Download L. Lanet: Modeling Java Card with the B formal method.

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
Document related concepts
no text concepts found
Transcript 
Smart Card Modeling
Gemplus Research Lab
Saint Malo, 8-9 July 1999
[email protected]
4/29/2017
1
Bull & Innovatron Patents
Action Coopérative Java Card
Outline
 Motivations
 The B Method
 Java Card Mechanisms:
 Verifier
 Interpreter
 Firewall
 Conclusions
4/29/2017
2
Bull & Innovatron Patents
Action Coopérative Java Card
Motivations
 Applications are developed by the card provider in a
secure environment,
 Drawbacks:
 time consuming
 costly
Responses
Commands
Operating System +
Application
Chip
4/29/2017
3
Bull & Innovatron Patents
Action Coopérative Java Card
Open cards...
 Applications developed by the customer or
any application provider,
Downloadable
 Dynamically downloaded through a network applications
Data
Responses
Commands
Secure Virtual
Machine
Operating System
Chip
4/29/2017
4
Bull & Innovatron Patents
Action Coopérative Java Card
Instructions
...and the sharing mechanism
 The Java Card specification provides a mechanism to
share data between several applets,
 For example: a purse and a loyalty applet can share
methods and/or objects,
 Due to the limited resources of the smart cards new
services or libraries will be offered.
A share with B a method
Purse Applet
Log
Log.getTransaction
Applet Provider A
B share with C a method
Loyalty Applet
Buffer
Buffer
Buffer.reSell
Applet Provider B
JCRE
4/29/2017
5
Bull & Innovatron Patents
Hostile Applet
Action Coopérative Java Card
Applet Provider C
New security problems
 Applications are no more developed under card
issuer control,
 Naïve implementation can ease DPA attacks,
 Any application provider can introduce a Trojan
Horse in the card,
 New attacks can arise (denial of services…),
 Information can be exchanged between application,
 Use faulty platform implementation
4/29/2017
6
Bull & Innovatron Patents
Action Coopérative Java Card
Java Card Security Chain
.class
Applet
Applet
Applet
Applet
Java Card
Applet Security
Policy
4/29/2017
7
Bull & Innovatron Patents
Verifier
Sign/Enc
Loader
.cap
Virtual Machine
.java
Applet
OP CM
Applet
Loader
Linker
JC API
JVM
OS
Chip
Action Coopérative Java Card
Platform
Security
Two security levels
 Platform security
 Traditional means,
 Use of formal methods.
=> Models of the platform security modules
 Application security
 There is a need for a global security policy
 Flow control (data and/or code sharing)
 Resources consumption (memory, CPU, method
calls...)
=> Static analysis of applet configurations (part of the
CMS)
4/29/2017
8
Bull & Innovatron Patents
Action Coopérative Java Card
Smart Card Modeling
 B Method
 Verifier
 Interpreter
 Firewall
4/29/2017
9
Bull & Innovatron Patents
Action Coopérative Java Card
The B method
 A formal Method
Based on the mathematical set theory (variables,
sets, relations, etc..),
Generation of proof obligations,
Theorem prover
 Supported by CASE tools (AtelierB, B Toolkit..)
 Used in industrial applications (RATP Meteor
automatic subway, SNCF TGV Speed train control
4/29/2017
10
Bull & Innovatron Patents
Action Coopérative Java Card
The B Method - Machine
MACHINE EX_1
VARIABLES
x, y, z
INVARIANTS
x  0..10 
y  0..10 
z  0..20
INITIALISATION
x : 0..10 
y : 0..10 
z : 0..20
GENERATION
OF PROOF
OBLIGATIONS
OPERATION
OP1 =
BEGIN
z := x+y
END
END
4/29/2017
11
Bull & Innovatron Patents
Action Coopérative Java Card
The B Method - Proof Obligation
H1 
H2 
.
.
Hn 
B
EXAMPLE
INVARIANTS
x  0..10 
y  0..10 
z  0..20
OPERATION
OP1 =
BEGIN
z := x+ y
END
4/29/2017
12
Bull & Innovatron Patents
x  0..10 
Generation of a
Proof Obligation
y  0..10 
z  0..20

x+ y  0..20
Action Coopérative Java Card
The B Method - Refinement
PROOF
OBLIGATION
ABSTRACT
MACHINE
PROOF
OBLIGATIONS
REFINEMENT 1
PROOF
OBLIGATION
PROOF
OBLIGATIONS
PROOF
OBLIGATION
REFINEMENT
n-1
PROOF
OBLIGATIONS
REFINEMENT n
PROOF
OBLIGATION
PROOF
OBLIGATIONS
IMPLEMENTATION
PROOF
OBLIGATION
C soure code or
ADA source code
4/29/2017
13
Bull & Innovatron Patents
Action Coopérative Java Card
Smart Card Modeling
 B Method
 Verifier
 Interpreter
 Firewall
4/29/2017
14
Bull & Innovatron Patents
Action Coopérative Java Card
The Byte Code Verifier
 The Java byte code is compiled for the Java Virtual
Machine.
