Checking Absence of Illicit Applet Interactions: A Case Study

This paper presents the use of a method - and its corresponding tool set - for compositional verification of applet interactions on a realistic industrial smart card case study. The case study, an electronic purse, is provided by smart card producer Gemplus as a test case for formal methods for smart cards. The verification method focuses on the possible interactions between different applets co-existing on the same card, and provides a technique to specify and detect illicit interactions between these applets. The method is compositional, thus supporting post-issuance loading of applets: the correctness of a global system property can be inferred algorithmically from local applet properties, and later, when applets are loaded onto a card, their implementations are matched against these local properties in order to guarantee the global property. The theoretical framework underlying our method has been presented elsewhere; the present paper evaluates its practical usability by means of an industrial case study. In particular, we outline the tool set that we have assembled to support the verification process, combining existing model checkers with newly developed tools tailored to our method.
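The two-phase scheme the abstract describes (first derive a global property from local applet properties, then check each loaded implementation against its own local property) can be illustrated with a deliberately small model. The following is an added example written for this page, not the paper's tool set or its simulation-logic framework: it abstracts an applet to a call graph, a local property to the set of other-applet methods the applet may call, and the global property to "applet X can never, directly or via intermediaries, cause a call to method M". The Purse and Loyalty applet names echo the case-study setting, but their methods, call graphs and the property checked are constructed for this example.

```python
"""Toy compositional check of applet interactions (added illustration, not the
paper's method).  Assumed abstractions: an applet is a call graph
(method -> set of callee methods, named "Applet.method"); a local property is
the set of external methods the applet may call; the global property is
"start_applet never (transitively) reaches forbidden_method"."""
from collections import deque

# Constructed sample applets.  The names Purse/Loyalty are borrowed from the
# case-study setting; the call graphs themselves are invented for this example.
PURSE = {
    "Purse.debit":          {"Purse.logTransaction", "Loyalty.addPoints"},
    "Purse.credit":         {"Purse.logTransaction"},
    "Purse.getBalance":     set(),
    "Purse.logTransaction": set(),
}
LOYALTY_OK = {
    "Loyalty.addPoints": set(),
    "Loyalty.getPoints": {"Purse.getBalance"},
}
LOYALTY_BAD = {
    "Loyalty.addPoints": set(),
    "Loyalty.getPoints": {"Purse.getBalance", "Purse.debit"},  # illicit call
}

# Local properties (constructed): external methods each applet may call.
LOCAL_PROPS = {
    "Purse":   {"Loyalty.addPoints"},
    "Loyalty": {"Purse.getBalance"},
}


def applet_of(method):
    """'Purse.debit' -> 'Purse'."""
    return method.split(".", 1)[0]


def external_calls(applet_name, call_graph):
    """Other-applet methods an implementation actually calls."""
    return {c for callees in call_graph.values() for c in callees
            if applet_of(c) != applet_name}


def local_violations(applet_name, call_graph, local_props):
    """External calls the implementation makes that its local property does
    not allow.  Empty set => implementation matches its local property."""
    return external_calls(applet_name, call_graph) - local_props[applet_name]


def reachable_methods(start_applet, local_props):
    """Methods reachable from start_applet when every applet behaves as its
    local property permits, i.e. the maximal behaviour the properties allow.
    This is the composition of local properties; no implementation is used."""
    seen, visited, frontier = set(), set(), deque([start_applet])
    while frontier:
        applet = frontier.popleft()
        if applet in visited:
            continue
        visited.add(applet)
        for method in local_props.get(applet, set()):
            seen.add(method)
            frontier.append(applet_of(method))
    return seen


def global_property_holds(start_applet, forbidden_method, local_props):
    """Phase 1: decide the global property from local properties alone."""
    return forbidden_method not in reachable_methods(start_applet, local_props)


def load_time_check(implementations, local_props):
    """Phase 2 (post-issuance loading): every implementation must match its
    local property.  Returns the offending calls for each rejected applet;
    an empty dict means the whole set may be loaded."""
    rejected = {}
    for name, graph in implementations.items():
        bad = local_violations(name, graph, local_props)
        if bad:
            rejected[name] = bad
    return rejected


if __name__ == "__main__":
    print("global property holds:",
          global_property_holds("Loyalty", "Purse.debit", LOCAL_PROPS))
    print("load OK applets:",
          load_time_check({"Purse": PURSE, "Loyalty": LOYALTY_OK}, LOCAL_PROPS))
    print("load BAD applets:",
          load_time_check({"Purse": PURSE, "Loyalty": LOYALTY_BAD}, LOCAL_PROPS))
```

The split mirrors the abstract's argument: because each local property over-approximates the external calls of any implementation that passes `load_time_check`, a global property established once on the composition of local properties carries over to every set of implementations accepted at load time, so the global check never has to be repeated when a new applet is added. With the constructed properties, `Loyalty` cannot reach `Purse.debit`; the `LOYALTY_BAD` implementation is rejected at load time for calling it, and if the local property were loosened to allow that call the global check itself would fail. The paper's own framework replaces these call-target sets with behavioural interfaces checked by model checkers; this toy keeps only the compositional structure.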
