Skip to main content
SpringerLink
Log in

Analyzing SLE 88 memory management security using Interacting State Machines

  • Regular contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system typically used for sandboxing application programs dynamically loaded on the chip. High-level (EAL5+) evaluation of the chip requires a formal security model.

We formally model the memory management system as an Interacting State Machine and prove, using Isabelle/HOL, that the associated security requirements are met. We demonstrate that our approach enables an adequate level of abstraction, which results in an efficient analysis, and points out potential pitfalls like noninjective address translation.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Atmel, Hitachi Europe, Infineon Technologies, Philips Semiconductors (2001) Smartcard IC Platform Protection Profile, version 1.0, July 2001. http://www.bsi.de/cc/pplist/ssvgpp01.pdf

  2. Atmel, Hitachi Europe, Infineon Technologies, Philips Semiconductors (2002) Smartcard Integrated Circuit Platform Augmentations, version 1.0, March 2002. http://www.bsi.de/cc/pplist/augpp002.pdf

  3. Biba KJ (1977) Integrity considerations for secure computer systems. Technical Report MTR 3153, Mitre Corporation, Bedford, MA

  4. Bell DE, LaPadula L (1973) Secure computer systems: mathematical foundations (NTIS AD-770 768), A mathematical model (NTIS AD-771 543), A refinement of the mathematical model (NTIS AD-780 528). Technical Report MTR 2547, Mitre Corporation, Bedford, MA

    Google Scholar 

  5. (1999) Common Criteria for information technology security evaluation (CC), version 2.1, ISO/IEC 15408

  6. Clark DR, Wilson DR (1987) A comparison of commercial and military computer security policies. In: Symposium on security and privacy. IEEE Press, New York, pp 184–194

  7. Goguen JA, Meseguer J (1982) Security policies and security models. In: Symposium on security and privacy. IEEE Press, New York

  8. Huber F, Schätz B, Schmidt A, Spies K (1996) Autofocus – a tool for distributed systems specification. In: Proceedings FTRTFT’96 – Formal techniques in real-time and fault-tolerant systems. Lecture notes in computer science, vol 1135. Springer, Berlin Heidelberg New York, pp 467–470. See also http://autofocus.in.tum.de/index-e.html

  9. Kuhn T, von Oheimb D (2003) Interacting State Machines for mobility. In: Araki K, Gnesi S, Mandrioli D (eds) Proc. 12th international FME symposium (FM’03). Lecture notes in computer science, vol 2805. Springer, Berlin Heidelberg New York, September 2003. http://ddvo.net/papers/ISMfM.html

  10. Lotz V, Kessler V, Walter G (2000) A formal security model for microprocessor hardware. IEEE Trans Softw Eng 26:702–712

    Article  Google Scholar 

  11. Lynch N, Tuttle M (1989) An introduction to input/output automata. CWI Q 2(3):219–246. http://theory.lcs.mit.edu/tds/papers/Lynch/CWI89.html

  12. Motre S, Teri C (2000) Using B method to formalize the Java Card runtime security policy for a Common Criteria evaluation. In: 23rd national information systems security conference . http://csrc.nist.gov/nissc/2000/proceedings/toc.html

  13. Nanz S (2002) Integration of CASE tools and theorem provers: a framework for system modeling and verification with AutoFocus and Isabelle. Master’s thesis, TU München. http://www.doc.ic.ac.uk/ nanz/publications/csthesis/

  14. Nipkow T, Paulson L, Wenzel M (2002) Isabelle/HOL – A proof assistant for higher-order logic. Lecture notes in computer science, vol 2283. Springer, Berlin Heidelberg New York. http://isabelle.in.tum.de/docs.html

  15. von Oheimb D (2002) Interacting State Machines: a stateful approach to proving security. In: Abdallah AE, Ryan P, Schneider S (eds) Formal aspects of security. Lecture notes in computer science, vol 2629. Springer, Berlin Heidelberg New York, pp 15–32. http://ddvo.net/papers/ISMs.html

  16. von Oheimb D (2004) Information flow control revisited: Noninfluence = Noninterference + Nonleakage. In: Samarati P, Ryan P, Gollmann D, Molva R (eds) Computer Security – ESORICS 2004. Lecture notes in computer science, vol 3193. Springer, Berlin Heidelberg New York. http://ddvo.net/papers/Noninfluence.html

  17. von Oheimb D, Lotz V (2002) Formal security analysis with Interacting State Machines. In: Gollmann D, Karjoth G, Waidner M (eds) Proc. 7th European symposium on research in computer security (ESORICS). Lecture notes in computer science, vol 2502. Springer, Berlin Heidelberg New York, pp 212–228. http://ddvo.net/papers/FSA_ISM.html

  18. von Oheimb D, Lotz V (2003) Generic Interacting State Machines and their instantiation with dynamic features. In: Dong JS, Woodcock J (eds) Formal methods and software engineering (ICFEM). Lecture notes in computer science, vol 2885. Springer, Berlin Heidelberg New York, November 2003, pp 144–166. http://ddvo.net/papers/GenISMs.html

  19. von Oheimb D, Nanz S (2002) ISM Homepage: documentation, sources and distribution. http://ddvo.net/ISM/

  20. Rushby J (1992) Noninterference, transitivity, and channel-control security policies. Technical Report CS-92-02, SRI International

  21. Schellhorn G, Reif W, Schairer A, Karger P, Austel V, Toll D (2000) Verification of a formal security model for multiapplicative smart cards. In: Cuppens F, Deswarte Y, Gollmann D, Waidner M (eds) Proc. 6th European symposium on research in computer security (ESORICS). Lecture notes in computer science, vol 1895. Springer, Berlin Heidelberg New York

  22. Walter G, Noller J (2003) Infineon Technologies SLE88CX 720P / Security Target. www.bsi.de/???0215???, Version 1.00

Download references

Author information

Authors and Affiliations

  1. Corporate Technology, Siemens AG, 81730, Munich, Germany

    David von Oheimb & Volkmar Lotz

  2. Secure Mobile Solutions, Infineon AG, 81609, Munich, Germany

    Georg Walter

Authors
  1. David von Oheimb
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Volkmar Lotz
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Georg Walter
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to David von Oheimb.

Rights and permissions

Reprints and permissions

About this article

Cite this article

von Oheimb, D., Lotz, V. & Walter, G. Analyzing SLE 88 memory management security using Interacting State Machines. Int J Inf Secur 4, 155–171 (2005). https://doi.org/10.1007/s10207-004-0057-5

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-004-0057-5

Keywords

Search

Navigation