java Card is a Smart Card running a Java Virtual Machine (VM), the Java Card Virtual Machine (JCVM), and it is going to become a secure token in various ields, such as banking and public administration. The JCVM is the core o the Java Card: it is a sotware CPU with a stack based architecture that creates an execution environment between the device and the programs (Java Card Applets). The JCVM guarantees hardware-independence and enorces the security constraints o the sandbox model. In particular, the Java bytecode Veriier is one o the key components o the sandbox model: the Java Card Applets are compiled in a standardized compact code called Java Card bytecode and the Veriier checks the correctness o the code beore it is executed on the JCVM. As Java is a good trans-platorm language, it is easy to download Java applet rom internet to personal computers, and the Java card architecture [1] even allows users to download the applet, once released, to a smart card. However, we have to ace some security problems while enjoying this acility. For example, is the code downloaded online sae? Is there any malicious code attempting to alsiy or even destroy the original applets? What measures should be taken to ensure the applet security? These are some o the outstanding security problems, especially or the smart card, which is widely used in payment, mobile communication and the veriication system, where security requirements are very crucial. To combat the security risks associated with mobile code, Sun has developed a security model or Java in which a central role is played by bytecode veriication, which ensures that no malicious programs are executed by a Java Virtual Machine (JVM). Bytecode veriication takes place when loading a Java class ile and the process veriies that the loaded bytecode program has certain properties that the interpreter s security builds upon. The essential, and nontrivial, part o bytecode veriication is checking type-saety properties o the bytecode, that is, that operands are always applied to arguments o the appropriate type and that there can be no stack overlows or underlows. By checking these properties statically prior to execution, the JVM can saely omit the corresponding runtime checks. In Java language, a model named sandbox [3] is used to solve the security problems or the operational environment o the Java program. The security o the sandbox model relies on the ollowing three aspects: Firstly, the application is not compiled directly into an executable code but a virtual machine-oriented named bytecode. The operation o the virtual machine or data processing is better than the low level hardware processing operation, or example, substituting a memory address with an object, and thus ensuring the basic security. Secondly, a series o well designed and encapsulated API types and methods are required by the application to access hardware, and the old methods, or example, direct hardware access through a serial port, are prohibited. Thirdly, the bytecode o the application undergoes a static analysis called bytecode veriication to ensure the security o the bytecode. Bytecode veriication aims to veriy the downloaded bytecode. Any problems occurring

2 JOURNAL OF COMPUTERS, VOL. 4, NO. 6, JUNE in the veriication, such as mismatch type, are likely to incur hidden trouble or the security. The above sandbox model can be applied to Java card as well. Beore the applet is downloaded as bytecode, to smart card, it was veriied by the o-card veriier. This veriication method is based on the data type analysis and data overlow analysis during the operation. Bytecode veriication can be perormed o-card or oncard. However, because o the strong memory constraints o the Java Cards, the bytecode veriication is uneasible directly on-card in its standard orm. The bytecode, generated by Java program and veriied by an o-card bytecode veriier, is available in such an open environment as the internet, or users to download. However, the bytecode in this open environment is unreliable because o human alsiication and other actors. A veriication task which is not happened in the real Java card progress is thereore necessary to ensure the security ater the bytecode is downloaded. It can be seen that bytecode veriication plays a critical part in the security o Java card. The problem resulted rom the unreliable environment can be surmounted, i the bytecode veriier is transerred rom o-card to oncard. Subsequently the security o the Java card will be improved deinitely. However, it is very diicult to implement this veriication process on Java card due to the limitation o the smart card itsel. Figure 1 shows the utopian process o Java bytecode