A Formal Correspondence between Offensive and Defensive JavaCard Virtual Machines

Barthe, Gilles; Dufay, Guillaume; Jakubiec, Line; Sousa, Simão Melo de

doi:10.1007/3-540-47813-2_3

Cited by 20 publications

(11 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The process of delegation works as described below and shown in figure 3b: In both Java Card and Multos, additional measures are implemented in conjunction with the firewall mechanism to protect the platform. These measures include byte-code verification (on-card and off-card) [16,17], strict mechanism to install applications [18] and virtual machine based security mechanisms [19,20].…”

Section: Firewall Mechanism In Multosmentioning

confidence: 99%

Firewall Mechanism in a User Centric Smart Card Ownership Model

Akram

Markantonakis

Mayes

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Multi-application smart card technology facilitates applications to securely share their data and functionality. The security enforcement and assurance in application sharing is provided by the smart card firewall. The firewall mechanism is well defined and studied in the Issuer Centric Smart Card Ownership Model (ICOM), in which a smart card is under total control of its issuer. However, it is not analysed in the User Centric Smart Card Ownership Model (UCOM) that delegates the smart card control to their users. In this paper, we present UCOM's security requirements for the firewall mechanism and propose a generic framework that satisfies them.

show abstract

Section: Firewall Mechanism In Multosmentioning

confidence: 99%

Firewall Mechanism in a User Centric Smart Card Ownership Model

Akram

Markantonakis

Mayes

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Note that for the clarity of presentation, the Coq code presented below is a simplified account of [3,4].…”

Section: Applications To Javacardmentioning

confidence: 99%

“…Further, we illustrate the benefits of the package in reasoning about executable specifications of the JavaCard platform [3,4], and show how its use yields compact proofs scripts, up to 10 times shorter than proofs constructed "by hand", see Section 3. Related work is discussed in Section 3.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Reasoning about Executable Specifications in Coq

Barthe

Courtieu

2002

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We describe a package to reason efficiently about executable specifications in Coq. The package provides a command for synthesizing a customized induction principle for a recursively defined function, and a tactic that combines the application of the customized induction principle with automatic rewriting. We further illustrate how the package leads to a drastic reduction (by a factor of 10 approximately) of the size of the proofs in a large-scale case study on reasoning about JavaCard.

show abstract

“…Barthe, Dufay, Jakubiec and de Sousa [BDJdS02] formalized this intuition by considering the actual virtual machine (which is called offensive) as an abstraction of the tagged (defensive) machine, and proving that the former correctly abstracts the latter, whenever the latter does not raise a type error (which is true for verifiable bytecode). Working directly with an untagged semantics immediately frees from of the risk of making unwanted implicit typing assumptions.…”

Section: Discussionmentioning

confidence: 99%

Computing Stack Maps with Interfaces

Besson

Jensen

Turpin

ECOOP 2008 – Object-Oriented Programming

View full text Add to dashboard Cite

Lightweight bytecode verification uses stack maps to annotate Java bytecode programs with type information so that the checker only has to validate this typing, without having to do any data flow analysis. This report describes an improved analysis technique together with algorithms for optimizing the stack maps generated by the analyser. The improved analyser is based on a modified version of the abstract domain. This domain is simplified in its treatment of base values, keeping only the necessary information to ensure the memory safety property. It is richer in its representation of interface types, using the known Dedekind-MacNeille completion technique to construct abstract domain elements representing sets of interfaces. Tracking interface information allows to remove the dynamic checks at interface method invocations. We prove the memory safety property guaranteed by the verifier using an operational semantics whose distinguishing feature is a low-level memory model operating on untagged 32-bit values, as opposed to the standard, higherlevel memory models using tagged base values. For bytecode that is typable without sets of types (this includes any code compiled from Java) we show how to prune the fix-point to obtain a stack map that can be validated without the interface set computations arising from this extension. In the context of lightweight verification, this is an advantage as it does not make the checking more complex or costly. The size of the stack maps is not significantly modified. Experiments show that the pruning can be done by reasonably efficient (though in theory exponential) algorithms that uses heuristics to explore the space of valid program typings from the least fixpoint generated by the analyser. Stack maps for three substantial test suites were correctly handled by the optimized (but incomplete) pruning algorithm. Calcul de certificats avec interfacesRésumé : La vérification de bytecode "lightweight" utilise des certificats pour anotter les programmes en bytecode Java avec une information de type, de telle sorte que le verifieur de bytecode n'ait plus qu'à vérifier ce typage, sans avoir besoin de faire une quelconque analyse de flot de données. Nous décrivons une technique de vérification améliorée, coupléeà des algorithmes qui optimisent les certificats générés par l'analyseur. L'analyseur amélioré est fondé sur une version modifiée du domaine abstrait pour la vérification de bytecode. Ce domaine est simplifié en ce qui concerne le traitement des valeurs de base, et conserve seulement l'information nécessaire pour assurer la propriété de sûreté mémoire. Il est plus riche dans sa représentation des types interfaces, utilisant la technique connue de complétion de Dedekind-MacNeille pour construire deséléments du domaine abstrait qui représentent des ensembles d'interfaces. La vérification des interfaces permet de supprimer les contrôles dynamiques lors des appels de méthodes d'interfaces. Nous prouvons que la propriété de sûreté mémoire garantie par le vérifieur est assur...

show abstract

A Formal Correspondence between Offensive and Defensive JavaCard Virtual Machines

Cited by 20 publications

References 15 publications

Firewall Mechanism in a User Centric Smart Card Ownership Model

Firewall Mechanism in a User Centric Smart Card Ownership Model

Efficient Reasoning about Executable Specifications in Coq

Computing Stack Maps with Interfaces

Contact Info

Product

Resources

About