Industrial Use of Formal Methods for a High-Level Security Evaluation

  • Boutheina Chetali
  • Quang-Huy Nguyen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5014)


This paper presents an effective use of formal methods for the development and for the security certification of smart card software. The approach is based on the Common Criteria’s methodology that requires the use of formal methods to prove that a product implements the claimed security level. This work led to the world-first certification of a commercial Java Card TM product involving all formal assurances needed to reach the highest security level. For this certification, formal methods have been used for the design and the implementation of the security functions of the Java Card system embedded in the product. We describe the refinement scheme used to meet the Common Criteria’s requirements on formal models and proofs. In particular, we show how to build the proof that the implementation ensures the security objectives claimed in the security specification. We also provide some lessons learned from this important application of formal methods to the smart cards industry.


Virtual Machine State Machine Formal Method Smart Card Security Policy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    The Coq Development Team. The Coq Proof Assistant.,
  2. 2.
    Sun Microsystems. Java Card 2.2 Virtual Machine Specification (2002),
  3. 3.
    Sun Microsystems. Java Card 2.2 Runtime Environment Specification (2002),
  4. 4.
    Sun Microsystems. Java Card 2.2 Application Programming Interface (2002),
  5. 5.
    Nguyen, Q.-H., Chetali, B.: Certifying Native Java Card API by Formal Refinement. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 313–328. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Andronick, J., Nguyen, Q.-H.: Certifying an Embedded Remote Method Invocation Protocol. In: Proc. of the 23th ACM Symposium on Applied Computing (SAC 2008), pp. 352–359. ACM Press, New York (2008)CrossRefGoogle Scholar
  7. 7.
    Sun Microsystems. Java Card System Protection Profile Collection - Version 1.1 (2003),
  8. 8.
    Bundesam für Sicherheit der Informationstechnik (BSI). Evualuation methodology for CC assurance classes for EAL5+, June, Version 1.00. Ref. AIS34 (2004)Google Scholar
  9. 9.
    Andronick, J., Chetali, B., Ly, O.: Using Coq to Verify Java Card Applet Isolation Properties. In: Basin, D., Wolff, B. (eds.) TPHOLs 2003. LNCS, vol. 2758, pp. 335–351. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Bert, D., Boulmé, S., Potet, M.-L., Requet, A., Voisin, L.: Adaptable Translator of B Specifications to Embedded C Programs. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 94–113. Springer, Heidelberg (2003)Google Scholar
  11. 11.
    Andronick, J., Chetali, B., Paulin-Mohring, C.: Formal Verification of Security Properties of Smart Card Embedded Source Code. In: Fitzgerald, J.S., Hayes, I.J., Tarlecki, A. (eds.) FM 2005. LNCS, vol. 3582, pp. 302–317. Springer, Heidelberg (2005)Google Scholar
  12. 12.
    Leroy, X.: Formal certification of a compiler back-end or: programming a compiler with a proof assistant. In: Procs. of POPL 2006, pp. 42–54. ACM Press, New York (2006)CrossRefGoogle Scholar
  13. 13.
    Blazy, S., Dargaye, Z., Leroy, X.: Formal verification of a c compiler front-end. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) FM 2006. LNCS, vol. 4085, pp. 460–475. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Barthe, G., Dufay, G.: Formal Methods for Smartcard Security. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2005. LNCS, vol. 3655, pp. 133–177. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Hartel, P.H., Moreau, L.: Formalising the Safety of Java, the Java Virtual Machine and Java Card. ACM Computing Surveys 33(4), 517–558 (2001)CrossRefGoogle Scholar
  16. 16.

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Boutheina Chetali
    • 1
  • Quang-Huy Nguyen
    • 1
  1. 1.Gemalto, Security LabsMeudon CedexFrance

Personalised recommendations