veriication. Ater the on-card veriier is inserted into the whole process, the o-card veriier can be kept or removed rom the schema according to the concrete veriication algorithm. O-card processing javac Java Compiler On-card veriier Class ile Veriied applet CAP converter JVM Bytecode Untrusted Applet installer CAP ile On-card processing O-card veriier Veriied Non-deensive CAP ile VM Figure 1. Utopian bytecode veriication schema. II. RELATED WORKS A. Bytecode Veriier rom SUN It is necessary to review the traditional method o standard veriication, as it was irstly implemented by SUN. This traditional bytecode veriier is based on a stack structure, where all the relevant local variables are stored. The traditional Java card veriication interprets each method constituting the applet in an abstract way, aiming to check the control low and data low statistically so that they will not cause any error, or example, overlow or underlow o the stack, incorrect type o variable etc. This algorithm is called type deduction, which is described in Leroy s paper [3] in detail. The algorithm o traditional bytecode veriication, launched by Sun and developed by Gosling and Yellin, can be roughly described as ollows. The veriier consists o a group o type stacks and a corresponding group o local variable arrays. When processing linear codes (without any branch or exceptional processing), the veriier will process each instruction in order. That is, it checks whether the entry is suicient or or match each instruction. While processing codes with branches, it respectively takes olks and joins into account, and employs a data structure called dictionary, which consists o the stacks and local variable types o each corresponding branch or exceptional processing program point. When a branch instruction is analyzed, the branch type stored in the corresponding dictionary must be changed. That is, it is decided by the previous type in the dictionary and the Least Upper Bound, LUB or short, deducted rom this instruction. Once the dictionary entry is changed, the corresponding instruction and the succeeding ones must be reanalyzed until a proper status is achieved. It can be calculated that the time complexity o this algorithm is O(S4), where S stands or the number o instructions o the veriied program, and the space complexity is (3S+3N +3) B, where S stands or the maximum stack space, N or the number o local variables in the method, and B or the number o dierent branches, given 3 bytes are needed to store each type. B. Resource Limitation From the above analysis o the traditional algorithm, it can be concluded that the Java Card Virtual Machine (JCVM) will mainly ace the problem o limitation on the resource, which includes two aspects, namely hardware stress and limited memory space, when we attempt to transer the o-card veriier to an on-card one. On a typical Java card, the RAM space is about 3k-6k, the EEPROM space about 16k-256k, and the CPU 16 or 32 bits. Based on the above discussed space complexity (3S + 3N + 3) B or the algorithm o traditional bytecode veriication, about 3150 bytes are needed or the to-bestored dictionary structure in order to process a moderately complicate bytecode veriication, given S = 5, N = 15, and B = 50. For the present Java card, it is impossible to allocate so many memory space o RAM to support the implementation o this algorithm. In addition, linear increase o the number o branches B in the program will probably lead to linear or even exponential rise on the memory space o dictionary in the algorithm, almost making the bytecode veriication on Java card an impossible task. I the dictionary structure is stored in nonvolatile memory (NVM), such as EEPROM or FLASH, the bytecode veriication will become very slow as it takes too long time (1-10ms) to write data into NVM. Besides, there are limited times or reading and writing o this kind o memory. The typical endurance o NVM is around 300,000, which can not meet the requirements or requent dictionary operations.

