Abstract. The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system typically used for sandboxing application programs dynamically loaded on the chip. High-level (EAL5+) evaluation of the chip requires a formal security model.
Introduction
Since smart cards are becoming widespread and are typically used for security-critical applications, smart card vendors face the demand for validating the security functionality of their cards w.r.t. adequacy and correctness. Third-party evaluation and certification is accepted as the appropriate approach, making it quite an active field. Certification of smart card processor products according to the Common Criteria [5] typically refers to the Smartcard IC Platform Protection Profile [1] and its augmentations like [2] . Based on these documents, the security target [22] for the Infineon SLE 88 smart card chip demands assurance level EAL5+ to be achieved, in particular requiring formal reasoning on the requirements level, viz. a formal security model. Infineon could make use of an extension of the established LKW model [10] that already covers most aspects of security. Yet the SLE 88 offers a new security feature that requires special attention: a sophisticated memory management. For its evaluation we have developed a formal model that we describe in detail in the present article. The emerging field of multiapplication smart cards motivates protection of applications from each other. The model shows that this can be effectively achieved with classical hardware-based separation of memory areas. This feature may be used in particular within Java Virtual Machine implementations, yielding major progress in the area of dynamically loadable applications for smart cards.
The memory management security model is given in terms of Interacting State Machines (ISMs) introduced in [17] . ISMs are state-transition automata that communicate asynchronously on multiple input and output ports and thus can be seen as high-level Input/Output Automata [11] . They have turned out to be appropriate for the task of security modeling, for instance the full formalization of the LKW model with the Isabelle/HOL theorem prover [14] .
Most of the related work on high EAL evaluation for smart cards, done e.g., at Trusted Logic and Philips, is unpublished. There are publications dealing with the Java Card runtime system [12] and with smart card operating systems in general [21] . Note that these focus on software, while we focus on hardware.
SLE 88 memory management
In this section we introduce the virtual memory system of the SLE 88 with its associated security objectives and protection mechanisms. We start with a description of the security environment stating the processor's security objectives not pertaining to memory management and the security responsibilities of the smart card operating system and the applications.
Security environment
The SLE 88 is a smart card processor designed to support the protection of a smart card against threats including unauthorized access and modification of data as well as compromising the correct execution of the software residing on the card. From the security viewpoint, a smart card consists of the processor hardware, its IC dedicated software, i.e., software providing a high-level interface to hardware functions, and the smart card embedded software providing operating system (OS) and application functionality. The three layers share responsibility for achieving the desired level of security: the processor hardware achieves protection against tampering and side channel attacks, the IC dedicated software provides controlled access to hardware-based security functions including encryption and memory management to the smart card embedded software, which in turn is in charge of enforcing the application-specific security policy.
The SLE 88 is comprised of the processor hardware and the IC dedicated software. Figure 1 gives an overview of its hardware structure, particularly emphasizing the crypto coprocessor used for memory and bus encryption. The hardware is designed to satisfy all security requirements imposed in [1] ; its formal security model is given by the LKW model [10] . This paper concentrates on the particular memory management security service offered through the IC dedicated software, which builds upon the MMU (Memory Management Unit) hardware. It provides a virtual address space where access control attributes can be assigned to pages within that space. The attributes can be used by the smart card embedded software to define rules for information and control flow between applications. Note that the MMU is only responsible for enforcing the protection according to the attributes set by the smart card embedded software. Thus, it does not define an application-layer access control security policy on its own. The division of responsibility to achieve security between the smart card layers is reflected in the definition of the security requirements for memory management and is investigated in detail below.
Memory organization
The physical memory of the SLE 88 family is handled via 22-bit physical effective addresses (PEAs). Virtual memory is addressed via 32-bit virtual effective addresses (VEAs). The atomic units of the translation from virtual to physical addresses are pages of 64 bytes, which results in 6-bit-wide displacements, i.e., address offsets. Peripheral hardware is memory mapped and thus can be accessed -and protected -in the same way as ordinary memory cells.
Typically, there are several independent software modules of different origin. Therefore, virtual memory is logically divided into 256 packages of equal size, such that the package address (PAD) makes up the upper 8 bits of the VEA. Packages 0 to 2 are privileged because they control security-critical entities. Package 0 contains the security layer (SL), package 1 contains the platform support layer (PSL), also known as hardware abstraction layer (HAL), and package 2 contains the operating system (OS). SL and PSL together form the IC dedicated software. Of the remaining regular packages, those with numbers 3 to 15 are reserved, while those with numbers 16 to 255 are available for (third-party) application software to be uploaded on demand. Figure 2 shows the structure of the address space in detail.
Security objectives
The security objective relevant here is O.Mem-Access: "Area-based Memory Access Control," defined in [22, Sect. 4.1] : The TOE must provide the Smartcard Embedded Software with the capability to define restricted access memory areas. The TOE must then enforce the partitioning of such memory areas so that access of software to memory areas is controlled as required, for example, in a multi-application environment. This means, in particular, that interpackage access to code and data should be restricted and that the corresponding protection attributes should be controlled by (specially protected) privileged packages only. Details on the associated Security Functional Requirements (SFRs) may be found in [22, Sect. 5 
Note that the requirement above does not refer to a particular access control security policy to be enforced on the application level: rules may differ depending on the application domain ("partitioning . . . is controlled as required"). The processor's task is therefore to provide the technical means to effectively support the definition and enforcement of application-specific access control policies rather than defining such policies on its own. Only parts of the policy are fixed and cannot be overwritten by attribute assignment of the smart card embedded software, namely, those pertaining to SL and other privileged packages. This is why using classical access control or information flow models like Bell-LaPadula [4] and noninterference 1 [7, 20] as well as integrity models like Biba [3] and Clark-Wilson [6] (preserving integrity might also be a motivation for requiring application separation) turned out to be inappropriate. Requirements imposed on policies, e.g., the domination relation being a lattice in BellLaPadula and Biba and the separation-of-duty principle of Clark-Wilson, cannot be enforced on the processor level since the processor is not intended to know about the particular application structure, its properties, and protection needs. To formally model the requirement above, a security model had to be provided that concentrates on the processor's contribution to access control pol-icy enforcement and reflects the division of responsibility between the processor and the smart card embedded software.
