Using Coq to Verify Java Card Applet Isolation Properties

This paper reports on the use of the Coq proof assistant for the formal verification of applet isolation properties in Java Card technology. We focus on the confidentiality property. We show how this property is verified by the card manager and the APIs, extending our earlier proof, which addressed the Java Card virtual machine. We also show how our verification method allows us to complete specifications and to improve the secure design of the platform. For instance, we describe how the proof of integrity sheds light on a known bug. Finally, we present the benefits of using higher-order modelling to handle the complexity of the system, to prove security properties and, eventually, to construct generic, reusable proof architectures.