3 504 JOURNAL OF COMPUTERS, VOL. 4, NO. 6, JUNE 2009 All the above mentioned problems make it impossible to successully implement this kind o traditional bytecode veriication on Java card without any modiication to it. C. On-card Solutions Review To solve the problems above, many researchers have made great eorts in the bytecode veriication on Java card, as summarized below. A Digital Signature method [3] uses the digital signature o a trusted third party, thus omitting the bytecode veriication process on Java card. Though not relating to the narrowly deined veriication, this method does not apply to those cases, where there is no trusted third party, or example, an oline one. Lightweight algorithm [5] processes all branches at the o-card stage o veriication, and puts additional inormation into the bytecode. Then the instruction processed at the on-card stage o veriication will become a linear one, because there is no branch, thus reducing the RAM space required by the veriier. However, the volume o bytecode will greatly increase (approximately by 50%) due to the additional inormation attached at o-card stage. Xavier Leroy [4] attempts to make semantic translation at the o-card stage o veriication, so as to uniy all instructions. While veriying the data structure, keep the stacks empty both in the beginning and at the end o processing, thus lowering the space complexity. This algorithm contains less additional inormation than the lightweight algorithm [5] (by approximately 2%). However, this algorithm can not check the initialization o local variables dynamically. Cinzia Bernardeschi [10] described a dynamic algorithm, which processes all branches in the control low graph o the program, and deletes data in the stack ater processing a branch structure beore analyzing the ollowing one. The maximum space complexity o this algorithm depends on the veriication unit with the most branches in the program. PCC method [9] uses NVM to store the data structures corresponding to the bytecode veriication, and this method proves to be practical in experiment. However, it takes much more time than the traditional algorithm as the writing operation o NVM is much slower than that o RAM, though this method does not present any problem with the storage space. An improved PCC method [2] diers rom PCC in that a sot cache severs to try to put the bytecode veriication into RAM, thus saving more time by the virtue o the quick speed o accessing RAM. But no reasonable cache scheduling algorithm is proposed in this method. III. LOGICAL FLOW GRAPH BASED BYTECODE VERIFIER In response to the above-mentioned problems, this article presents a veriier based on the Logical Flow Graph (LFG), together with a corresponding cache scheduling algorithm. The LFG based bytecode veriier proposed in this article is to use NVM as the main memory, storing data types and relevant dictionary, and at the same time employs a part o RAM space as the cache. To solve the problem that it takes long time or NVM to complete writing or erasing operation, this veriier adopts an improved non stressing type encoding method and provides a corresponding cache scheduling policy. In this way, it is possible to build an on-card veriier to execute bytecode veriication. A. Improvement on Non Stressing Type Encoding With the consideration on the perormance o NVM on smart card, this article attempts to improve the non stressing type encoding method proposed by Damien [2], and applies it in our proposed on-card veriier. In traditional bytecode veriication, the data structure o dictionary occupies a very large storage space in the whole veriication process. To ease the space stress, we suggest storing this data structure in NVM. Since it takes quite long time or NVM to complete reading and erasing/writing, it is necessary to minimize the data processing in cache. As the whole process o bytecode veriication is type deduction, when processing complex branches, or example, when two branches converge on one instruction node, LUB can be available through a type comparison ( and logic) between the corresponding types on the two branches. In terms o hardware, this type comparison shows that this processing process involves a large volume o data storage processing via cache, and it also relates to the operation o and logic, which will slow down the whole bytecode veriication. Top int[ ] int 0001 loat[ ] Object 0010 D C loat 0100 E Object[ ] C[ ] D[ ] E[ ] NULL Figure 2. Improved non stressing type encoding The non stressing encoding proposed by Damien sets type encoding according to the type lattice, so that each type corresponds to a group o Boolean data. Since it takes less time or NVM to complete the writing operation than the erasing operation, we can change a certain bit position rom 0 to 1 when several types are combined as one in the lattice, thus obtaining an improved encoding mode. With characteristics o the above mentioned encoding mode taken into account, we represent encoding o dierent levels with Boolean data o dierent lengths according to the type lattice, with the improved non stressing coding shown in Figure 2. This kind o improved coding, compared with original one, reduces the type memory space, and abandons some data when it

