Implementing a High-Assurance Smart-Card OS

  • Paul A. Karger
  • David C. Toll
  • Elaine R. Palmer
  • Suzanne K. McIntosh
  • Samuel Weber
  • Jonathan W. Edwards
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6052)


Building a high-assurance, secure operating system for memory constrained systems, such as smart cards, introduces many challenges. The increasing power of smart cards has made their use feasible in applications such as electronic passports, military and public sector identification cards, and cell-phone based financial and entertainment applications. Such applications require a secure environment, which can only be provided with sufficient hardware and a secure operating system. We argue that smart cards pose additional security challenges when compared to traditional computer platforms. We discuss our design for a secure smart card operating system, named Caernarvon, and show that it addresses these challenges, which include secure application download, protection of cryptographic functions from malicious applications, resolution of covert channels, and assurance of both security and data integrity in the face of arbitrary power losses.


Smart Card Security Policy Authentication Protocol Covert Channel Memory Object 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Béguelin, S.Z.: Formalisation and verification of the GlobalPlatform card specification using the B method. In: Barthe, G., Grégoire, B., Huisman, M., Lanet, J.-L. (eds.) CASSIS 2005. LNCS, vol. 3956, pp. 155–173. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Bell, D.E., LaPadula, L.J.: Computer Security Model: Unified Exposition and Multics Interpretation. In: ESD–TR–75–306, The MITRE Corporation, Bedford, MA, HQ Electronic Systems Division, Hanscom AFB, MA (June 1975),
  3. 3.
    Biba, K.J.: Integrity Considerations for Secure Computer Systems. In: ESD–TR–76–372, The MITRE Corporation, Bedford, MA, HQ Electronic Systems Division, Hanscom AFB, MA (April 1977),
  4. 4.
    Dennis, J.B., Van Horn, E.C.: Programming semantics for multiprogrammed computations. ACM Commun. 9(3), 143–155 (1966)zbMATHCrossRefGoogle Scholar
  5. 5.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. on Information Theory IT-22(6), 644–654 (1976)CrossRefMathSciNetGoogle Scholar
  6. 6.
    Gray, J.N.: Notes on Data Base Operating Systems. LNCS, vol. 60, pp. 393–481. Springer, Berlin (1978)Google Scholar
  7. 7.
    IBM 4764 Model 001 PCI-X Cryptographic Coprocessor. Data Sheet G221-9091-05,
  8. 8.
    Karger, P.A., Kc, G.S., Toll, D.C.: Privacy is essential for secure mobile devices. IBM Journal of Research and Development 53(2) (2009)Google Scholar
  9. 9.
    Karger, P.A., Toll, D.C., McIntosh, S.K.: Processor requirements for a high security smart card operating system. In: Eighth e-Smart Conference, Eurosmart, Sophia Antipolis, France, September 19-21 (2007), IBM Research Div. Rpt. RC 24219 (W0703-091),
  10. 10.
    Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H., Kahn, C.E.: A retrospective on the VAX VMM security kernel. IEEE Trans. on Software Eng. 17(11), 1147–1165 (1991)CrossRefGoogle Scholar
  11. 11.
    Rankl, W., Effing, W.: Smart Card Handbook: Third Edition. John Wiley & Sons, Chichester (2003)CrossRefGoogle Scholar
  12. 12.
    Schellhorn, G., Reif, W., Schairer, A., Karger, P., Austel, V., Toll, D.: Verification of a formal security model for multiapplicative smart cards. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 17–36. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  13. 13.
    Scherzer, H., Canetti, R., Karger, P.A., Krawczyk, H., Rabin, T., Toll, D.C.: Authenticating Mandatory Access Controls and Preserving Privacy for a High-Assurance Smart Card. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 181–200. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Toll, D.C., Karger, P.A., Palmer, E.R., McIntosh, S.K., Weber, S.: The Caernarvon secure embedded operating system. Operating Systems Review 42(1), 32–39 (2008)CrossRefGoogle Scholar
  15. 15.
    Whitmore, J., Bensoussan, A., Green, P., Hunt, D., Kobziar, A., Stern, J.: Design for Multics security enhancements. In: ESD–TR–74–176, Honeywell Information Systems, Inc., HQ Electronic Systems Division, Hanscom AFB, MA (December 1973),

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Paul A. Karger
    • 1
  • David C. Toll
    • 1
  • Elaine R. Palmer
    • 1
  • Suzanne K. McIntosh
    • 1
  • Samuel Weber
    • 1
  • Jonathan W. Edwards
    • 2
  1. 1.IBM Thomas J. Watson Research CenterYorktown HeightsUSA
  2. 2.IBM Global Business ServicesLexingtonUSA

Personalised recommendations