Simulation Logic, Applets and Compositional Verification

We present a compositional verification method for control flow based safety properties of smart card applets. Our method rests on a close correspondence between transition system models ordered by simulation and Hennessy-Milner logic extended with simultaneous greatest fixed points. We show that simulation can be characterised logically and, vice versa, logical satisfaction can be represented behaviourally by a maximal model for a given formula. Based on these results and earlier ideas by Grumberg and Long we develop a compositional verification technique, where maximal models replace logical assumptions to reduce compositional verification to standard model checking. However, in the context of applets, equipped with interfaces, this technique needs to be refined. Since for a given behavioural formula and interface a maximal applet does not always exist, we propose a two-level approach, where local assumptions restrict the control flow \emph{structure} of applets, while the global property restricts the control flow \emph{behaviour} of the system. By separating the tasks of verifying global and local properties of applets, our method supports secure post-issuance loading of new applets onto a smart card.