4 JOURNAL OF COMPUTERS, VOL. 4, NO. 6, JUNE is necessary to get LUB o two types. For example, to get the LUB o D and E, just keep the irst 8 bit positions that are the same or D and E. In this way, the and operation in hardware can complete type deduction by abandoning some data. With the cache scheduling policy, which will be described later, this improved type encoding mode is advantageous in that it is only necessary to record the length o the corresponding data type when the data in cache are written back into NVM, which saves the time o writing or erasing operation in NVM, thus reducing time or the whole veriication process. Thereore, the improved non stressing type encoding can be well applied in bytecode veriication on Java card. B. Logical Flow Graph In our proposed bytecode veriier, a cache scheduling policy is used to solve the limited resource problem when doing bytecode veriication based on Logical Flow Graph, LFG or short. Figure 3 shows a simple example o bytecode and the corresponding LFG. Byte code Sample: 01: iload_1 02: iconst_3 03: i_icmpne 10 {ASN(03)=13} 04: aload_0 05: invokevirtual test 06: istore_2 07: jsr : iconst_0 11: iload_1 12: ireturn 13: astore_ v entry =ASN(03) v exit 10 OB2=OB1+01 OB1 Figure 3. Bytecode example and corresponding LFG Deinition 1: LFG (Logical Flow Graph) I a graph G is a logical low graph, then it conorms to the ollowing two conditions: G is a directed graph, where the number o directed paths is greater than 1 ( P( G) 1 ) and the number o nodes is greater than 3 ( VG ( ) 3); There are only one entry node u, the in-degree o which is zero ( Din ( u ) = 0), and only one exit node v, the out-degree o which is zero as well ( Dout () v = 0). The process o bytecode veriication can be imaged as a LFG, where any node u, except or the entry node and the exit one, can be subdivided into a new graph. When all the nodes in LFG can not be subdivided any more, every node in LFG stands or a VM instruction I u and every edge Euv (, ) the dependency between instruction I u and I v. Deinition 2: MN (Master Node) and SN (Slave Node) Supposed uv, V( LFG), i direct path Puv (, ) exists, then u is the MN o v and v is the SN o u. Specially, when e E( LFG) and e= { Euv (,) uv, VLFG ( )}, u is the DMN o v, and v the DSN o u. Otherwise, u is the indirect MN, and v the indirect SN o u. I v is the SN o u and the distance between them is longer than that between any other SN o u and u, u is the associated MN o v, denoted as u = AMN() v, when D ( u) 2 and Din ( v) 2. At the same time, v is the associated SN o u, expressed as v = ASN( u). Deinition 3: OB (Operation Block) Let uv, V( LFG), i path set P ( uv, ) = { Puv i (, ) 1 i n} stands or all the possible directed paths rom u to v, then V w = w 1 j m,w P( u, v) is the set o all ( ) { j j } the nodes located on P (, ) out uv, where w Puv (, ) means that w j is located on Puv (, ). E e = e 1 k q, w P( u, v) Furthermore, ( ) { k k } stands or the set o edges located on P ( uv, ). I v is the associated SN o u, namely v = ASN( u), then graph G = V w, E e is an OB. Supposed that { ( ) ( )} OBs, OB LFG and OBs OB, i a node OB t, which satisies OBs OBt OB can not be ound in LFG, OB is the minimal envelope graph o OB s, represented as OB = MEG ( OBs). When applied to bytecode veriication, an OB in act includes all the nodes which have the same entry and the same exit nodes, which can be considered as a basic veriication and cache unit ater combined with the other linear bytecode nodes or not. C. Bytecode Veriication Based on Cache Scheduling Policy In addition to the non stressing type encoding method, a cache scheduling policy based on LFG is necessary to copy some data rom NVM to RAM during bytecode veriication, and then to substitute the data in RAM through scheduling cache, thus enabling the veriying instruction to extract data rom RAM as more as possible. Beore describing the detailed veriication process, it should be helpul to deine some necessary unctions, namely abstract interpreters (AI), which are based on LFG and play an important role in the process. Every AI includes a state, represented as is,, where i is the value o the program counter and S is the current state o registers and operand stack. Deine type() i to return the label corresponding to the instruction i, targ et( i) to return the targets o instruction i, succ() i to return the successor o instruction i according to LFG and j

