Certifying Native Java Card API by Formal Refinement

Abstract: Abstract. This paper describes a refinement-based approach to show that a native Java Card API function fulfills its specification. We refine a native function from its informal specification (by Sun) through several intermediate models into a low-level model which is very close to its C implementations. We formally prove the correctness of the refinement steps between two adjacent levels. The low-level model is sufficiently detailed such that its correspondence to the C implementation can be informally checke… Show more

“…On the other hand, native methods are directly represented by Coq functions. Since the correctness of native methods has already been addressed in a previous work (see [9]), we only present here the HLD models of the Java methods.…”

“…At this point we have to take into consideration the fact that native methods have already been proved correct with respect to their specification (see [9]). In the FSP model, native methods are modeled in the same way as the Java methods, i.e., by a precondition P renat and a postcondition P ostnat.…”

“…This ensures that the actual implementation on card of the JCRMI protocol is correct with respect to Sun informal specification (see Figure 1). We present here the formal proof of the correctness of the Java methods (the correctness of the native methods has been described in [9]). Then, we show that the overall correctness can be preserved when combining the Java code portions and the native portions.…”

“…A Java method can invoke native functions written in C. In the HLD level, a native method is modeled directly as a Coq function (see [9]), not using the Java-like syntax. In other words, an interface is needed to combine the model of the native code and the one of the Java methods.…”

Certifying an embedded remote method invocation protocol

“…On the other hand, native methods are directly represented by Coq functions. Since the correctness of native methods has already been addressed in a previous work (see [9]), we only present here the HLD models of the Java methods.…”

“…At this point we have to take into consideration the fact that native methods have already been proved correct with respect to their specification (see [9]). In the FSP model, native methods are modeled in the same way as the Java methods, i.e., by a precondition P renat and a postcondition P ostnat.…”

“…This ensures that the actual implementation on card of the JCRMI protocol is correct with respect to Sun informal specification (see Figure 1). We present here the formal proof of the correctness of the Java methods (the correctness of the native methods has been described in [9]). Then, we show that the overall correctness can be preserved when combining the Java code portions and the native portions.…”

“…A Java method can invoke native functions written in C. In the HLD level, a native method is modeled directly as a Coq function (see [9]), not using the Java-like syntax. In other words, an interface is needed to combine the model of the native code and the one of the Java methods.…”

Certifying an embedded remote method invocation protocol

Formal Verification of a JavaCard Virtual Machine with Frama-C

Proof of Security Properties: Application to JavaCard Virtual Machine