Formal Certification of Android Bytecode

Android is an operating system that has been used in a majority of mobile devices. Each application in Android runs in an instance of the Dalvik virtual machine, which is a register-based virtual machine (VM). Most applications for Android are developed using Java, compiled to Java bytecode and then translated to DEX bytecode using the dx tool in the Android SDK. In this work, we aim to develop a type-based method for certifying non-interference properties of DEX bytecode, following a methodology that has been developed for Java bytecode certification by Barthe et al. To this end, we develop a formal operational semantics of the Dalvik VM, a type system for DEX bytecode, and prove the soundness of the type system with respect to a notion of non-interference. We then study the translation process from Java bytecode to DEX bytecode, as implemented in the dx tool in the Android SDK. We show that an abstracted version of the translation from Java bytecode to DEX bytecode preserves the non-interference property. More precisely, we show that if the Java bytecode is typable in Barthe et al’s type system (which guarantees non-interference) then its translation is typable in our type system. This result opens up the possibility to leverage existing bytecode verifiers for Java to certify non-interference properties of Android bytecode.

💡 Research Summary

The paper addresses the problem of certifying information‑flow security, specifically non‑interference, for Android applications at the level of DEX bytecode. Android apps are typically written in Java, compiled to JVM bytecode, and then transformed into DEX bytecode by the dx tool in the Android SDK. Existing non‑interference type systems have been developed for Java source code and for JVM bytecode, but there is no formal framework that directly reasons about DEX, which runs on the register‑based Dalvik/ART virtual machine.

The authors make three major contributions. First, they define a formal operational semantics for the Dalvik VM. A machine state consists of a program counter, a register file, and a heap. The semantics covers ordinary instructions (load, store, arithmetic, conditional jumps, method invocations) as well as exception throwing and handling. By modeling exceptions explicitly, the semantics can capture both direct data flows (through registers) and indirect flows (through control dependencies).

Second, based on this semantics they introduce a security‑typed system for DEX. Each register and each heap object is annotated with a security label drawn from a lattice L. The type rules propagate labels through each instruction, enforce a “safe control‑dependence region” (CDR) that tracks when the program is executing under a high‑security context, and maintain a security environment that records the current label at each program point. The system is proved sound: any DEX program that type‑checks is guaranteed to satisfy non‑interference with respect to the given policy, i.e., low‑security inputs cannot influence high‑security outputs.

Third, the paper studies the concrete translation performed by the dx tool. The translation is abstracted as a mapping from JVM stack‑based instructions to DEX register‑based instructions, performed block‑wise. The authors formalize a stack‑to‑register mapping, a block correspondence, and a reconstruction of exception handlers in the target code. They then prove a preservation theorem: if a JVM program is typable in the Barthe et al. non‑interference type system, then its dx‑generated DEX counterpart is typable in the newly defined DEX type system. The proof shows that label propagation, CDR safety, and security environments are preserved under the translation, even for exception handling and indirect flows.

By establishing this preservation result, the work enables the reuse of existing Java bytecode verification tools for Android. A developer can type‑check the original Java bytecode (or JVM bytecode) with a mature verifier, run the standard dx compilation, and be assured that the resulting DEX bytecode inherits the same non‑interference guarantees.

The paper also discusses related work, highlighting differences with projects such as Cassandra (which uses an abstract Dalvik language without exceptions) and various static analysis tools for Android (e.g., TrustDroid, ScanDroid). Unlike those, the present approach works directly on the real DEX language, includes exception handling, and provides a formal proof of property preservation across the actual compiler used in practice.

Finally, the authors outline a prototype implementation plan: apply a Barthe‑style type checker to Java bytecode, invoke dx to obtain DEX, and then run their DEX type checker. Preliminary examples demonstrate that violations of non‑interference (e.g., leaking a high‑label value to a low‑label sink) cause the DEX type checker to reject the program, confirming the practical relevance of the theory.

In summary, the paper delivers a rigorous, end‑to‑end framework for certifying information‑flow security of Android applications, bridging the gap between Java‑level verification and the actual bytecode executed on devices, and opening the way for certified app stores and trustworthy Android ecosystems.