5 506 JOURNAL OF COMPUTERS, VOL. 4, NO. 6, JUNE 2009 outst () i to denote the unction o the standard veriier that generates the ater-state o instruction i. Specially, there are two other unctions regarding cache scheduling should be deined. One is writecache( S ), which represents that the current state S and the stack will be written into the cache when the instruction i does not hit the data in the cache, which is substituted according to the FIFO (First In, First Out) policy. Otherwise, i instruction i hit the data in the cache, the veriication will be done in this cache. The other is writeback ( S ), which represents that the veriier will write the current state and the stack back to the NVM, when the current instruction is veriied. Based on these deinitions, the detailed bytecode veriication process is described below. Step 1.initialization All the control nodes corresponding to instructions with i or switch are analyzed according to the structure o LFG, to search the ASN o every node. The additional message indicating the positions o these nodes and the number o branches or each veriication unit will be stored in the dictionary structure. Step 2.veriystr The instruction i will be veriied as the traditional way and the instruction j is predecessor o i, i it is not a control node or an ASN. I the instruction i does not hit the data in the cache, the data structure corresponding to instruction i will be put in the RAM, and the dictionary corresponding to instruction i in the cache. The state is, is transerred to succ(), i outst(, i. This step can be described as below. veriystr ( i, ={ writecache (, is, succi ( ), outstis (, ) i ASN( j), type( i) {i, switch}} Step 3.inunit When the control node (instructions with i and switch ) is veriied, the veriier inds the ASN corresponding to it. Then the NVM puts the instruction and the related stack in the RAM. The dictionary corresponding to the instruction is written in the Cache including the present state S to the ASN (i the space o the Cache is not large enough, the size o the data which is written in the Cache is equal to the size o the Cache). Then, veriy them. The state < is, > is transerred to <target( i), outst( I, S )>. This step can be described as below: inunit( i, ={ writecache( S,S min{ ipd ( j), i+ N} ), is, target( i), outstis (, ) i ASN( j), typei ( ) {i, switch} } Step 4.outunit When the ASN is veriied, the veriier judges whether all the branches is veriied (C is equal to 0 or not). I yes, all the control node-related node data, which can be substituted in the ollowing veriication, will be released rom the RAM. The related structure o the current instruction is put into the RAM to be veriied and the dictionary is put into the Cache. The state is, is transerred to <succ( i),outst( I, > and the state outst( is, ) is rewritten into the NVM. This process can be stated as below. outunit( i, ={ writecache(, i, S succ( i), outst ( i,, writeback ( outst ( i, i= ASN( j), typei ( ) {i, switch}, c= 0 } Step5.branch When the ASN is veriied, it should be determined whether all the branches are veriied (C is equal to 0 or not). I no, the writecache( is, ) is executed. When the instruction is not hit, the veriier substitutes the data in Cache and veriies it in the RAM. The state< is, > is transerred to <target( j),outst( i, S )>. Then the veriication jumps to the next branch. branch( i, ={ writecaches ( ), is, target( j), outstis (, ), c i= ASN( j), typei ( ) {i, switch}, c 0 } Step6.end When the exit node EXIT is veriied, the veriication process inishes. The state success stands or the veriication is completed successully. end( i, ={ i, S success i = EXIT } The low chart o this Cache scheduling algorithm is as shown in Figure 4. preprocess START veriystr( i, EXIT Y End( i, END N N type(i) {i,switch} Y inunit( i, i = ASN( j) outunit( i, Y C=0 N branch( i, Y N Figure 4. Flow chart o Cache scheduling algorithm As a whole, in this scheduling algorithm, the part between the olks and joins o each branch (OB) is veriied in the RAM and the veriication result is put into the Cache. In this way, it can greatly beneit rom the

6 JOURNAL OF COMPUTERS, VOL. 4, NO. 6, JUNE time advantage o RAM and the space advantage o NVM. IV. RESULT AND ANALYSIS A. Compare to the traditional algorithm Because the traditional algorithm puts all the data in RAM, the space complexity is (3S+3N +3) B. In our algorithm, the space complexity on RAM depends on the part with most branches in the LFG. Assume C as the maximum number o branches between the total control nodes and the corresponding ASN, then the corresponding space complexity o RAM will be (3S + 3N + 3) C, C < B. B. Compare to the improved PCC algorithm The veriication process can be described and analyzed in detail, with the ollowing bytecodes in Figure 3 as an example. In the beginning, the veriication program searches all control nodes, indicated by 3 in the igure, and the corresponding ASN (3) =10. The number o branches o a veriication unit is recorded as C=2.Veriication begins rom where START is indicated, and the dictionary is empty. The corresponding data in RAM are null, and instructions are