An Observe-and-Detect Methodology for the Security and Functional Testing of Smart Card Applications

Smart cards are tamper-resistant devices, but vulnerabilities are sometimes discovered. In this paper we address the security and functional testing of applications embedded in smart cards. We propose an original methodology for the evaluation of applications and show its benefit by comparing it to a classical certification process. The proposed method is based on observing the APDU (Application Protocol Data Unit) communication with the smart card. Specific properties are verified as a complement to the evaluation process, which allows the on-the-fly detection of an anomaly and of the reasons that triggered it during the test. We present two uses of this method: a simple one that illustrates how properties are used to verify an implementation of an application, and a more complex one that applies fuzzing to show what the proposed approach can yield, i.e. an analysis of an anomaly.
