Tool-Assisted Specification and Verification of the JavaCard Platform

  • Gilles Barthe
  • Pierre Courtieu
  • Guillaume Dufay
  • Simão Melo de Sousa
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2422)

Abstract

Bytecode verification is one of the key security functions of the JavaCard architecture. Its correctness is often cast relatively to a defensive virtual machine that performs checks at run-time, and an offensive one that does not, and can be summarized as stating that the two machines coincide on programs that pass bytecode verification. We review the process of establishing such a correctness statement in a proof assistant, and focus in particular on the problemof automating the construction of an offensive virtual machine and a bytecode verifier from a defensive machine.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    C. Alvarado and Q.-H. Nguyen. ELAN for equational reasoning in COQ. In J. Despeyroux, editor, Proceedings of LFM’00, 2000. Rapport Technique INRIA.Google Scholar
  2. 2.
    D. Aspinall and A. Compagnoni. Heap-bound assembly language. Manuscript, 2001.Google Scholar
  3. 3.
    F. Baader and T. Nipkow. Term Rewriting and All That. Cambridge University Press, 1998.Google Scholar
  4. 4.
    A. Banerjee and D. A. Naumann. Secure Information Flow and Pointer Confinement in a Java-like Language. In Proceedings of CSFW’02. IEEE Computer Society Press, 2002.Google Scholar
  5. 5.
    G. Barthe and P. Courtieu. Efficient Reasoning about Executable Specifications in Coq. In C. Muñoz and S. Tahar, editors, Proceedings of TPHOLs’02, volume 2xxx of Lecture Notes in Computer Science. Springer-Verlag, 2002. To appear.Google Scholar
  6. 6.
    G. Barthe, G. Dufay, M. Huisman, and S. Melo de Sousa. Jakarta: a toolset to reason about the JavaCard platform. In I. Attali and T. Jensen, editors, Proceedings of e-SMART’01, volume 2140 of Lecture Notes in Computer Science, pages 2–18. Springer-Verlag, 2001.Google Scholar
  7. 7.
    G. Barthe, G. Dufay, L. Jakubiec, and S. Melo de Sousa. A formal correspondence between offensive and defensive JavaCard virtual machines. In A. Cortesi, editor, Proceedings of VMCAI’02, volume 2294 of Lecture Notes in Computer Science, pages 32–45. Springer-Verlag, 2002.Google Scholar
  8. 8.
    G. Barthe, G. Dufay, L. Jakubiec, B. Serpette, and S. Melo de Sousa. A Formal Executable Semantics of the JavaCard Platform. In D. Sands, editor, Proceedings of ESOP’01, volume 2028 of Lecture Notes in Computer Science, pages 302–319. Springer-Verlag, 2001.Google Scholar
  9. 9.
    J. van den Berg and B. Jacobs. The LOOP Compiler for Java and JML. In T. Margaria and W. Yi, editors, Proceedings of TACAS’01, volume 2031 of Lecture Notes in Computer Science, pages 299–312, 2001.Google Scholar
  10. 10.
    M. Bezem, J. W. Klop, and R. de Vrijer, editors. Term Rewriting Systems. Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 2002.Google Scholar
  11. 11.
    P. Bieber, J. Cazin, V. Wiels, G. Zanon, P. Girard, and J.-L. Lanet. Electronic Purse Applet Certification. In S. Schneider and P. Ryan, editors, Proceedings of the Workshop on Secure Architectures and Information Flow, volume 32 of Electronic Notes in Theoretical Computer Science. Elsevier Publishing, 2000.Google Scholar
  12. 12.
    A. Bouhoula. Automated theorem proving by test set induction. Journal of Symbolic Computation, 23(1):47–77, January 1997.MATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    L. Casset. Development of an Embedded Verifier for JavaCard ByteCode using Formal Methods. In L.-H. Eriksson and P. A. Lindsay, editors, Proceedings of FME’02, Lecture Notes in Computer Science, 2002. To appear.Google Scholar
  14. 14.
    L. Casset, L. Burdy, and A. Requet. Formal Development of an Embedded Verifier for JavaCard ByteCode. In Proceedings of DSN’02. IEEE Computer Society, 2002.Google Scholar
  15. 15.
    L. Casset and J.-L. Lanet. A Formal Specification of the Java Byte Code Semantics using the B Method. In B. Jacobs, G. T. Leavens, P. Müller, and A. Poetzsch-Heffter, editors, Proceedings of Formal Techniques for Java Programs. Technical Report 251, Fernuniversität Hagen, 1999.Google Scholar
  16. 16.
    Z. Chen. Java Card for Smart Cards: Architecture and Programmer’s Guide. The Java Series. O’Reilly, 2000.Google Scholar
  17. 17.
    Y. Cheon and G. T. Leavens. A Simple and Practical Approach to Unit Testing: The JML and JUnit Way. In B. Magnusson, editor, Proceedings of ECOOP’02, volume 2374 of Lecture Notes in Computer Science, pages 231–255, 2002.Google Scholar
  18. 18.
    Coq Development Team. The Coq Proof Assistant User’s Guide. Version 7.2, January 2002.Google Scholar
  19. 19.
    J. Corbett, M. Dwyer, J. Hatcli., C. Pasareanu, Robby, S. Laubach, and H. Zheng. Bandera: Extracting Finite-state Models from Java Source Code. In Proceedings of ICSE’00, pages 439–448. ACM Press, 2000.Google Scholar