scheduled in order rom NVM and stored in the corresponding status stacks. When veriication comes to the irst control instruction, which is 03: i_icmpne10, the instruction enters an OB, and the corresponding successor status is written into RAM until it reaches 13: astore_3. The veriier reads out corresponding status rom RAM and veriies this veriication unit. When veriication reaches 13 or the irst time, C=1, and not all the branches have been veriied. Then the veriication program returns to the entry control node 3 to continue veriication until it reaches the ASN o the control node. Ater the analysis, the program saves the entry status and input status into Cache, and all data o this OB in RAM can be substituted in the ollowing veriication. The veriication program implements operation in this way until it reaches the node indicated by END, then veriication inishes. The ollowing is an analysis o the above presented bytecodes. Assume 8 or the number o instruction stack structures that can be stored in RAM. Based on the algorithm o improved PCC [2], relevant data are called every time by the program low. When veriication starts rom node 1, relevant inormation o nodes 1-8 will be written into Cache, and both veriication nodes 2 and 3 are hit. When node 10 is not hit upon veriication, inormation o this node will be written into Cache and substitute node 1 based on the principle o First in, irst out. Similarly, i none o the nodes 11, 12, 13, 3, 4, 5, 6, 7 and 13 is hit upon veriication, the substituted nodes will be respectively 2, 3, 4, 5, 6, 7, 8, 10 and 11. See Table 1 or the hit status. Table 1 is based on the above-analyzed Improved PCC algorithm and the substitution policy introduced in this article. TABLE I. COMPARISON BETWEEN IMPROVED PCC ALGORITHM AND THE POLICY MENTIONED IN THIS ARTICLE ( STANDS FOR HIT WHILE FOR NOT HIT ) Label o nodes Improved PCC algorithm Our algorithm According to the data in the table, obviously the hit rate is approximately 23.08% or improved PCC algorithm, while it is approximately 92.31% or the scheduling algorithm introduced in this article, which means the hit rate can be greatly improved with the Cache scheduling policy introduced in this article. It is normal and reasonable or improvement o the hit rate since the scheduling algorithm in this article ollows the LFG, that is, the scheduling ollows the veriication process. It is improved on the complicated scheduling algorithm. However, since this scheduling algorithm process is similar to the low process, the program can guarantee its implementation without occupying large extra memory space while implementing the Cache scheduling policy during the veriication process. A comparison o the time or substitution between the algorithm introduced in this article and that with the algorithm o improved PCC shall be given or the Cache o dierent lengths because the time is aected by the size o the Cache block. Figure 5 and Figure 6 present these comparisons. In Figure 5, the real line represents a curve o the time or substitution with the algorithm introduced in this article, and the dotted line represents that with the algorithm o improved PCC. We suppose the time that write in one block o the Cache is T. The vertical axis in Figure 6 represents the ratio o time or substitution with the algorithm introduced in this article to that with the algorithm o improved PCC. The horizontal axis in both igures represents the size o the Cache block. As shown in the igures, the algorithm introduced in this article is most eicient when the size o the Cache block coincides with that o the OB in the LFG. The shorter the size o the Cache, the more obvious improvement the algorithm introduced in this article will make on eiciency o the substitutional time o the Cache. The longer the size o the Cache, the more service eiciency the algorithm introduced in this article will make. The less the traic o data exchange between

7 508 JOURNAL OF COMPUTERS, VOL. 4, NO. 6, JUNE 2009 Cache and NVM, the more there will be data veriied in Cache. Thereore, the dierence between algorithms will become insigniicant. The time or substitution 13 T 1 T The algorithm in this article Improved PPC algorithm Cache size Figure 5. The time or substitution between the algorithm introduced in this article and that with the algorithm o improved PCC or Cache o dierent length ratio Cache size Figure 6. Ratio o time with the algorithm introduced in this article to that with the algorithm o improved PCC As or the time o the algorithm, the whole veriication process consumes the traditional veriication time plus the time or the Cache scheduling algorithm, with the process o the Cache scheduling algorithm taken into