Using Coq to Verify Java CardTM Applet Isolation Properties

  • June Andronick
  • Boutheina Chetali
  • Olivier Ly
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2758)


This paper reports on the use of the Coq proof assistant for the formal verification of applet isolation properties in Java Card technology. We focus on the confidentiality property. We show how this property is verified for the card manager and the APIs, extending our earlier proof, which addressed the Java Card virtual machine. We also show how our verification method allows us to complete specifications and to improve the secure design of the platform; for instance, we describe how the proof of the integrity property brought a known bug to light. Finally, we present the benefits of higher-order modelling for handling the complexity of the system, proving security properties and, ultimately, constructing generic, reusable proof architectures.


Theorem Proving Smart Card Security 




Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • June Andronick (1)
  • Boutheina Chetali (1)
  • Olivier Ly (1)

  1. Schlumberger Systems, Advanced Research on Smart Cards, France
