Abstract
The Java Card API provides a framework of classes and interfaces that hides the details of the underlying smart card interface, thus relieving developers from going through the swamps of microcontroller programming. This allows application developers to concentrate most of their effort on the details of the application, assuming proper use of the Java Card API calls regarding (i) the correctness of the methods' invocation targets and their arguments and (ii) temporal safety, i.e. the requirement that certain method calls have to be used in certain orders. Several characteristics of Java Card applets and their multiple-entry-point program structure make it possible for a potentially unhandled exception to reach the invoked entry point. This opens the possibility of leaving the applet in an unpredictable state that is potentially dangerous for the application's security. Our work introduces automatic static program analysis as a means for the early detection of misused and therefore dangerous API calls. The analyses shown have been implemented within the FindBugs bug detector, an open source framework that applies static analysis functions to the applet bytecode.
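As an added illustration of the temporal-safety checking the abstract describes (this is example code, not the paper's FindBugs detector), the following toy typestate analysis walks a simplified control-flow graph of an applet entry point and reports transaction calls made in the wrong order, as well as paths that leave the entry point with a transaction still open. The method names are the real `javacard.framework.JCSystem` transaction API; the state machine, the CFG encoding and the sample applet are assumptions constructed for this example.

```python
# Toy typestate (temporal-safety) checker for Java Card transaction calls; added
# example, not the paper's FindBugs detector. Method names are the real JCSystem
# API; the state machine is a simplified model assumed here (no nested begin).
from collections import deque

# Allowed transitions (state, call) -> new state; anything else is a misuse.
TRANSITIONS = {
    ("OUT", "beginTransaction"): "IN",
    ("IN", "commitTransaction"): "OUT",
    ("IN", "abortTransaction"): "OUT",
}
TRACKED = {call for _, call in TRANSITIONS}


def check_cfg(cfg, entry="entry"):
    """Flow-sensitive, path-insensitive typestate analysis over a CFG:
    cfg maps block -> (called method names, successor names). Returns sorted
    (block, call, state) reports; "<exit>" = entry point left with a transaction open."""
    in_states = {entry: {"OUT"}}  # states possible on entry to each block
    worklist, reports = deque([entry]), set()
    while worklist:
        block = worklist.popleft()
        calls, succs = cfg[block]
        states = set(in_states[block])
        for call in calls:
            if call not in TRACKED:
                continue
            new_states = set()
            for st in states:
                nxt = TRANSITIONS.get((st, call))
                if nxt is None:          # would raise TransactionException
                    reports.add((block, call, st))
                    new_states.add(st)   # keep analysing past the error
                else:
                    new_states.add(nxt)
            states = new_states
        if not succs and "IN" in states:
            reports.add((block, "<exit>", "IN"))
        for s in succs:                  # propagate until a fixpoint
            if not states <= in_states.setdefault(s, set()):
                in_states[s] |= states
                worklist.append(s)
    return sorted(reports)


# Constructed sample: process() whose error branch throws with the transaction open.
SAMPLE_CFG = {
    "entry": (["beginTransaction", "arrayCopy"], ["ok", "fail"]),
    "ok": (["commitTransaction"], []),
    "fail": (["ISOException.throwIt"], []),
}
```

Running `check_cfg(SAMPLE_CFG)` reports the `fail` block, where the exception escapes the entry point before the transaction is committed or aborted; inserting `abortTransaction` on that branch clears the report.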
Copyright information
© 2008 IFIP International Federation for Information Processing
Cite this paper
Almaliotis, V., Loizidis, A., Katsaros, P., Louridas, P., Spinellis, D. (2008). Static Program Analysis for Java Card Applets. In: Grimaud, G., Standaert, FX. (eds) Smart Card Research and Advanced Applications. CARDIS 2008. Lecture Notes in Computer Science, vol 5189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85893-5_2
DOI: https://doi.org/10.1007/978-3-540-85893-5_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85892-8
Online ISBN: 978-3-540-85893-5