Formal Aspects of Computing

, Volume 20, Issue 1, pp 5–19 | Cite as

The certification of the Mondex electronic purse to ITSEC Level E6

  • Jim Woodcock
  • Susan Stepney
  • David Cooper
  • John Clark
  • Jeremy Jacob
Original Article


Ten years ago the Mondex electronic purse was certified to ITSEC Level E6, the highest level of assurance for secure systems. This involved building formal models in the Z notation, linking them with refinement, and proving that they correctly implement the required security properties. The work has been revived recently as a pilot project for the international Grand Challenge in Verified Software. This paper records the history of the original project and gives an overview of the formal models and proofs used.


Certification Correctness Electronic finance Grand challenges Grand Challenge in Verified Software ITSEC Level E6 Mondex Refinement Security Smart cards Theorem proving Verification Verified Software Repository Z notation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. BJP+06a.
    Banach R, Jeske C, Poppleton M, Stepney S (2006) Retrenching the purse: finite exception logs, and validating the small. 30th Annual IEEE/NASA Software engineering workshop. Columbia, April 2006Google Scholar
  2. BJP+06b.
    Banach R, Jeske C, Poppleton M, Stepney S (2006) Retrenching the purse: hashing injective CLEAR codes, and security properties. In: 2nd International symposium on leveraging applications of formal methods, verification and validation (ISoLA 2006). Cyprus, November 2006. IEEE, 2006Google Scholar
  3. BJP+07.
    Banach R, Jeske C, Poppleton M, Stepney S (2007) Retrenching the purse: the balance enquiry quandary, and generalised and (1,1) forward refinements. Fundam Inform 77:1–41MathSciNetGoogle Scholar
  4. BP98.
    Banach R, PoppletonM(1998)Retrenchment: an engineering variation on refinement B-98. Lecture notes in computer science, vol 1393. Springer, HeidelbergGoogle Scholar
  5. BPJ+05a.
    Banach R, Poppleton M, Jeske C, Stepney S (2005) Retrenchment and the Mondex electronic purse (extended abstract). In: Proceedings 12th international workshop on abstract state machines (ASM’05). Paris, March 2005Google Scholar
  6. BPJ+05b.
    Banach R, Poppleton M, Jeske C, Stepney S (2005) Retrenching the purse: finite sequence numbers and the tower pattern. In: Proceedings FM05. Lecture notes in computer science, vol 3582. Springer, Heidelberg, pp 382–398Google Scholar
  7. BSC94.
    Barden R, Stepney S, Cooper D (1994) Z in Practice. BCS Practitioners Series. Prentice Hall, Englewood CliffsGoogle Scholar
  8. BoD05.
    Boiten EA, Derrick J (2005) Formal program development with approximations. ZB 2005. Lecture notes in computer science, vol 3455. Springer, Heidelberg, pp 374–392Google Scholar
  9. Bur02.
    Burton S (2002) Automated testing of high integrity test suites from graphical specifications. Ph.D. thesis. Department of Computer science, University of YorkGoogle Scholar
  10. CSC05.
    Clark JA, Stepney S, Chivers H (2005) Breaking the model: finalisation and a taxonomy of security attacks. REFINE 2005, Surrey. Electron Notes Theor Comput Sci 137(2):225–242CrossRefGoogle Scholar
  11. CSW02.
    Cooper D, Stepney S, Woodcock J (2002) derivation of Z refinement proof rules: forwards and backwards rules incorporating input/output refinement. Technical report YCS-2002-347, December, University of YorkGoogle Scholar
  12. CoCURL.
  13. DeB01.
    Derrick J, Boiten E (2001) Refinement in Z and Object-Z. Springer, HeidelbergMATHGoogle Scholar
  14. Dun03.
    Dunne S (2003) Introducing backwards refinement into B. In: ZB2003: third international conference of B and Z Users, Turku, June 2003. Lecture notes in computer science, vol 2651, Springer, Heidlberg, pp 178–196Google Scholar
  15. FHD90.
    Flynn M, Hoverd T, Brazier D (1990) Formaliser—an interactive support tool for Z. Z UserWorkshop. In: Proceedings of the 4th annual Z user meeting, workshops in computing, Springer, Hiedelberg, pp 128–141Google Scholar
  16. GCH97.
    E6: Use of formality discussion. G3A Tape No 68. Unclassified. Government Communications Headquarters (GCHQ). 22 October 1997Google Scholar
  17. HHH+87.
    Hoare CAR, Hayes IJ, He J, Morgan C, Roscoe AW, Sanders JW et al (1987) The laws of programming. Commun ACM. 30Google Scholar
  18. HHS86.
    Jifeng H, Hoare CAR, Sanders JW (1986) Data refinement refined: resume. ESOP 86. Lecture notes in computer science, vol 213. Springer, Heidelberg, pp 187–196Google Scholar
  19. ITS91.
    Information Technology Security Evaluation Criteria (ITSEC): Preliminary Harmonised Criteria. Document COM(90) 314, Version 1.2. Commission of the European Communities. June 1991Google Scholar
  20. Jac92.
    Jacob JL (1992) Basic theorems about security. J Comput Secur 1(4):385–411Google Scholar
  21. SCP+03.
    Srivratanakul J, Clark J, Polack F, Stepney S (2003) Challenging formal specifications with mutation: a CSP security example. 12th IEEE Asia Pacific Software Engineering Conference (APSEC)Google Scholar
  22. SCW00.
    Stepney S, Cooper D, Woodcock J (2000) An electronic purse: specification, refinement, and proof. Technical monograph PRG-126, Oxford University Computing Laboratory, July 2000Google Scholar
  23. SCW98.
    Stepney S, Cooper D, Woodcock J (1998) More powerful Z data refinement: pushing the state of the art in industrial refinement. In: ZUM ’98: 11th international conference of Z users, Berlin, September 1998. Lecture notes in computer science, vol 1493. Springer, Heidelberg, pp 284–307Google Scholar
  24. SFT03.
    Stepney S, Polack F, Toyn I (2003) Patterns to guide practical refactoring: examples targetting promotion in Z. In: ZB2003: third international conference of B and Z Users, Turku, June 2003. Lecture notes in computer science, vol 2651. Springer, Heidelberg, pp 20–39Google Scholar
  25. Spi92a.
    Spivey JM (1992) The Z Notation: a reference manual, 2nd edn.
  26. Spi92b.
    Spivey JM (1992) The fUZZ Manual. Computer Science Consultancy, 2nd edn. Prentice Hall, Englewood CliffGoogle Scholar
  27. Ste01.
    Stepney S (2001) New horizons in formal methods. The Computer Bulletin, pp 24–26. BCS, January 2001Google Scholar
  28. Ste98.
    Stepney S (1998) A tale of two proofs. BCS-FACS third Northern formal methods workshop, Ilkley, September 1998. Electronic Workshops in ComputingGoogle Scholar
  29. WoD96.
    Woodcock J, Davies J (1996) Using Z: specification, refinement, and proof. Prentice Hall, Englewood CliffMATHGoogle Scholar

Copyright information

© British Computer Society 2007

Authors and Affiliations

  • Jim Woodcock
    • 1
  • Susan Stepney
    • 1
  • David Cooper
    • 1
  • John Clark
    • 1
  • Jeremy Jacob
    • 1
  1. 1.Department of Computer ScienceUniversity of YorkHeslingtonUK

Personalised recommendations