Java bytecode provides a portable representation for programs that allows executable content to be embedded in web pages, transferred across a network, and executed on a remote user's machine. Features like these provide many new opportunities for developers, but special precautions must be taken to protect users from badly-behaved programs, which might otherwise destroy valuable data or compromise their privacy. To avoid such problems, bytecode programs from untrusted sources must be verified before they are used. If a program passes, then it should be well-behaved, and should not be able to subvert the other security mechanisms of the Java platform. However, if a program fails, then it will be rejected. Clearly, to be sure that it is effective, we need a precise way to understand bytecode verification. This paper describes the main features of a formal specification for Java bytecode that allows us to reason about the correctness of Java implementations, and to guarantee safety properties of verified bytecode. The key to our approach is to model individual bytecode instructions, and their compositions, as appropriately typed functions in a fairly standard functional language. This gives us a flexible way to build up and extend the instruction set. In addition, it enables us to describe bytecode verification as a well-understood form of type inference, which guarantees that execution of verified programs will not "go wrong."
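An added illustration of the approach described above, not the paper's specification: each instruction of a small straight-line subset is a function from a frame type (local-variable types, operand-stack types) to a frame type, sequencing is function composition, and verification is running that composition on the entry frame. Python stands in for the functional language; the helper names (`instr`, `load`, `store`, `compose`, `infer`) and the type tags are assumptions, and branches, subtyping and objects are left out.

```python
from functools import reduce

INT, REF, UNSET = "int", "ref", "unset"   # type tags (assumed names)

class VerifyError(Exception):
    """The instruction sequence cannot be given a type."""

def instr(pops, pushes):
    """Stack-only instruction as a function: frame type -> frame type."""
    def step(frame):
        local_types, stack = frame
        n = len(pops)
        if len(stack) < n:
            raise VerifyError("operand stack underflow")
        if n and stack[-n:] != pops:
            raise VerifyError(f"expected {pops}, found {stack[-n:]}")
        return local_types, stack[:len(stack) - n] + pushes
    return step

def load(ty, i):
    """iload/aload: local i must already hold a value of type ty."""
    def step(frame):
        local_types, stack = frame
        if i >= len(local_types) or local_types[i] != ty:
            raise VerifyError(f"local {i} does not hold {ty}")
        return local_types, stack + (ty,)
    return step

def store(ty, i):
    """istore/astore: pop a ty and record it as the type of local i."""
    def step(frame):
        local_types, stack = frame
        if i >= len(local_types) or not stack or stack[-1] != ty:
            raise VerifyError(f"cannot store {ty} into local {i}")
        return local_types[:i] + (ty,) + local_types[i + 1:], stack[:-1]
    return step

ACONST_NULL = instr((), (REF,))
IADD = instr((INT, INT), (INT,))

def compose(*steps):
    """Sequencing instructions is composing their typed functions."""
    return lambda frame: reduce(lambda f, step: step(f), steps, frame)

def infer(code, local_types):
    """Type of the frame after `code`, starting from an empty stack."""
    return compose(*code)((tuple(local_types), ()))

# Constructed sample programs over locals (int, int, unset).
GOOD = [load(INT, 0), load(INT, 1), IADD, store(INT, 2)]
BAD = [load(INT, 0), ACONST_NULL, IADD]   # adds an int to a reference
```

`infer(GOOD, (INT, INT, UNSET))` returns the inferred exit frame, while `infer(BAD, ...)` raises `VerifyError` before anything would execute, which is the rejection the abstract describes.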