Protection mechanisms
Virtual memory is associated with effective access rights (EARs) determining the read, write, and execute access of packages. Their granularity is 256 bytes, corresponding to the lower 8 bits of the VEAs. Moreover, each physical page block of 16 bytes, corresponding to the lower 4 bits of the PEA, is associated with additional security attributes referred to as block protection field (BPF). The only information we will need in the model is a predicate called PASL specifying whether a page block should be accessible by SL only.
An EAR is given by a two-letter code where each of the letters may be W, R, X, or -, which specify, respectively, read/write access to data, read-only access to data, executing access to code, and no access. The first letter refers to access within a package, while the second letter refers to access of one package (the source) to some other package (the target). The only allowed combinations are WW, WR, RR, W-, R-, and X-. Note that the EAR gives an implicit classification of memory sections as code or data. Code can be marked only with X-, which indicates that interpackage code fetch is generally prohibited. Regardless of the EAR, privileged packages have free data access to all other packages except SL.
The meaning of the EARs can also be described with Table 1 below.
In the table, + means that the access is granted and MPA means that a Memory Protection Alarm (MPA) is triggered. MPA/+ means + if the source is privileged and the target is not SL, and MPA in all other cases. Apart from the restrictions on (linear) code fetch, interpackage control transfer is allowed only if the target holds a special PORT instruction sequence that defines the set of packages allowed to enter.
Security objectives revisited
Having introduced some of the details of the protection mechanisms available, we are now able to give a more detailed interpretation of the informal security requirements on memory management stated in the Security Target and introduced in Sect. 2.3. The properties to be achieved can be divided into two groups: (i) enforcing separation of applications by controlling access to package memory areas as defined by the EAR setting according to the applications' security policies and (ii) special protection of SL, since it is responsible for managing the security attributes.
Pertaining to application separation, we require: -Read/write/execute accesses have to respect the given EAR settings, i.e., only those access requests should be granted that are allowed by the actual EARs. -Interpackage control transfer is allowed only through PORT instructions. The complexity in arguing about these properties is introduced through the possibility of noninjective address mappings and the functionality to modify the page table and the EAR settings themselves. Noninjective mappings assigning a page to multiple virtual addresses with different EAR assignments are critical because the memory management does not offer conflict resolution strategies but still should avoid weakening access control restrictions by exploiting different access paths to physical addresses. With respect to protection of SL, we require: -Memory areas assigned to SL can be changed only by SL itself, i.e., the integrity of the security functionality is maintained. This also covers protection against buffer overflow attacks on SL. -SL can only be accessed in a controlled way, namely, through the PSL package. Thus, PSL can be used to apply specific filtering of attribute modification requests by the smart card embedded software, which allows one to implement parts of an application separation policy on the level of the IC dedicated software.
Note that protection of SL does not require PSL to be trustworthy. However, SL protection will rely on the benign behavior of SL itself and appropriate initial EAR settings.
Formalism and tools
For modeling (and partially verifying) the SLE 88 memory management, we take the ISM approach [17] . This means that we formally define and analyze its security model as an Interacting State Machine (ISM) [15] within the theorem prover Isabelle/HOL [14] . Though the model described in this article does not actually make use of parallel composition of ISMs and related concepts, we give the full definitions here for completeness. For further advances in the ISM formalism, namely, generic ISMs and their instantiations to dynamic ISMs and ambient ISMs, see [9, 18] .
Concept of Interacting State Machines
An Interacting State Machine (ISM) is an automaton whose state transitions may involve multiple input and output simultaneously on any number of ports. As the name suggests, the key concepts of ISMs are states (and in particular the transitions between them) and interaction. By interaction we mean explicit buffered communication via named ports (also called connections), where on each port (typically) one receiver listens to possibly many senders. Figure 3 gives the basic ISM structure.
Any number of ISMs may be composed in parallel by interleaving their transitions and forming I/O connections among peer ISMs. The local state of the resulting ISM is essentially the Cartesian product of the local states of its components. The top-level composition is called an ISM system. In [18] we extend the ISM concept by the notions of global state and commands that may affect the global state.
A configuration of an ISM consists of its input buffer state and local state. The local state may have an arbitrary structure but typically is the Cartesian product of a control state that is of finite type and a data state that is a record of named fields representing local variables. Each ISM has a single 2 local initial state.
The input buffers of an ISM are a family of (unbounded) message FIFOs, indexed by port names. The buffers are not actually part of an ISM but exist merely as intermediate data structures within parallel composition during ISM runs. Input buffers can (but in most applications should not) be shared among ISMs, which leads to competition on the input without fairness constraints.
Message exchange is triggered by an output operation of any ISM within the system. Input from the environment may be modeled with suitable ISMs. Inputs cannot be blocked, i.e., they may occur at any time, appending the received value to the corresponding FIFO. Values stored in the input buffers related to an ISM are received and processed by the ISM when it is ready to do so.
