Abstract
Smart card applications often handle privacy-sensitive information, and therefore must obey certain security policies. Typically, such policies are described as high-level security properties, stating for example that no PIN verification may take place within a transaction.
Behavioural interface specification languages, such as JML (Java Modeling Language), have been used successfully to validate functional properties of smart card applications. However, high-level security properties cannot be expressed directly in such languages. Therefore, this paper proposes a method to translate high-level security properties into JML annotations. The method synthesises appropriate annotations and weaves them throughout the application, so that security policies can be validated using existing tools for JML. The method is general and applies to a large class of security properties.
To validate the method, it has been applied to several realistic examples of smart card applications. This allowed us to find violations of the documented security policies in some of these applications.
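As an added illustration (not code from the paper), the property "no PIN verification within a transaction" woven into a Java Card applet as JML annotations: a ghost field tracks the transaction state, `set` statements update it where the state changes, and a precondition on the PIN check expresses the property. The applet, its methods and the status word are hypothetical.

```java
// Added example, not from the paper: the property "no PIN verification
// within a transaction" expressed as JML annotations over ghost state.
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;

public class PurseApplet extends Applet {           // hypothetical applet
    //@ public ghost boolean inTransaction = false;  // synthesised ghost state

    private final OwnerPIN pin = new OwnerPIN((byte) 3, (byte) 4);
    private short balance = 0;

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PurseApplet().register();
    }

    //@ requires !inTransaction;
    //@ ensures inTransaction;
    private void beginTransaction() {
        JCSystem.beginTransaction();
        //@ set inTransaction = true;   // woven ghost update
    }

    //@ requires inTransaction;
    //@ ensures !inTransaction;
    private void commitTransaction() {
        JCSystem.commitTransaction();
        //@ set inTransaction = false;  // woven ghost update
    }

    // The security property itself: a PIN check may never run inside a transaction.
    //@ requires !inTransaction;
    private boolean verifyPin(byte[] buf, short off, byte len) {
        return pin.check(buf, off, len);
    }

    // Conforming use: the PIN is verified before the transaction is opened.
    //@ requires !inTransaction;
    private void credit(byte[] buf, short off, byte len, short amount) {
        if (!verifyPin(buf, off, len)) {
            ISOException.throwIt((short) 0x6982);  // security status not satisfied
        }
        beginTransaction();
        balance += amount;
        commitTransaction();
    }

    public void process(APDU apdu) { /* APDU dispatch omitted */ }
}
```

Moving the `verifyPin` call to after `beginTransaction()` would violate its `requires` clause, which a JML checker reports as a precondition failure at that call site.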
© 2004 Springer Science + Business Media, Inc.
Pavlova, M., Barthe, G., Burdy, L., Huisman, M., Lanet, JL. (2004). Enforcing High-Level Security Properties for Applets. In: Quisquater, JJ., Paradinas, P., Deswarte, Y., El Kalam, A.A. (eds) Smart Card Research and Advanced Applications VI. IFIP International Federation for Information Processing, vol 153. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8147-2_1
DOI: https://doi.org/10.1007/1-4020-8147-2_1
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4020-8146-0
Online ISBN: 978-1-4020-8147-7