Certifying Native Java Card API by Formal Refinement

  • Quang-Huy Nguyen
  • Boutheina Chetali
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3928)


This paper describes a refinement-based approach to showing that a native Java Card API function fulfills its specification. We refine a native function from its informal specification (by Sun) through several intermediate models into a low-level model that is very close to its C implementation. We formally prove the correctness of each refinement step between two adjacent levels. The low-level model is sufficiently detailed that its correspondence to the C implementation can be checked informally. This work provides a framework for enforcing the security of native code by formal analysis and can be generalized to verify a complete implementation of the Java Card platform.





Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Quang-Huy Nguyen (1)
  • Boutheina Chetali (1)

  1. Axalto, Smart Cards Research, Louveciennes, France