The actions of ISMs are given as user-defined transitions, which may be nondeterministic and can be specified in any relational style. Thus for each transition the user has the choice of defining it in an operational (i.e., executable) or axiomatic (i.e., property-oriented) fashion or a mixture of the two. Transition rules specify that -potentially under some precondition that typically includes matching of messages in the input buffers -the ISM consumes some input, makes a local state transition, and produces some output. The output is appended to the respective input buffers specified by port names. Direct or indirect feedback is possible. Multicast is not directly supported but may be explicitly modeled easily.
An ISM system run is any prefix of the sequence of configurations reachable from the initial configuration. The length of a run is not bounded but finite. Finiteness allows for a simple trace semantics, but on the other hand implies that we cannot handle liveness properties. Yet we do not feel this as a real restriction because most relevant properties are essentially safety properties: practical guarantees about the existence of future events typically involve timeouts.
Transitions of different ISMs that are composed in parallel cannot directly interfere with each other but are related only by the causality w.r.t. the messages interchanged. Execution gets stuck (i.e., deadlocks) when there is no component that can perform any step. As is typical for reactive systems, there is no built-in notion of final or accepting states.
ISM Semantics
This subsection gives the logical meaning of ISMs, which is both an extension and a slight simplification of the definitions given in [15] . It may be skipped for a first reading of this article.
First, some general remarks on the presentation: all definitions and proofs have been developed as a hierarchy of Isabelle/HOL theories and machine-checked using this tool. One important effect of this approach is that many kinds of mistakes like type mismatches can be ruled out. Using the L A T E X documentation feature of Isabelle would even preclude typographic slips in the presentation but on the other hand would introduce some technicalities many readers would not be familiar with. Therefore, we give the semantics in traditional "mathematical" style in order to enhance readability. We sometimes make use of λ-abstraction borrowed from the λ-calculus but write (multiargument) function application in the conventional form, e.g., f (a, b, c). Occasionally we make use of partial application (also known as currying), such that, in the example just given, f (a, b) is an intermediate function that requires a third parameter before yielding the actual function result.
In order to help in understanding the abstract formal definitions, we give a simple running example. It describes two producers sending random integer values to a port named Inlet of a consumer which sums them up in a local variable named Accu initialized to 0. The system can be depicted as given in Fig. 4 .
Message families
Let M be the type of all messages potentially exchanged by ISMs and P the type of port names. Then the message families, which are used to denote both input 3 buffers and input/output patterns, have type MSGs = P → M * , where M * is any finite sequence of elements of M. We will make use of the following operations on message families:
-The term denotes the empty message family λp. , where denotes the empty sequence.
-The term mdom(m) is short for {p. m(p) = }, i.e., the domain of m. -The infix operation .@. concatenates two message families m and n pointwise: (m .@. n)(p) = m(p) @ n(p). In our example, P = {Inlet} and M = int, such that MSGs = {Inlet} → int * . Assuming m = λp. if p = Inlet then 1, −3 else , which can also be written as m = (Inlet := 1, −3 ), and n = (Inlet := 6 ); one obtains mdom(m) = {Inlet} and m .@. n = (Inlet := 1, −3, 6 ).
States and transitions
A set of ISM transitions has type TRANS(Σ) = ℘((MSGs × Σ) × (MSGs × Σ)), where the parameter Σ stands for the type of the local state and the two occurrences of MSGs stand for input and output patterns, respectively. For the consumer in the above example, Σ = int. Each element has the form ((i, σ), (o, σ )) and means that the ISM can (possibly nondeterministically) perform a step from local state σ to σ , consuming input i and producing output o. Simultaneous input and/or output on multiple channels can be specified because both i and o each denote whole message families. In contrast to the original definition of ISMs [15] , within a transition, input is described by patterns of messages consumed in the given step -not by a transition between the state of the input buffer before and after the transition. This simplifies the definition of single ISMs and shifts the concept of input buffering to the places where it is indispensable: at the definitions of parallel composition and automata runs.
Elementary ISMs
An ISM is given as a quadruple 4 
where -In(a) is the set of input port names, -Out(a) is the set of output port names, -σ 0 (a) is the initial local state, -Trans(a) is the transition relation. Such an ISM is well formed iff all the port names actually used in the transitions for input or output respect the I/O interface of the ISM, i.e., ipns(a) ⊆ In(a) and
Note that In(a) and Out(a) may overlap, which allows for direct feedback within parallel composition.
In the above example, the consumer ISM can be given as Consumer = ({Inlet}, ∅, 0, {( (Inlet := n ), a, , a + n) | n ∈ int ∧ a ∈ int}). This ISM is well formed since ipns(Consumer) = {Inlet} and opns(Consumer) = ∅. The producers do not need local variables, so we give their local state the dummy type unit with sole element •. They can be defined as
Runs
Below we will define composite ISM runs, i.e., the parallel composition and execution of a family of ISMs, directly in one step. Nevertheless, we first define the two notions of ISM runs and parallel composition independently. Defining parallel composition in isolation not only makes it easier to understand but also enables hierarchical analysis and design.
The open runs of an ISM a, denoted by Runs(a) ∈ ℘(Σ * ), are finite sequences of states that are inductively defined as
ss σ σ ∈ Runs(a)
.
The operator appends elements to a sequence. This form of runs is called open because in each step the environment provides arbitrary input to the ISM, and any output of the ISM is discarded. If feedback from output to input is desired, one can achieve this by applying the parallel composition operator to the singleton family of ISMs consisting just of a, described next.
