Tamper-Proof Annotations, By Construction

Current mobile-code formats require veri cation by the code recipient to guard against potentially malicious actions of an incoming mobile program. Such veri cation is needed even when a mobile program originated in a \safe" language such as Java, because the transmission might have been corrupted by an adversary. We describe an alternative approach based on a family of mobile code formats that simply don't allow illegal programs to be represented in the rst place. In such an inherently safe format, any given bit-sequence of suÆcient length is guaranteed to map back to a legal program in the original encoding domain, which in our prototype is Java. Hence, any incoming program that meets trivial well-formedness criteria is guaranteed to be legal and no code veri cation is necessary. Our method enables the tamper-proof transport of performance enhancing annotations along with the program. In our current implementation, we are able to perform escape analysis at the code producer's side and can encode the results of this analysis in a manner that cannot be falsi ed in transit. Interestingly, adding annotations increases encoding density since it reduces the number of valid choices that need to be represented, so that the addition of the annotations comes at almost no space cost. While our current implementation focuses on Java, the method is completely generic and can be adapted easily to other domains. To demonstrate this point, we were able to authors are listed in alphabetical order build an additional encoder for Oberon in less than a week.