 The Java byte code may be corrupted intentionally
or not.
 Need to perform checks before its execution by the
interpreter:
 Flow controls
 Type correctness
4/29/2017
15
Bull & Innovatron Patents
Action Coopérative Java Card
Flow Control and
Type Correctness
 A state is defined by:
 The pc (program counter)
 The type stack
 The type frame
 The properties to be checked are
 Confinement
 Stack access
 Initialization
 Type correctness
4/29/2017
16
Bull & Innovatron Patents
Action Coopérative Java Card
Our Approach of the Model
 Model a Defensive Machine.
 Extract runtime checks by successive refinements.
 De-synchronize verification and execution process.
 Split the defensive machine in two parts:
 The verifier
 The interpreter
4/29/2017
17
Bull & Innovatron Patents
Action Coopérative Java Card
The Model
Machine
Machine
Machine
Machine
Operation
Treechecking
DJVM
Interpreter
Refinement 1
Refinement
Implementation
Operationr
BCV
DJVMr1
Refinement 2
Implementation
DJVMr2
Verifier
Implementation
iDJVM
The Byte Code
Verifier
4/29/2017
18
Bull & Innovatron Patents
The Defensive Machine The Interpreter
Action Coopérative Java Card
The Defensive Machine
 Performing tests on byte code  No need to perform test on
and then executing it.
byte code, just executing it.
ins_push0 =
SELECT(methode(apc)=push0)
THEN
IF (apc < size (methode) 
top_stack < max_stack)
THEN
apc := apc + 1
|| top_stack := top_stack +1
|| types_stacks :=
types_stacks{top_stack+1 
INTEGERS}
ELSE
unchecked:=TRUE
END
END;
4/29/2017
19
Bull & Innovatron Patents
ins_push0 =
SELECT(methode (apc) = push0 
unchecked = FALSE)
THEN
apc := apc + 1
|| top_stack := top_stack +1
|| types_stacks:=
types_stacks{top_stack+1
INTEGERS}
END;
Action Coopérative Java Card
The Freund & Mitchell
Bytecode Instructions
 A subset of the Java bytecode language: Inc,
Push0, Pop, If L, Istore x, Iload x, Halt, New, Init, Use.
 A static semantics and an operational semantics.
 A subset sufficient to study object initialization,
flow and data-flow controls.
4/29/2017
20
Bull & Innovatron Patents
Action Coopérative Java Card
Construction of static stacks
 The equation to be verified :
"pc, type_stack[pc] = P{ fi(type_stack[i] / i belongs to
Preds(pc)},
 A fixed point search for each static stack.
4/29/2017
21
Bull & Innovatron Patents
Action Coopérative Java Card
Types
 The types subset:
TOP
Integers
Addri
Bottom
Addr
Bottom
 The lattice
 A partial-order
 A binary operator Meet
4/29/2017
22
Bull & Innovatron Patents
Action Coopérative Java Card
Conclusion
 The defensive machine is entirely proved
 The integration of the fixed point calculus is proved
at 98%.
 We proved the soundness of our approach.
4/29/2017
23
Bull & Innovatron Patents
Action Coopérative Java Card
Smart Card Modeling
 B Method
 Verifier
 Interpreter
 Firewall
4/29/2017
24
Bull & Innovatron Patents
Action Coopérative Java Card
Java Card Entire Subset
 Not taken into account
 Constant Pool
 Subroutines verification
 Exception
 Heap
 Instructions specification according to their
properties:
 Ease the specification
 Ease the proof (cf. A. Requet)
4/29/2017
25
Bull & Innovatron Patents
Action Coopérative Java Card
Byte Code Properties
 Byte code accessing :
 The stack (bspush)
 The frame (sload_0)
 The program counter (if_scmp_gt, bspush).