In the example, an open run of the consumer is any sequence of integers starting with 0, for instance 0, 1, −2 if the input happens to be 1 and −3.
Parallel composition
Any number of ISMs can be combined in parallel to form a single composite ISM, which may be further combined with others, etc. By identifying input and output buffers of ISMs to be combined, internal communication including feedback loops can be introduced as shown in Fig. 5 .
The parallel composition i∈I A i of a family of ISMs
where I is any index set I and for any X, the type of an ISM configuration CONF(X) is defined as MSGs × X.
Here MSGs stands for the type of internal buffers. The composite ISM is defined as the quadruple (
-gives the initial value of the internal buffers, which are used to handle I/O among peers as well as direct feedback; -S 0 (A) = Π i∈I (σ 0 (A i )) is the Cartesian product of all initial local states; -PTrans(A) of type TRANS(CONF(Π i∈I Σ i )) is the parallel composition of their transition relations.
In our example, we combine the two producers and the consumer in parallel. Let I = {1, 2, 3} and A 1 = P roducer 1 , A 2 = P roducer 2 , and
The pre-and poststates in the composed transition relation refer not only to the Cartesian product of all local states but also to a message family b. As mentioned above for the initial state, the role of b is to buffer internal I/O. Apart from this, the composed transition relation is defined simply as the interleaving of the transitions of the component ISMs:
, where -S[j :=σ] denotes the replacement of the jth component of the tuple S by σ; -m |P denotes the restriction λp. if p ∈ P then m(p) else of the message family m to the set of ports P ; -i |AllOut(A) denotes those parts of the input i provided not by the output of peer ISMS but by outer ISMs; -i |AllOut(A) denotes the internal input from peer ISMs or direct feedback, which is taken from the current buffer contents b; -o |AllIn(A) denotes those parts of the output o provided to outer ISMs; -o |AllIn(A) denotes the internal output to peer ISMs or direct feedback, which is added to the current buffer contents b.
In the example,
The first part of the union describes the effect of a transition of either producer: a random value n is appended to the internal buffer b(Inlet). The second part describes that the consumer takes one such value out of the buffer and adds the value to its local accumulator variable.
A possible run of the example system, i.e., a member of
where first 1 and −3 are produced (by either of the producers), then both values get consumed, then 6 is produced and immediately thereafter consumed, such that the final local state of the consumer is 0 + 1 − 3 + 6 = 4.
A parallel composition is well formed iff the inputs of the individual components do not overlap:
On the other hand, outputs may overlap, which allows the outputs of different ISMs to interleave nondeterministically. This is the case for our example system: as can be easily seen, input ports do not overlap but outputs do.
A family A of ISMs is called closed iff AllIn(A) = AllOut(A), i.e., there is no interaction with any outside ISMs. Our example system is closed. If a system is modeled with a closed ISM family and input from the environment is important, this may be modeled with an ISM that belongs to the family and does nothing but generate all possible input patterns.
When composing ISMs, it is occasionally necessary to prevent name clashes or to hide connections, which can be achieved by suitable renaming of ports.
Composite runs
We define ISM runs not only for single (possibly composite) ISMs but also directly for closed families of ISMs intended to run in parallel. The above definition of parallel composition may be used in combination with composite runs to describe inner (possibly nested) levels of parallel composition.
The set of all possible composite runs is denoted by CRuns(A) and has type ℘((CONF(Π i∈I Σ i )) * ) corresponding to the ISM type ISM(Π i∈I Σ i ). Its elements are finite sequences of configurations, inductively defined as
Traces of composite runs have the form ( ,S 0 (A)), (b 1 ,S 1 ), (b 2 ,S 2 ), . . . , where each element of the sequence is a pair of the current internal buffer contents and the Cartesian product of all the currently relevant local states.
One can show that composite runs of any closed family A of well-formed ISMs are equivalent to the runs of the parallel composition of the same family: wf_isms(A) ∧ closed(A) −→ Runs( i∈I A i ) =CRuns(A). Of course, this is the case for our running example since the system is closed.
Isabelle/HOL representation
When aiming at rigorous formal modeling or even system verification, tools performing syntactic checks, type checks, and mechanized proofs are essential. We employ the theorem-proving system Isabelle/HOL because of our excellent experience with this tool.
Isabelle [14] is a generic interactive theorem prover that has been instantiated to many logics, in particular the very practical Higher-Order Logic (HOL). Despite one nuisance, 5 we consider Isabelle/HOL the most flexible and mature modeling and verification environment available. It makes system properties easily and adequately expressed and verified through the use of powerful proof methods. Furthermore, Isabelle offers good facilities for textual presentation and documentation.
ISMs can be defined in special Isabelle theory sections. Their standard interpretation is the metatheory described in Sect. 3.2. It is implemented by an Isabelle plugin [13] in connection with a library of Isabelle theories. ISMs can also be defined graphically using the CASE tool AutoFocus [8] and then translated to the Isabelle/HOL representation using a tool program [13] .
An ISM section is introduced by the keyword ism and has the following general structure: 6 5 The only drawback of Isabelle/HOL for applications like ours is the lack of dependent types: for each system modeled there is a single type of message contents into which all message data has to be injected, and the same holds for the local ISM states. The alternative prover PVS supports dependent types, but on the other hand it is less flexible; in particular, user-defined theory sections are not possible. 6 [. . . ] marks optional parts; (. . . ) + means one or more commadelimited occurrences.
[ post((lvar_name := expr)
The meaning of the individual parts is as follows.
