We propose an integration of field access rights into the Java type system
such that those access permission checks which are now performed dynamicall
y (at run time), can instead be done statically, i.e. checked by the Java c
ompiler and rechecked (at link time) by the bytecode verifier. We explain h
ow this can be extended to remove all dynamic checks of field read access r
ights, completely eliminating the overhead of get methods for reading the v
alue of a field. Improvements include using fast static lookup instead of d
ynamic dispatch for field access (without requiring a sophisticated inlinin
g analysis), the space required by get methods is avoided, and denial-of-se
rvice attacks on field access is prevented. We sketch a formalization of ad
ding field access to the bytecode verifier which will make it possible to p
rove that the change is safe and backwards compatible. Copyright (C) 2001 J
ohn Wiley & Sons, Ltd.