Abstract
The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system typically used for sandboxing application programs dynamically loaded on the chip. High-level (EAL5+) evaluation of the chip requires a formal security model.
We formally model the memory management system as an Interacting State Machine and prove, using Isabelle/HOL, that the associated security requirements are met. We demonstrate that our approach enables an adequate level of abstraction, which results in an efficient analysis, and that it points out potential pitfalls such as noninjective address translation.
von Oheimb, D., Lotz, V. & Walter, G. Analyzing SLE 88 memory management security using Interacting State Machines. Int J Inf Secur 4, 155–171 (2005). https://doi.org/10.1007/s10207-004-0057-5