  20. 20.
    K. Crary and G. Morrisett. Type structure for low-level programming languages. In J. Wiedermann, P. van Emde Boas, and M. Nielsen, editors, Proceedings of ICALP’99, volume 1644 of Lecture Notes in Computer Science, pages 40–54, 1999.Google Scholar
  21. 23.
    S. N. Freund and J. C. Mitchell. The type systemfor object initialization in the Java bytecode language. ACM Transactions on Programming Languages and Systems, 21(6):1196–1250, November 1999.CrossRefGoogle Scholar
  22. 24.
    E. Giménez and O. Ly. Formal modeling and verification of the java card security architecture: from static checkings to embedded applet execution, 2002. Talk delivered at the Verificard’02 meeting, Marseille, 7–9 January 2002. Slides available at http://www-sop.inria.fr/lemme/verificard/2002/programme.html.
  23. 25.
    P. Hartel and L. Moreau. Formalizing the Safety of Java, the Java Virtual Machine and Java Card. ACM Computing Surveys, 33(4):517–558, December 2001.CrossRefGoogle Scholar
  24. 28.
    G. Klein and T. Nipkow. Verified bytecode verifiers. Theoretical Computer Science, 2002. Submitted.Google Scholar
  25. 29.
    Gemplus Research Labs. Java Card Common Criteria Certification Using Coq. Technical Report, 2001.Google Scholar
  26. 30.
    J.-L. Lanet and A. Requet. Formal Proof of Smart Card Applets Correctness. In J.-J. Quisquater and B. Schneier, editors, Proceedings of CARDIS’98, volume 1820 of Lecture Notes in Computer Science, pages 85–97. Springer-Verlag, 1998.Google Scholar
  27. 31.
    C. Laneve. A Type Systemfor JVM Threads. Theoretical Computer Science, 200x. To appear.Google Scholar
  28. 32.
    K. R. M. Leino. Extended Static Checking: A Ten-Year Perspective. In R. Wilhelm, editor, Informatics-10 Years Back, 10 Years Ahead, volume 2000 of Lecture Notes in Computer Science, pages 157–175, 2001.Google Scholar
  29. 33.
    X. Leroy. Java bytecode verification: an overview. In G. Berry, H. Comon, and A. Finkel, editors, Proceedings of CAV’01, volume 2102 of Lecture Notes in Computer Science, pages 265–285. Springer-Verlag, 2001.Google Scholar
  30. 34.
    X. Leroy. On-card bytecode verification for Java card. In I. Attali and T. Jensen, editors, Proceedings e-Smart 2001, volume 2140, pages 150–164. Springer-Verlag, 2001.Google Scholar
  31. 35.
    X. Leroy, D. Doligez, J. Garrigue, D. Rémy, and J. Vouillon. The Objective Caml system, release 3.00, 2000.Google Scholar
  32. 36.
    G. C. Necula. Proof-carrying code. In Proceedings of POPL’97, pages 106–119. ACM Press, 1997.Google Scholar
  33. 37.
    T. Nipkow. Verified Bytecode Verifiers. In F. Honsell and M. Miculan, editors, Proceedings of FOSSACS’01, volume 2030 of Lecture Notes in Computer Science, pages 347–363. Springer-Verlag, 2001.Google Scholar
  34. 38.
    T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic, volume 2283 of Lecture Notes in Computer Science. Springer-Verlag, 2002.MATHGoogle Scholar
  35. 39.
    J. Posegga and H. Vogt. Byte Code Verification for Java Smart Cards Based on Model Checking. In J.-J. Quisquater, Y. Deswarte, C. Meadows, and D. Gollmann, editors, Proceedings of the ESORICS’98, volume 1485 of Lecture Notes in Computer Science, pages 175–190. Springer-Verlag, 1998.Google Scholar
  36. 40.
    A. Requet. A B Model for Ensuring Soundness of a Large Subset of the Java Card Virtual Machine. In S. Gnesi, I. Schieferdecker, and A. Rennoch, editors, Proceedings of FMICS’00, pages 29–46, 2000.Google Scholar
  37. 41.
    N. Shankar, S. Owre, and J. M. Rushby. The PVS Proof Checker: A Reference Manual. Computer Science Laboratory, SRI International, February 1993. Supplemented with the PVS2 Quick Reference Manual, 1997.Google Scholar
  38. 42.
    R. Stata and M. Abadi. A type systemfor Java bytecode subroutines. ACM Transactions on Programming Languages and Systems, 21(1):90–137, January 1999.CrossRefGoogle Scholar
  39. 43.
    Sun Microsystems, Inc., Palo Alto/CA, USA. Java Card Platform Security, 2001. Technical White Paper.Google Scholar
  40. 44.
    Sun Microsystems, Inc., Palo Alto/CA, USA. Java Card 2.2 Application Programming Interface (API), 2002.Google Scholar
  41. 45.
    Sun Microsystems, Inc., Palo Alto/CA, USA. Java Card 2.2 Runtime Environment (JCRE) Specification, 2002.Google Scholar
  42. 46.
    Sun Microsystems, Inc., Palo Alto/CA, USA. Java Card 2.2 Virtual Machine Specification, 2002.Google Scholar
  43. 47.
    K. N. Swadi and A. W. Appel. Typed machine language and its semantics. Manuscript, 2001.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Gilles Barthe
    • 1
  • Pierre Courtieu
    • 1
  • Guillaume Dufay
    • 1
  • Simão Melo de Sousa
    • 1
  1. 1.INRIA Sophia-AntipolisFrance

Personalised recommendations