Verification of Safety Properties in the Presence of Transactions

  • Reiner Hähnle
  • Wojciech Mostowski
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3362)


The JavaCard transaction mechanism can ensure that a sequence of statements either is executed to completion or is not executed at all. Transactions make verification of JavaCard programs considerably more difficult, because they cannot be formalised in a logic based on pre- and postconditions. The KeY system includes an interactive theorem prover for JavaCard source code that models the full JavaCard standard including transactions. Based on a case study of realistic size we show the practical difficulties encountered during verification of safety properties. We provide an assessment of current JavaCard source code verification, and we make concrete suggestions towards overcoming the difficulties by design for verification. The main conclusion is that largely automatic verification of realistic JavaCard software is possible provided that it is designed with verification in mind from the start.
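As an added illustration, not code from the paper or its case study, the following JavaCard snippet shows the all-or-nothing behaviour the abstract refers to; it assumes the `javacard.framework` API of JavaCard 2.2 and a hypothetical `PurseState` class whose two persistent fields must stay consistent. The assignments inside the transaction only become definitive at `commitTransaction()`, which is why their effect cannot be captured by a plain postcondition on the individual statements.

```java
package example; // hypothetical package, not from the paper's case study

import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;

// Persistent purse state: both fields live in non-volatile memory and are
// rolled back together if the card is torn inside an open transaction.
public class PurseState {
    private short balance;     // safety property: balance >= 0 and ...
    private short updateCount; // ... every completed debit is counted

    // Unsafe: a card tear between the two assignments leaves the balance
    // decreased but the counter unchanged, violating the invariant.
    public void debitUnsafe(short amount) {
        if (amount < 0 || amount > balance) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        balance = (short) (balance - amount);
        updateCount++;
    }

    // Safe: both updates are bracketed by a transaction, so either both
    // become persistent at commitTransaction() or neither does.
    // beginTransaction() throws TransactionException if one is already open.
    public void debitAtomic(short amount) {
        if (amount < 0 || amount > balance) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        JCSystem.beginTransaction();
        balance = (short) (balance - amount);
        updateCount++;
        JCSystem.commitTransaction();
    }

    // Explicit rollback: after abortTransaction() both fields hold their
    // pre-transaction values although the assignments were executed.
    // Only persistent objects are restored; local variables are not.
    public boolean tryDebit(short amount) {
        JCSystem.beginTransaction();
        balance = (short) (balance - amount);
        updateCount++;
        if (balance < 0) { // post-check fails: undo both updates
            JCSystem.abortTransaction();
            return false;
        }
        JCSystem.commitTransaction();
        return true;
    }
}
```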


Keywords (machine-generated): Model Check; Smart Card; Safety Property; Sequent Calculus; Dynamic Logic





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Reiner Hähnle (1)
  • Wojciech Mostowski (1)
  1. Department of Computing Science, Chalmers University of Technology, Göteborg, Sweden