account. The algorithm introduced in this article try to avoid the writing and reading problems o NVM by converting the writing and erasing operations o NVM into reading operation in the improved non stressing encoding mode, thus removing the bottleneck in the time o reading and writing with NVM. For the operation o writing into RAM necessary the scheduling algorithm, the whole veriication process consumes the traditional veriication time and the time or the Cache scheduling algorithm, based on the analysis o the time complexity, and as the processor reads and accesses data in a short time, the time complexity O( o the added veriication time T with the Cache scheduling algorithm is completely acceptable, compared with the time complexity o the traditional veriication algorithm O(S4). In addition, it will not take more than 0.2 or RAM to write in a bit data. Based on such time complexity, it can be guaranteed that the veriication process can be completed within the time acceptable to users with enough veriication space as mentioned above or the whole veriication process. C. Guarantee o the Algorithm Correctness The ollowing aspects can guarantee correctness o the veriication program. First, the basic principle o veriication is the algorithm o traditional veriication, which guarantees that the veriication has been testiied and proved correct in terms o algorithm. Second, the memory capacity o NVM guarantees the algorithm o traditional veriication, thus avoiding veriication ailure caused by any ault as a result o insuicient memory capacity during the veriication process. Last, the Cache scheduling policy and the improved non stressing encoding guarantee reliable veriication in terms o time. Based on the comparison between the abovementioned algorithm o improved PCC and the analysis o time complexity, we can draw a conclusion that this scheduling algorithm is better or the bytecode veriication on Java card. V. CONCLUSION This article designs a mode o bytecode veriication on Java card based on the Cache scheduling algorithm. In this mode, the bytecode veriication can be implemented completely on Java card through Cache, without being restricted by limitation o the Java card itsel. Another reason or preerence o this scheduling algorithm is that any preprocessing is unnecessary or the bytecode, that is, any bytecode, which is correct yet not pre-processed, will not been reused by the veriier. Through data scheduling o NVM and RAM, this algorithm realizes a perect veriication process based on traditional bytecode veriication, eaturing strong transportability and easibility. ACKNOWLEDGMENT Instructions and supervisions rom Pro. Xinang Zhang, constructive suggestions rom Xinlong Ma and Mingwei Fang, and collaborations o Tongyang Wang and Jun-jun Wu are grateully acknowledged. REFERENCES [1] Zhiqun Chen. Java Card Technology or Smart Cards: Architecture and Programmer s Guide. Addison Wesley Longman Publishing co., Inc., [2] Damien Deville. Building an impossible veriier on a Java Card. In USENIX Workshop on Industrial Experiences with Systems Sotware(WIESS 02), [3] X.Leroy. Java bytecode veriication: algorithms and ormalizations. Journal on automated reasoning, 30, [4] X.Leroy. Bytecode veriication on Java Smart card. Sotware Practice & Experience, 32: , [5] Rose E, Rose K. Lightweight bytecode veriication. In Workshop Fundamental Underpinnings o Java, 1998.

8 JOURNAL OF COMPUTERS, VOL. 4, NO. 6, JUNE [6] Joachim Posegga and Harad Vogt. Java bytecode veriication using model checking. In 26th symposium Principles o Programming Languages, pages ACM Press, [7] Raymie Stata and Martín Abadi. A Type system or Java bytecode subroutines. ACM Transactions on Programming Languages and System, 21(1): , [8] Virtual Machine Speciication. Java Card TM Platorm, Version Sun Microsystems, Inc, [9] George C.Necula. Proo-carrying code. In 24th symposium Principles o programming Language, pages ACM Press, [10] C. Bernardeschi, L. Martini, and P. Masci. Java bytecode veriication with dynamic structures. International Conerence on Sotware Engineering and Applications (SEA), Cambridge, MA, USA, Tongyang Wang(1963-), male, Wuhan Hubei, Institute o Inormation & System Technology, Huazhong Univ. o Sci & Tech. associate proessor, Ph.D, Research in Embedded System, CAD. Pengei Yu(1981-), male, Chibi Hubei, Institute o Inormation & System Technology, Huazhong Univ. o Sci & Tech. Ph.D Candidate, Research in Embedded System, Trusted Computing, Secured Portable Storage, Inormation Security. Jun-jun Wu(1972-), male, Wuhan Hubei, Institute o Inormation & System Technology, Huazhong Univ. o Sci & Tech. associate proessor, Ph.D, Research in Inormation Security, Embedded System, CAD.