Load Time Security Verification

  • Conference paper
Information Systems Security (ICISS 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7093)

Abstract

Modern multi-application smart cards can be an integrated environment where applications from different providers are loaded on the fly and collaborate to make cardholders' lives easier. This initiative requires an embedded verification mechanism to ensure that all applications on the card respect the application interaction policy.

The Security-by-Contract approach to load-time verification consists of two phases. In the first phase, the loaded code is verified to comply with the supplied contract. In the second phase, the contract is matched against the smart card security policy. The paper focuses on the first phase and describes an algorithm for static analysis of the loaded bytecode on Java Card. It also reports on an implementation of this algorithm that can be embedded on a real smart card.

Work partially supported by the EU under grant EU-FP7-FET-IP-Secure Change.




© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gadyatskaya, O., Lostal, E., Massacci, F. (2011). Load Time Security Verification. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2011. Lecture Notes in Computer Science, vol 7093. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25560-1_17

  • DOI: https://doi.org/10.1007/978-3-642-25560-1_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25559-5

  • Online ISBN: 978-3-642-25560-1

  • eBook Packages: Computer Science, Computer Science (R0)
