Verification of JAVA CARD Applets Behavior with Respect to Transactions and Card Tears

The Java Card transaction mechanism makes it possible to protect sensitive operations on smart cards against problems caused by card tears or power losses. Statements within a transaction are viewed as a single atomic operation, so that either all of them are performed or none of them is. KRAKATOA is a tool for static verification of Java programs annotated in JML (Java Modeling Language), a behavioral specification language tailored to Java and based on first-order predicate logic. In a first step, we show how we modeled transactions within KRAKATOA by generating on-the-fly (i.e. for each applet) specifications of the API methods for transactions. In a second step, we consider security problems that can be caused by a card tear. We propose new JML constructs that make it possible to express properties that must hold when a method is interrupted by a card tear, also taking non-atomic methods into account. We present a modeling of these constructs in KRAKATOA, and show that it is practicable for detecting potential security holes, or for proving the absence of risk.
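To illustrate the kind of applet behavior the abstract is about, here is an added example (not code from the paper or from KRAKATOA) of a hypothetical purse applet in which two persistent fields must change together: one method is exposed to a card tear between its two writes, the other wraps both writes in a Java Card transaction so the runtime rolls them back together if power is lost. The JML annotations use only standard `requires`/`ensures`/`invariant` clauses describing normal completion; the paper's new card-tear constructs are not reproduced here, and the package and class names are assumptions.

```java
package example; // hypothetical package, not from the paper

import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;

/** Hypothetical purse: balance and audit counter are persistent and must stay in step. */
public class Purse {
    private short balance;     // persistent (EEPROM) field
    private short logCounter;  // persistent audit counter, incremented on every debit

    // Exposed to card tears: a tear between the two assignments leaves the
    // balance debited but the counter not incremented, an inconsistent state
    // that no later command can distinguish from a legitimate one.
    //@ requires amount >= 0 && balance >= amount;
    //@ ensures balance == \old(balance) - amount && logCounter == \old(logCounter) + 1;
    public void debitUnsafe(short amount) {
        if (amount < 0 || balance < amount) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        balance = (short) (balance - amount);
        logCounter = (short) (logCounter + 1); // tear before this line => fields disagree
    }

    // Protected: both writes sit inside one transaction, so on a card tear
    // before commit the Java Card runtime restores both fields to their
    // pre-transaction values; the postcondition then holds on normal
    // completion and the invariant survives an interruption.
    //@ invariant logCounter >= 0;
    //@ requires amount >= 0 && balance >= amount;
    //@ ensures balance == \old(balance) - amount && logCounter == \old(logCounter) + 1;
    public void debit(short amount) {
        if (amount < 0 || balance < amount) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        JCSystem.beginTransaction();
        try {
            balance = (short) (balance - amount);
            logCounter = (short) (logCounter + 1);
            JCSystem.commitTransaction();
        } catch (RuntimeException e) {
            // Undo partial updates if anything failed before commit completed.
            if (JCSystem.getTransactionDepth() != 0) {
                JCSystem.abortTransaction();
            }
            throw e;
        }
    }
}
```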
