Refine
Year of publication
Document Type
- Part of a Book (26)
- Article (22)
- Report (13)
- Conference Proceeding (4)
- Doctoral Thesis (1)
Keywords
- Verifikation (5)
- Java (4)
- Modellgetriebene Entwicklung (3)
- Codegenerierung (2)
- Informationsfluss (2)
- Multidisciplinary (2)
- Programmverifikation (2)
- Security Protocol (2)
- UML (2)
- code generation (2)
Institute
Smart cards are used in security critical applications where money or private data is involved. Examples are the German Geldkarte or new passports with biometrical data. Design or programming errors can have severe consequences. Formal methods are the best means to avoid errors. Java Card is a restricted version of Java to program smart cards. This work presents a logical calculus to formally prove the correctness and security of Java Card programs. The calculus is implemented in the KIV system, and ready for use. First, an operational big-step semantics for sequential Java is presented based on algebraic specifications. All Java language constructs are modeled. Then, a sequent calculus for dynamic logic for Java Card is developed, and the correctness of the calculus is formally proved. The calculus is designed to support libraries, the reuse of proofs, and program modifications. This entails two different notions of type soundness, the standard one, and a weaker version. Furthermore, the calculus is not restricted to Java Card, but can be used for arbitrary sequential Java program. The work ends with some intricate examples. All properties and theorems are formally proved with the KIV system. The resulting verification system is able to cope with real-life e-commerce applications.
This report is concerned with the formal verification of JavaCard programs, or sequentiel Java programs. A calculus in dynamic logic is presented. This calculus is implemented in KIV, and ready for use. It is the first implemented proof system for JavaCard. KIV parses the original JavaCard (or Java) program, resolves names and types in the same manner as a normal Java compiler, and produces an annotated abstract syntax tree that is the input for the verification. All sequential Java statements (i.e. all Java statements except synchronized), and all Java expressions are handled. Exceptions, breaks, static initialization, objects, dynamic method lookup, and arrays are supported. This report is intended as a reference manual for the calculus. The abstract syntax of Java programs, the proof rules, and the underlying algebraic specifications for the object store and the primitive data types, and a formal semantic is described in detail. An example proof and a list of validation programs conclude the report.
We present a refinement method for Java programs which is motivated by the challenge of verifying security protocol implementations. The method can be used for stepwise refinement of abstract specifications down to the level of code running in the real application. The approach is based on a calculus for the verification of Java programs for the concrete level and Abstract State Machines for the abstract level. In this paper we illustrate our approach with the verification of a MCommerce application for buying movie tickets using a mobile phone written in J2ME. The approach uses the interactive theorem prover KIV.
Java programs often use pointer structures for normal computations. A verification system for Java should have good proof support for reasoning about those structures. However, the literature for pointer verification almost always uses specifications and definitions that are tailored to the problem under consideration. We propose a generic specification for Java pointer structures that allows to express many important properties, and is easy to use in proofs. The specification is part of the Java calculus in the KIV prover.
In this paper we introduce three different implementations for the Mondex electronic purse verification challenge [Woo06] [SCW00]. In previous work ([SGHR06] [SGH+07] and [HSGR06]) we verified security and correctness properties of the Mondex money transfer protocol. Here we present a way to translate the formal specifications into running JavaCard code. We introduce three different ways to implement the protocol, one using symmetric cryptography, one using asymmetric cryptography and finally one using special datatypes for cryptographic protocols and symmetric cryptography. All implementations presented in this paper are able to run on a Gemplus GemxpressoRAD ProR3 SmartCard.
In this paper we introduce a method to apply model-driven ideas to the development of secure systems. Using MDD techniques, our approach, called SecureMDD, provides a possibility to verify the correctness of a system at the modelling stage. To do so, we generate different platformspecific models from one common platform-independent UML model. The considered platforms are JavaCard and a formal model. The formal model is used for the verification of security properties. For the verification results to carry over to the Java(Card) code, these models have to be equivalent with respect to security aspects. This requires complete code generation without the possibility to manually complete the Java(Card) code. To devise such sophisticated models, we extend action elements of activity diagrams. In this paper we focus on the part of our approach which is used to generate secure smartcard code.
Model-Driven Development of Secure Service Applications introduced by a Banking System Example
(2012)
SecureMDD is a model-driven approach to develop security-critical systems. It uses a model that represents an application and generates executable code as well as a formal specification that can be used to prove security properties. In our previous works we considered secure smart card application and now we focus on secure service applications. In this report we describe the modelling of services, their communication and their security. We also show the generated code and explain the integration of services in the formal model. To demonstrate our approach we show a banking system which uses smart cards and services.
As personal information moves from home computers to mobile devices, protection against information leaks and data theft becomes an increasingly important and current issue. We develop a model-driven approach called IFlow which allows a developer to model mobile Android applications with complex information flow properties using UML. Using model-to-model and model-to-code transformations we generate code skeletons for those applications and verify noninterference properties using a language-based approach. Further, we will use those properties as lemmas for a formal verification of an automatically generated formal representation of the modeled application. In this report, we focus on automatic code generation, evaluation of language-based information flow control solutions and deployment of generated code to target platforms.
This report presents an approach called IFlow which allows the model-driven development of secure systems regarding information flow. The approach focuses on the application domain of mobile applications and web services. A developer starts by creating an abstract UML model of a system where he can additionally specify information flow properties the system must satisfy. From the model, Java code is generated together with an information flow policy that can be checked by automated analysis tools like Jif or Joana. In addition, the UML model is transformed into a formal specification which is the basis for formal reasoning within our formal framework including the interactive theorem prover KIV. While automated tools are designed for the simple property of noninterference, formal verification allows to express more complex properties. In order that the results of verification can be carried to the code level and that the results of automated code analysis can be used as lemmas for formal verification, an information flow-preserving refinement relation is established between the formal specification and the code. The focus of this report is on the aspects of formal verification.
The SecureMDD project provides a software engineering approach to develop secure smart card applications. The approach is model-driven and integrates formal verification to guarantee the security of the application under development. Furthermore, based on a platform-independent UML model of the application under development, the approach is able to generate executable source code for the smart cards and terminals of the application. The whole approach is fully supported by tools and all model-to-model- as well as model-to-text-transformations are fully implemented.
This paper contains the implementation of the transformations that generate a formal specification out of the platform-independent UML model of an application. The formal specification is based on algebraic specifications and Abstract State Machines (ASM). The formal model can be loaded into the interactive theorem prover KIV and is used to verify security properties for the modeled application.
The SecureMDD project provides a software engineering approach to develop secure smart card applications. The approach is model-driven and integrates formal verification to guarantee the security of the application under development. Furthermore, based on a platform-independent UML model of the application under development, the approach is able to generate executable source code for the smart cards and terminals of the application. The whole approach is fully supported by tools and all model-to-model as well as model-to-text transformations are fully implemented.
This paper contains the implementation of the transformations that generate executable source code out of a platform-independent UML model of an application.