-The ISM definition will be referred to by name. Expressions within a rule may refer to the logical data state variable mentioned above. In particular, assuming that s is the name of the data state variable, then the value of any local variable lvar of the ISM may be referred to by lvar s . The scope of free variables appearing in a rule is the whole rule, i.e., free variables are implicitly universally quantified (immediately) outside each rule.
All the following parts of a transition rule are optional:
-The pre part contains guard expressions bool_expr , i.e., preconditions constraining the enabledness of a transition. -The in part gives input port names (or sets of them if preceded by multi) I_pn, each in conjunction with a list I_msgs of message patterns expected to be present in the corresponding input buffer(s). When an ISM executes a transition, any free variables in message patterns are bound to the actual values that have been input. Each port name should appear at most once within an in part. Any input port not explicitly mentioned is left untouched. -The out part gives output port names O_pn, each in conjunction with an expression O_msgs denoting a list of values designated for output to the corresponding port. The variant using multi is used to specify multicasts. Each port name should be used at most once within each out part. Any output port not mentioned does not obtain new output. -The post part describes assignments of values expr to the local variables lvar_name of the data state. Variables not mentioned remain invariant. Alternatively, an expression ds_expr may be given that represents the entire new data state after the transition. Assignments to the local variables suit an operational style, whereas an axiomatic style can be achieved using ds_expr (in conjunction with suitable constraints in the preconditions).
An ism theory section is translated to Isabelle/HOL concepts in a straightforward way using an extension to Isabelle, as described in [13] . In particular, each ISM section is translated to a record definition with the appropriate fields, the most complex one being the transition relation, which is defined via an inductive (but not actually recursive) definition.
The metatheory of ISMs that we have defined in Isabelle/HOL includes all concepts mentioned in Sect. 3.2, in particular well-formedness, renaming, parallel composition, runs, and composite runs. Further auxiliary concepts are introduced as well, in particular reachability and induction schemes related to ISM runs. The characteristic properties of these concepts, as required for system verification, are derived within Isabelle/HOL. All details of the metatheory may be found in [19] .
System model
In order to provide a comprehensive instructive presentation of the formal model, we reproduce all the definitions, lemmas, and theorems (essentially leaving out proof scripts and a few other parts needed for technical reasons only), augmented with comments, just as they appear in the Isabelle theory sources. 8 By employing the automatic L A T E X typesetting facility of Isabelle, we achieve on the one hand maximal accuracy of the presentation, retaining the mathematical rigor and the "flavor" 9 of the machine-checked specifications, and on the other hand good readability by using standard logical notation as far as possible and interspersing textual explanations and motivation. 8 Isabelle/HOL adopts the notational standards of functional programming, writing, for instance, (multiargument) function application as fxyz instead of f (x, y, z). 9 For example, the order of definitions is strictly bottom-up.
A very important design principle is to keep a high level of abstraction, which improves readability and simplifies the proofs. Therefore, we model only those features that are strictly relevant for security, abstracting away unnecessary detail caused, e.g., by efficiency optimizations. For the same reason we often use a modeling technique called underspecification, i.e., for part of the logical types and constants we do not give full definitions but only declarations of their names.
Overview
Following the standard approach to security analysis, we provide a system model describing the abstract behavior of the memory management and formalize the security objectives as properties of the system model. The statebased ISM approach fits well with modeling both the page table and the physical memory as state components of the system, mapping virtual addresses to physical addresses and physical addresses to values. Our specification of (both virtual and physical) addresses represents the structure of the memory organization as described in Sect. 2.2. Values are only of interest in case of PORT instructions; we leave other values unspecified. The state of the system model further includes mappings describing the assignments of BPFs to page blocks and EARs to sections of the virtual address space.
To complete the system model, state transitions represent the different kinds of memory access that may occur. For each of them there is a corresponding input message for the ISM triggering a transition. Each transition produces an output stating whether the access is granted or denied. In case of denial, we have different output messages representing the different traps or alarms. The computation of the output refers to our formalization of the protection rules stated in Sect. 2.4. A transition may also result in modifications of state components, for instance, write access to the main memory or page table updates.
Addressing
First we have to define several aspects of the SLE 88 address space introduced in Sect. 2.2. These include the type of package addresses, PAD , defined as the disjoint sum of privileged and regular PADs, where we enumerate all three possibilities for privileged packages but do not specify the actual range of regular PADs: datatype pri_PAD = SL | PSL | OS -package addresses 0 -2 typedecl reg_PAD -package addresses 3 -255 datatype PAD = Pri pri_PAD | Reg reg_PAD -privileged or regular Next, we define a predicate distinguishing privileged from regular packages.
While PADs form the upper (i.e., most significant) part of virtual addresses, displacements DP form the lower sections used for addressing individual bytes of memory within a page. We need to split them further because there are four page blocks within a page that are associated with their own BPFs. Note that, despite the names that contain numbers giving bit positions, we do not actually specify the concrete ranges of the types declared but just state that DP is the Cartesian product of the two other types:
typedecl DP_lo -4-bit offset within page block (with same BPF) typedecl DP_hi -2-bit page block address within page types DP -6-bit displacement within VEA s and PEA s = DP_hi × DP_lo A virtual effective address consists of the package address, a middle part that we call VEA_mid , and the displacement. We have to further split the middle part because only the upper 16 bits of it are used to determine the EAR associated with the address. We also define the type VP of virtual page pointers that will be mapped to physical page pointers. We define an auxiliary function PAD extracting the package information from any address containing a PAD as its uppermost part, simply by projecting on this first part of the tuple: PAD (pad, x) = pad .
