Industrial Use of Formal Methods for a High-Level Security Evaluation

This paper presents an effective use of formal methods for the development and security certification of smart card software. The approach is based on the Common Criteria methodology, which requires the use of formal methods to prove that a product implements the claimed security level. This work led to the first certification worldwide of a commercial Java Card™ product involving all the formal assurances needed to reach the highest security level. For this certification, formal methods were used for the design and the implementation of the security functions of the Java Card system embedded in the product. We describe the refinement scheme used to meet the Common Criteria requirements on formal models and proofs. In particular, we show how to build the proof that the implementation ensures the security objectives claimed in the security specification. We also provide some lessons learned from this important application of formal methods in the smart card industry.
