Abstract
We present a generic formal security model for operating systems of multiapplicative smart cards. The model formalizes the main security aspects: secrecy, integrity, secure communication between applications, and secure downloading of new applications. The model satisfies a security policy consisting of authentication and intransitive noninterference. It extends the classical security models of Bell/LaPadula and Biba, but avoids the need for trusted processes (processes that are exempt from the security policy) by incorporating such processes directly in the model itself. The correctness of the security policy has been formally proven with the VSE II system.
Augsburg and DFKI research sponsored by the German Information Security Agency (BSI)
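The abstract contrasts the classical Bell/LaPadula and Biba rules with the "trusted processes" they force on a system that must downgrade secrecy or raise integrity (for example when a downloaded application is verified and installed). The following added example, which is not part of the paper or its VSE II formalization, encodes the standard combined rules over a small constructed lattice and shows which flows the mandatory rules can never permit; those are exactly the steps that a classical model hands to a policy-exempt trusted process. The level names and the download scenario are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed lattice for illustration only (not the paper's): secrecy and
# integrity levels are each totally ordered, low -> high.
SECRECY = {"public": 0, "confidential": 1, "secret": 2}
INTEGRITY = {"untrusted": 0, "vetted": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    """A combined (secrecy, integrity) label, as in Karger et al.'s
    joint secrecy/integrity policies and the lattice used here."""
    secrecy: str
    integrity: str

    def __post_init__(self) -> None:
        if self.secrecy not in SECRECY or self.integrity not in INTEGRITY:
            raise ValueError(f"unknown level in {self!r}")


def all_labels() -> list[Label]:
    return [Label(s, i) for s in SECRECY for i in INTEGRITY]


def can_read(subject: Label, obj: Label) -> bool:
    """Bell/LaPadula simple security (no read up) together with
    Biba simple integrity (no read down)."""
    return (SECRECY[subject.secrecy] >= SECRECY[obj.secrecy]
            and INTEGRITY[obj.integrity] >= INTEGRITY[subject.integrity])


def can_write(subject: Label, obj: Label) -> bool:
    """Bell/LaPadula *-property (no write down) together with
    Biba integrity *-property (no write up)."""
    return (SECRECY[obj.secrecy] >= SECRECY[subject.secrecy]
            and INTEGRITY[subject.integrity] >= INTEGRITY[obj.integrity])


def flow_allowed(src: Label, dst: Label) -> bool:
    """True iff some subject could read src and write dst under the
    combined rules, i.e. information may flow from src to dst.
    Over this lattice that is: secrecy may only rise, integrity only fall."""
    return any(can_read(s, src) and can_write(s, dst) for s in all_labels())


def rules_broken_by_direct_flow(src: Label, dst: Label) -> list[str]:
    """Name the mandatory rules a direct src -> dst flow would violate.
    A non-empty result means the classical models need a trusted process
    outside the policy to perform the step."""
    reasons = []
    if SECRECY[src.secrecy] > SECRECY[dst.secrecy]:
        reasons.append("secrecy downgrade (violates BLP *-property)")
    if INTEGRITY[src.integrity] < INTEGRITY[dst.integrity]:
        reasons.append("integrity upgrade (violates Biba *-integrity)")
    return reasons


if __name__ == "__main__":
    # Assumed scenario: downloaded application code arrives with the
    # lowest labels; the card's installed-application store is kept at a
    # higher integrity level. Installing it is an integrity upgrade that
    # no ordinary subject may perform under the mandatory rules.
    downloaded = Label("public", "untrusted")
    app_store = Label("confidential", "vetted")
    print("download -> store allowed:", flow_allowed(downloaded, app_store))
    print("needs trusted step:", rules_broken_by_direct_flow(downloaded, app_store))

    # A secrecy downgrade (declassification) fails for the dual reason.
    secret_data = Label("secret", "system")
    public_log = Label("public", "untrusted")
    print("secret -> public allowed:", flow_allowed(secret_data, public_log))
    print("needs trusted step:", rules_broken_by_direct_flow(secret_data, public_log))
```

`flow_allowed` is deliberately computed by searching for a subject label rather than by comparing levels directly, so that the equivalence with "secrecy may only rise and integrity may only fall" is checked rather than assumed; `rules_broken_by_direct_flow` then names the specific rule that makes such a step impossible without a policy-exempt process, which is the gap the paper's model closes by modelling those steps explicitly.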
References
Badger, L., Sterne, D.F., Sherman, D.L., Walker, K.M., Haghighat, S.A.: Practical domain and type enforcement for UNIX. In: 1995 IEEE Symposium on Security and Privacy, Oakland, CA, pp. 66–77 (May 1995), http://www.tis.com/docs/research/secure/secure_dte_Proj2.html
Bell, D.E., LaPadula, L.J.: Secure Computer Systems: Unified Exposition and Multics Interpretation. Technical Report ESD–TR–75–306, The MITRE Corporation, HQ Electronic Systems Division, Hanscom AFB, MA (March 1976), http://csrc.nist.gov/publications/history/bell76.pdf
Biba, K.J.: Integrity Considerations for Secure Computer Systems. Technical Report ESD–TR–76–372, The MITRE Corporation, HQ Electronic Systems Division, Hanscom AFB, MA (April 1977)
Boebert, W.E., Kain, R.Y.: A practical alternative to hierarchical integrity policies. In: 8th National Computer Security Conf., Gaithersburg, MD, pp. 18–27. National Computer Security Center and National Bureau of Standards (1985)
Hutter, D., Mantel, H., Rock, G., Stephan, W., Wolpers, A., Balser, M., Reif, W., Schellhorn, G., Stenzel, K.: Vse: Controlling the complexity in formal software developments. In: Hutter, D., Traverso, P. (eds.) FM-Trends 1998. LNCS, vol. 1641. Springer, Heidelberg (1999)
Identification cards - Integrated circuit(s) cards with contacts - Part 4: Inter-industry commands for interchange. ISO/IEC 7816-4, International Standards Organization (1995)
Information technology - security techniques – evaluation criteria for IT security. ISO/IEC 15408, International Standards Organization (1999), http://csrc.nist.gov/cc
ITSEC. Information Technology Security Evaluation Criteria, Version 1.2. Office for Official Publications of the European Communities, Brussels, Belgium (1991)
Karger, P.A., Austel, V., Toll, D.: A new mandatory security policy combining secrecy and integrity. RC 21717, IBM Research Division, T. J. Watson Research Center, Yorktown Heights, NY, March 15 (2000), http://domino.watson.ibm.com/library/CyberDig.nsf/home
Karger, P.A., Austel, V., Toll, D.: Using a mandatory secrecy and integrity policy on smart cards and mobile devices. In (EUROSMART) Security Conference, Marseille, France, June 13-15, pp. 134–148 (June 2000), RC 21736, Available at http://domino.watson.ibm.com/library/CyberDig.nsf/home
Koob, F., Ullmann, M., Wittmann, S., Schellhorn, G., Reif, W., Schairer, A., Stephan, W.: A generic security model for multiapplicative smart cards – final report of the SMaCOS project (to appear as BSI report)
Lunt, T.F., Neumann, P.G., Denning, D., Schell, R.R., Heckman, M., Shockley, W.R.: Secure distributed data views – vol.1: Security policy and policy interpretation for a class A1 multilevel secure. Technical Report SRI-CSL-88-8, SRI International, Menlo Park, CA (August 1988)
McLean, J.: Security models. In: Marciniak, J. (ed.) Encyclopedia of Software Engineering. Wiley & Sons, Chichester (1994), http://chacs.nrl.navy.mil/publications/CHACS
Organick, E.I.: The Multics System: An Examination of Its Structure. The MIT Press, Cambridge (1972)
Philips semiconductors and IBM research to co-develop secure smart cards: Highly secure operating system and processor, suitable for multiple applications (February 1999), http://www.semiconductors.philips.com/news/content/file_384.html
Rushby, J.: Noninterference, Transitivity, and Channel-Control Security Policies. Technical Report CSL-92-02, SRI International, Menlo Park, CA, (1992), http://www.csl.sri.com/~rushby/reports/csl-92-2.dvi.Z
Schell, R., Tao, T.F., Heckman, M.: Designing the GEMSOS security kernel for security and performance. In: 8th National Computer Security Conference, Gaithersburg, MD, 30 September - 3 October, pp. 108–119. DoD Computer Security Center and National Bureau of Standards (1985)
Shirley, L.J., Schell, R.R.: Mechanism sufficiency validation by assignment. In: 1981 Symposium on Security and Privacy, Oakland, CA, April 27-29, pp. 26–32. IEEE Computer Society, Los Alamitos (1981)
Sterne, D.F., Benson, G.S.: The controlled application set paradigm for trusted systems. In: 1995 National Information Systems Security Conference, Baltimore, Maryland. National Computer Security Center and National Institute of Standards and Technology (1995), http://www.tis.com/docs/research/secure/secure_dte_proj2.html
© 2000 Springer-Verlag Berlin Heidelberg
Schellhorn, G., Reif, W., Schairer, A., Karger, P., Austel, V., Toll, D. (2000). Verification of a Formal Security Model for Multiapplicative Smart Cards. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds) Computer Security - ESORICS 2000. ESORICS 2000. Lecture Notes in Computer Science, vol 1895. Springer, Berlin, Heidelberg. https://doi.org/10.1007/10722599_2
DOI: https://doi.org/10.1007/10722599_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41031-7
Online ISBN: 978-3-540-45299-7