OPCODE
OP_SINGLE_BRANCH_W
sload_0
bspush
iconst_1
iconst_m1
ireturn
if_scmp_gt
OP_PC_NEXT
OP_SINGLE_BRANCH
4/29/2017
26
Bull & Innovatron Patents
Action Coopérative Java Card
Refinements
Machine
Properties
DJVM
Refinement 1
Method
Refinement 2
Control Flow
Refinement 3
Frame
Refinement 4
Stack
Machine
Treechecking
The Byte Code
Verifier
4/29/2017
27
Bull & Innovatron Patents
Implementation
The Defensive Machine
Action Coopérative Java Card
Machine
Interpreter
The Interpreter
Refinements
DEFINITIONS
succ_pc(x) == x + 1 + parameters_size(BYTE_to_OPCODE(method(x)) ;
parameter(x, y) = method(x+y)
OPERATIONS
op_sinc =
SELECT BYTE_to_OPCODE(method(pc)) = IINC_W
THEN
IF
BYTE_to_unsigned(parameter(pc, 1))  0..max_locals-1 
frame_type(BYTE_to_unsigned(parameter(pc, 1))) = int 
succ_pc(pc)  opcode_locations
THEN
pc := succ_pc(pc)
END
END
flow_checked = TRUE
=>
(¡x.(x  dom(method) ¾ BYTE_to_OPCODE(method(x)) OP_NEXT)
=>x+1+parameters_size(BYTE_to_OPCODE(method(x))) opcode_locations)) 
(¡x.(x  dom(method) ¾ BYTE_to_OPCODE(method(x)) OP_SINGLE)
=>x + 1 + BYTE_to_signed(parameter(x,1)) £ opcode_locations)) 
(¡x.(x  dom(method) ¾ BYTE_to_OPCODE(method(x)) OP_SINGLE_W)
=>x + 1 + BYTE_to_signed(parameter(x,1), parameter(x,2)) opcode_locations))
4/29/2017
28
Bull & Innovatron Patents
Action Coopérative Java Card
Refinements
op_sinc =
SELECT
frame_checked = TRUE 
stack_checked = TRUE 
flow_checked = TRUE
THEN
pc := succ_pc(pc)
END
frame_value  0..max_locals-1  INT
/* Gluing invariant */
dom(frame_type)  dom(frame_value)
op_sinc =
SELECT
frame_checked = TRUE 
stack_checked = TRUE 
flow_checked = TRUE
THEN
VAR oldfvalue, newfvalue IN
oldfvalue := frame_value(parameter(1)) ;
newfvalue  jah_sadd(oldfvalue, parameter(2)) ;
frame_value(parameter(1)) := newfvalue
END ;
pc := pc + 3
END
4/29/2017
29
Bull & Innovatron Patents
Action Coopérative Java Card
Status
 All the byte codes are specified
 Proof of the properties per byte code sets is
possible
 Proof Obligation resolution is difficult BUT generic
 100% proved until refinement 3
4/29/2017
30
Bull & Innovatron Patents
Action Coopérative Java Card
Smart Card Modeling
 B Method
 Verifier
 Interpreter
 Firewall
4/29/2017
31
Bull & Innovatron Patents
Action Coopérative Java Card
Object Sharing
Package X
Package Y
JCRE
Kernel
Applet x
Loyalty
JCRE
Entry
Point
Objects
x
extends
Shareable
Global
Arrays
Applet y
FIREWALL
4/29/2017
32
Bull & Innovatron Patents
Action Coopérative Java Card
FIREWALL
Firewall Model
Abstract Machine
Concrete Variables
Invariant
Security Policy
JCRE / Firewall
JCRE
Specification
Sun.
Operations
Byte Code
Interpretation
Implementation
4/29/2017
33
Bull & Innovatron Patents
Action Coopérative Java Card
JavaCard
API
VOP
Sun.
Visa.