Effective access rights
We enumerate all allowed EARs as defined in Sect. 2.4 and relate them with the access that they grant by functions for intrapackage and interpackage access. datatype EAR = WW | WR | RR | Wn ( W-) | Rn ( R-) | Code ( X-) datatype access_mode = Read | Write | Execute consts -access modes for read/write operations RWX_own :: EAR ⇒ access_mode set RWX_other :: EAR ⇒ access_mode set primrec -intrapackage access
State
Our abstract model of the SLE 88 memory management state consists of three aspects that are crucial for the security analysis: -The physical memory contents (where the only sort of value we are interested in is a PORT instruction sequence with its associated set of packages) and the PASL predicate associated with page blocks; -The essentials of the page table entries, i.e., page mapping and EARs -there is no need for us to model complex structures like translation lookaside buffers and multilevel page tables required merely for optimization; -The package information contained in the current program counter and in the return address stack. For simplicity, we model PORT instructions as atomic values. We define them as one of the alternatives in a (free) data type, which implies that they can be distinguished from all other instructions. This is adequate because the SLE 88 instruction layout ensures that PORT instructions are uniquely determined. typedecl value datatype value = PORT PAD set Each of the state components BPF_PASL , PT_map , and PT_EAR defines a mapping only for the relevant sections of physical and virtual addresses, which helps to avoid redundancies, in particular for update operations. Yet it is often convenient to perform the lookup operation with a full PEA or VEA, respectively. The auxiliary functions defined next BP_PASL , PEA , and EAR , respectively, provide these liftings.
Assumed initial state properties
The security target [22] requires that all EARs be initialized with a reasonable value. Since the exact value is immaterial for our analysis, we apply the standard technique, viz. to declare a constant giving the default EAR of memory sections without actually defining its value. consts default_EAR :: EAR -underspecified
The functional specification requires that only the PSL package may call the SL package, which restricts the sets of packages within PORT instructions of SL. We specify this for the initial state s0 with the following axiom: axioms -checks by PORT instructions of SL init_PORT_SL: PEA s0 (Pri SL, la) = Some pa =⇒ memory s0 pa = PORT PADs =⇒ PADs ⊆ {Pri SL,Pri PSL}
The axiom can be read as follows. For any VEA that belongs to SL (i.e., has the form (Pri SL, la) for some la ), if in the initial state it is mapped to any PEA pa and a PORT instruction is stored at that address, then the associated set PADs of allowed packages may contain only SL and PSL.
A further important requirement is that the BPFs be reasonably set: for any physical pointer pp and page block address, PASL should be true iff the page block is owned by SL, i.e., pp is associated with some VEA belonging to SL: axioms init_BPF_PASL: BPF_PASL s0 (pp,pb) = (∃la. PT_map s0 (Pri SL,la) = Some pp) 
Interface
We define the SLE 88 memory management system as an Interacting State Machine (ISM) with a rather trivial in-terface: it has one input port named In and one output port named Out .
The messages exchanged with the environment are either instructions given to the system or results sent by the system. The instructions are abstractions of the usual CPU (micro-)instructions where we focus on code fetch (which is the first step of each instruction execution), memory read and write, various forms of branches, and write operations to various special registers including the page table. The chip may respond with positive or negative acknowledge or various traps (which will be explained where appropriate) in case of denied access. 
Auxiliary access functions
For modeling the access control checks performed when executing access operations, it is beneficial to factor out common behavior and to reduce the complexity of the associated system transitions by defining dedicated auxiliary functions.
The function mem_access takes as its arguments the access mode, the current system state s , and the virtual address va to be accessed. It determines whether the current package, which is the subject (called source) of the operation at hand, is allowed to access -in the given mode -the package given by the PAD of va , which is the object of the operation (called target). In particular, it checks whether -the virtual address is mapped to some existing PEA pa (and otherwise causes a Memory Protection Package Boundary Fault trap); -the source is privileged and performs a read or write access where the target is some other package except SL, 10 or the EAR associated with va allows access with the given mode, making the distinction of whether the access is local or to some other package (and otherwise causes a Memory Protection Access Violation or MPBF trap); -PASL is true for pa iff the target is SL (which checks consistency of the PASL setting) or SL accesses data -for testing purposes -in a page block not belonging to SL where PASL is true (and otherwise causes a Memory Protection Security Field trap).
constdefs -read/write access restrictions to main memory mem_access :: access_mode ⇒ state ⇒ VEA ⇒ message mem_access mode s va ≡ case PEA s va of None ⇒ MPBF | Some pa ⇒ let source = curr_PAD s; target = PAD va in
The function Call_access takes as its arguments the current system state s and the virtual address va to be called. It grants intrapackage calls (i.e., the PAD of the target va equals the current PAD), and otherwise checks whether -va is mapped to some PEA pa (and otherwise causes a Memory Protection Package Boundary Fault trap); -the value stored at pa is a PORT instruction (and otherwise causes a Privileged Instruction trap); -the PORT instruction allows the current package to enter (and otherwise typically just returns from the call without causing a trap). The function Write_PT_access takes as its arguments the current system state s and the package to be affected. Writing to the page table is granted only if the current package is privileged. It must be even SL if the target package is SL. Otherwise a Memory Protection Core Register Address trap is generated. 