Firewall Specification
 Security properties : the memory access must
conform the security policy:
 context management
 objects management (applet, arrays, interfaces…)
 byte code interpretation
Java Stack
Interpreter
JCRE
Objects
Firewall
4/29/2017
34
Bull & Innovatron Patents
Action Coopérative Java Card
Byte Code Interpretation
 Methods access
 invoke_interface,
invoke_static, invoke_virtual
 Array access
 aaload,
iaload, baload, …
 Context_switch
 invoke_interface
4/29/2017
35
Bull & Innovatron Patents
Action Coopérative Java Card
Components
4/29/2017
36
Bull & Innovatron Patents
Action Coopérative Java Card
Interpreter and Firewall
Abstract Machine
Sees
Contexts
Concrete Variables
InterpStatus, pc
Abstract Variables
Current_obj, Current_ctx
Operations
aaload
AccessArray(obj,array) =
PRE
FireStatus = OK
THEN
IF
(obj | array) :Access_array
THEN
Current_obj
FireStatus := access_denied
ref_array
END
END
Treat_bytecode =
PRE
InterpStatus = OK
THEN
CHOICE
pc := PC_NEXT (pc)
OR
InterpStatus :: STATUS - {OK}
END
END
4/29/2017
37
Bull & Innovatron Patents
FireStatus
Firewall
Interpreter
OK
Access_Denied
Action Coopérative Java Card
Stack
Firewall Refinement
 Specification : ” The acces to an array is allowed if
current object is element of the JCRE, or
 array is global, or
 array is not a transient clear_on_deselect, and is element of
the current package”

Access_Array =
Access_JCRE 
Access_global 
{Access_Package-Access_Transient_COD}
Access_JCRE : {ObjectContext~ (JCREContext)}  ObjectsOnCard
Access_Globals : ObjectsOnCard  GlobalArrays
Access_Package : {ObjectContext ; ObjectContext~}
Access_Transients : ObjectsOnCard  Transients_COD
4/29/2017
38
Bull & Innovatron Patents
Action Coopérative Java Card
Firewall Implementation
 Access_Array implementation
IF
{curr_obj | array_ref} : Access_JCRE  Access_global
 {Access_Package-Access_Transient_COD}
IF
ObjectContext (curr_obj) = JCREContext
OR is_global_array (array_ref) = TRUE
OR (same_package (curr_obj, array_ref) = TRUE
and not (is_transient_cod(array) = TRUE))
4/29/2017
39
Bull & Innovatron Patents
Action Coopérative Java Card
Conclusion
 The Firewall is integrated is the virtual machine.
 100% proof of the model until the implementation
 Optimisation are mandatory on the additional test
 Help to understand the relation between the JCRE,
the Firewall and the interpreter.
4/29/2017
40
Bull & Innovatron Patents
Action Coopérative Java Card
Smart Card Modeling
 B Method
 Verifier
 Interpreter
 Firewall
 Conclusion
4/29/2017
41
Bull & Innovatron Patents
Action Coopérative Java Card
Conclusion
 We specified and/or implemented a large part of the
virtual machine:
 the verifier (spec only)
 the interpreter
 the firewall
 the JCRE
 The implementations do not fit with smart card
constraints
 Specification of the VOP module
 The complete interpreter (sub routine, exception…)
4/29/2017
42
Bull & Innovatron Patents
Action Coopérative Java Card
Publications
 Using B Method to Model Protocols by J.-L. Lanet. In Proceeding of
the Workshop AFADL 98, Poitiers, Oct. 1998.
 Formal Proof of Smart Card Applets Correctness by J.-L. Lanet
and A. Requet. In Proceedings of the Third Smart Card Research and Advanced
Application Conference (CARDIS'98), Louvain-la-Neuve, Belgium, Sept. 1998.
 The use of the B formal method for the design and the
validation of the transaction mechanism for smart card
application by P. Lartigue and D. Sabatier, FM'99, Toulouse sept. 99
 Formal Specification of the Java Bytecode Semantics using the
B method, by L. Casset, J.-L. Lanet, ECOOP workshop, Lisbon, Jun. 99
 Formal Specification of the Java Byte Code Semantics
Coherence for an Embedded System, by L. Casset, J-L. Lanet
and G. Mornet, submitted to ASIAN’99, Phuket Dec. 99
 Formal Model of the Firewall, by S. Motre, submitted to AFADL 2000,
Grenoble, Fev. 00
4/29/2017
43
Bull & Innovatron Patents
Action Coopérative Java Card
Related documents
Chapter 1 questions
Chapter 1 questions
CS112 - INTRODUCTION TO PROGRAMMING Programming Project #2 - Due Purpose:
CS112 - INTRODUCTION TO PROGRAMMING Programming Project #2 - Due Purpose:
Instructor Rubric for Presentations
Instructor Rubric for Presentations
Streams, File I/O, Standard Streams and Scanner class
Streams, File I/O, Standard Streams and Scanner class
Course Introduction - Boston College Computer Science Department
Course Introduction - Boston College Computer Science Department
Designing Web Applications
Designing Web Applications
Public Tests - University of Maryland
Public Tests - University of Maryland
COMS S1007 Object-Oriented Programming and Design in Java August 12, 2008
COMS S1007 Object-Oriented Programming and Design in Java August 12, 2008
Java Unit 5: Applets and Graphics
Java Unit 5: Applets and Graphics
Java
Java
BAND TITLE: Operating Systems Analyst
BAND TITLE: Operating Systems Analyst
Lab 3 - Console Output and Arithmetic Expressions
Lab 3 - Console Output and Arithmetic Expressions