Transitions
The core of our security model is the definition of the ISM that specifies the overall memory management system of the SLE 88. The definition follows the format given in Sect. 3.3. For each kind of instruction that may be issued (by sending it to the ISM) there is one transition rule. Transitions are atomic, and instruction execution is meant to be sequential. The system reacts by outputting a value that indicates granted or denied access, where the latter typically leads to a trap. In our abstract model there is no need to specify trap handling. A couple of the transition rules have preconditions, and most of them have postconditions specifying changes to the system state. Since conditional changes to mappings are very common, we define the syntactic abbreviation "c ? f(x:=y) " "if c then f(x := y) else f ".
ism SLE88_MM = ports interface inputs In outputs Out messages message -instructions received or indications of success sent states data state init s0 name s -the initial state is s0 transitions Code_Fetch: -Okay if the PAD of va equals the current PAD and has the EAR X-and va is mapped to some page block where PASL is true iff the current PAD is SL. -Sets the memory cell at address va to the value v by the value v if access is granted. If the target package is SL and PASL is false for the affected page block, it may nondeterministically -as specified using the free variable belated_MPSF -write the value even though the access is denied,namely if the MPSF trap is delayed. Having given all the above definitions, we use them for stating and proving security properties. Many of these require additional assumptions on reasonable behavior of the SL package, which we will give as additional axioms restricting the transitions of the ISM.
Security properties

Overview
Given the system model in the form of an ISM, we are ready to formalize the security requirements of Sect. 2.3 as properties of (sequences of) ISM state transitions. Since the security requirements are formulated on a very high level, expressing the properties and arguing for their completeness has been appropriately done by discussing them with the requirement engineers, taking into account the SLE 88 specifications and the justifications given in the security target, which define details like access modes, EARs, the PASL attribute, and their intended effect.
The main concern of the security requirements is separation of applications, i.e., suitable restriction of interpackage access, which we address by the theorems -interpackage_Read_Mem_respects_EAR , interpackage_Write_Mem_respects_EAR , and Code_Fetch_only_local_X addressing inter-package read/write/execute protection, described in Sect. 5.2, -interpackage_transfer_only_via_Call_to_ suitable_PORT_or_Return , addressing interpackage control transfer, described in Sect. 5.4. Another critical issue is special protection of the SL package because it manages the security attributes, on which access control is based. By stating the series of theorems given in Sect. 5.3 culminating in only_SL _changes_SL _memory and only_SL_reads_SL_memory , and in Sect. 5.4 culminating in only_PSL_enters_SL , we have covered all properties implied by the security requirements.
Proving that the theorems hold for the given system model completes the formal security analysis. The proofs show some inherent complexity, for instance by having to consider layered protection mechanisms and effects of aliasing, i.e., noninjective page table mappings. Still, due to adequate modeling and the powerful Isabelle proof system, developing the machine-checked proofs has been a matter of just a few days.
The act of conducting proofs identifies necessary assumptions concerning the initial state and the access control attribute settings for the SL package. In particular, we introduce a notion of consistency of EAR assignments that is useful in case of aliasing.
Interpackage access protection
Our first two theorems state basic properties of interpackage read and write access. If in any state s a read instruction for some virtual address va not belonging to the current package is successful, then this has been done by a privileged package accessing a package other than SL, or read (or read/write) access is granted by the EAR associated with va . Note that the access rights are determined at the virtual (not: physical) address level, which opens up the possibility of inconsistencies incurred by aliasing, i.e., different access paths to the same physical memory area. In effect, the accessibility of a memory area is determined by the minimum protection of all related EARs. Only if interpackage consistency of the EARs is ensured can we guarantee that, for any other virtual address va belonging to a different package and mapped to the same physical address, the associated EAR is the same (and cannot be WR because this EAR is not symmetric) and thus no unwanted access is possible.
Some notational remarks are advisable here: in Isabelle formulas, multiple premises are bracketed using "[[" and "]]" and separated using ";". The term hd (p In) refers to the input and hd (p Out) to the output of the transition ((p,s),c, (p ,s ))∈ Trans that takes the state s to s and corresponds to ((p, s), (p , s )) ∈ Trans(a) as defined in Sect. 3.2.3. The free variable c can be ignored. Logical conjunction "∧" has higher syntactic precedence than disjunction "∨" and implication "−→".
The proof of this theorem proceeds by case distinction on the transition rules. The only nontrivial case is the one of Read_Mem , where we unfold the definitions of mem_access , RWX_other , and EARs_consistent and perform standard predicate-logical reasoning and term rewriting. We reproduce the actual proof script for this theorem in order to give an impression of what the Isabelle proofs (in the traditional tactic style) actually look like. The execution of such a script typically takes a few seconds. The necessity of such axioms makes explicit some important assumptions on the initialization of security attributes and the behavior of SL and therefore gives valuable feedback for system software development.
With the help of the two axioms just given and the axiom init_PT_EAR given in Sect. 4 ,s) ,c,(p ,s )) ∈ Trans; curr_PAD s = Pri SL; hd (p In) = Write_PT_map (Pri SL,lvp) (Some pp); hd (p Out)=Ok ]] =⇒ BP_PASL s (pp,dp)
Together with the axiom init_BPF_PASL also given in Sect. 4.5, we can prove the invariant in an analogous way. lemma SL_memory_has_PASL: Inv ( λs. ∀ lva pa dp. PEA s (Pri SL,lva)=Some pa −→ BP_PASL s pa)
Taking advantage of the two invariance lemmas just given, we prove that only SL can change memory allocated to SL. The proof uses the invariant SL_memory_has_ PASL concerning PASL three times, where in all these cases there is aliasing in the page table such that the same physical memory area is allocated to both SL and some non-SL package. Thus we can conclude that PASL plays an important role for detecting such (unwanted) aliasing w.r.t. SL memory. theorem only_SL_changes_SL_memory:
[[ts ∈ TRuns; ((p,s),c,(p ,s )) ∈ set ts; curr_PAD s = Pri SL; PEA s (Pri SL, lva) = Some pa ]] =⇒ memory s pa = memory s pa 
Interpackage control transfer and PORT instructions
Given theorem Code_Fetch_only_local_X , the only form of interpackage code access that needs to be addressed further is transfer of control where the current package changes. Our next theorem states that the only possibilities for such control transfer are a legal procedure call or return; more specifically: if there is a transition from state s to s where the current package changes, then either it has been caused by a call whose target is a virtual address va mapped to a physical address pa containing a PORT instruction that explicitly allows the calling package to enter or it has been caused by a return to a package other than SL: theorem interpackage_transfer_only_via_valid_ Call_to_PORT_or_Return: [[curr_PAD s =curr_PAD s; ((p,s),c,(p ,s )) ∈ Trans ]] =⇒ ( ∃va pa PADs. hd (p In) = Call va ∧ PEA s va = Some pa ∧ memory s pa = PORT PADs ∧ curr_PAD s ∈ PADs) ∨ ( ∃ r rs. hd (p In) = Return ∧ stack s = r#rs ∧ r = Pri SL) The proof of this theorem is straightforward by case distinction on all instructions available and unfolding the definition of Call_access .
Much more involved is the proof of our final theorem stating that only PSL can enter SL: we need an invariant that all PORT instructions contained in memory allocated to SL allow only calls by SL itself and by PSL. This in turn requires two assumptions that SL writes memory allocated to itself and the page table entries for its memory only in such a way that the invariant is maintained: ,s) ,c,(p ,s )) ∈ Trans; curr_PAD s = Pri SL; hd (p In) = Write_PT_map (Pri SL, lvp) (Some pp); hd (p Out) = Ok; memory s (pp,dp) = PORT PADs ]] =⇒ PADs ⊆ {Pri SL, Pri PSL} Note the essential role of aliasing in the first of these axioms: the instruction intended to write a PORT instruction at virtual address va might affect SL memory even if va does not belong to SL, namely, if there is some other virtual address (Pri SL, lva) that happens to be mapped to the same physical address.
Apart from the two axioms, the proof of the invariant requires the axiom init_PORT_SL given in Sect. 4.5 as well as the theorems only_SL_changes_SL_memory and only_SL_changes_PT_map_of_SL . lemma SL_PORT_SL_PSL: Inv ( λs. ∀ lva pa PADs. PEA s (Pri SL, lva) = Some pa −→ memory s pa = PORT PADs −→ PADs ⊆ {Pri SL, Pri PSL})
Exploiting the invariant, the theorem can be proven in just a few steps. It reads as follows: for any sequence of transitions ts that may result from a system run and any state transition from s to s within it, if SL becomes the current package in s , the current package of the prestate s must have been PSL. theorem only_PSL_enters_SL:
[[ts ∈ TRuns; ((p,s),c,(p ,s )) ∈ set ts; curr_PAD s = Pri SL; curr_PAD s = Pri SL ]] =⇒ curr_PAD s = Pri PSL This finishes our abstract formal analysis of the SLE 88 memory management.
Conclusion
We have introduced a security model for the memory management of the SLE 88 smart card processor chip. Memory management contributes to security by providing access control mechanisms on the levels of both virtual and physical memory addresses, allowing one to separate applications and privileged SW packages (e.g., the operating system and the security layer SL) as well as applications from each other. Access control is guided by a policy comprising both discretionary (by effective access rights EAR) and mandatory (w.r.t. SL and privileged packages) rules. Enforcing the policy is nontrivial: the ability to change EARs and address mappings, the interacting levels of protection, aliasing in address translation, interpackage calls, and the peculiarities of SL have to be considered.
The model gives an abstract view of the SLE 88 by concentrating on memory access and its protection only, leaving out details of the system and application functionality. Abstraction is achieved by reductions on the data structure and interface design and by underspecification. For instance, many data types used in the model are declared but not actually defined.
Carrying out the formal modeling work turned out to be worthwhile because it provided new insights and lead to clarification of previously fuzzy concepts. Formal reasoning resulted in a minimal set of requirements on noninjective address mappings that guarantee the maintenance of the security properties. These requirements are given by restrictions on admissible combinations of EAR settings. The derived notion of EAR consistency is the least restrictive one among those that preserve security and offers much more flexibility compared to simply forbidding aliasing. Formal analysis showed that security depends on assumptions on the initial state (e.g., initial EAR and PASL settings) as well as on benign behavior of SL. The assumptions can be interpreted as requirements on configuration upon delivery and on the software development of privileged packages. They clearly indicate the distribution of responsibility between the target of evaluation and its environment. Last but not least, formal arguments lead to a clarification of the role of PASL: the PASL mechanism does not provide additional protection in case of weak EARs for SL but protects against effects resulting from undesired mapping of both SL and non-SL virtual addresses to the same physical address.
To summarize, results of the modeling and proving process are the identification of relevant assumptions on the system environment and the derivation of new insights in the memory management and its security properties. The cost-benefit ratio is adequate: the whole work required no more than 6 weeks' effort, largely due to the availability of adequate tool support through Isabelle/HOL and the ISM approach. Thus, the SLE 88 memory management security model is an excellent example of the value of formal security modeling in practical industrial-scale applications.
