8 research outputs found

    Enhancing Java Runtime Environment for Smart Cards Against Runtime Attacks


    Foundations of Security Analysis and Design III, FOSAD 2004/2005 - Tutorial Lectures

    The increasing relevance of security to real-life applications, such as electronic commerce and Internet banking, is attested by the fast-growing number of research groups, events, conferences, and summer schools that address the study of foundations for the analysis and the design of security aspects. This book presents thoroughly revised versions of eight tutorial lectures given by leading researchers during two International Schools on Foundations of Security Analysis and Design, FOSAD 2004/2005, held in Bertinoro, Italy, in September 2004 and September 2005. The lectures are devoted to: Justifying a Dolev-Yao Model under Active Attacks, Model-based Security Engineering with UML, Physical Security and Side-Channel Attacks, Static Analysis of Authentication, Formal Methods for Smartcard Security, Privacy-Preserving Database Systems, Intrusion Detection, Security and Trust Requirements Engineering.

    Contributions to the Security of Java Cards

    Java Card is today the most widely deployed type of smart card in banking and mobile telephony. Besides the many physical countermeasures that protect the microprocessor against external attacks, the Java Card virtual machine has a set of mechanisms (such as the bytecode verifier and the firewall) which, combined with the typing of the Java language, offer strong isolation properties for applications (applets) with respect to the execution of the Java Card virtual machine. But the evolution of software attacks based on type confusion and of physical attacks has shown the limitations of the virtual machine's isolation model. First, several works show new logical, physical and hybrid threats for extracting secrets buried in Java Card instances by using the loaded applications as targets and as attack vectors. Then, several countermeasure strategies are built from two points of view. On the one hand, reactive protections (against fault attacks) and proactive protections (by dynamic update) are integrated into the Java Card virtual machine. On the other hand, code analysis solutions that assist the developer are evaluated in order to strengthen the security of applets against development weaknesses or against possible exploitation of the bytecode by fault attacks.

    A Machine-Checked, Type-Safe Model of Java Concurrency : Language, Virtual Machine, Memory Model, and Verified Compiler

    The Java programming language provides safety and security guarantees such as type safety and its security architecture. They distinguish it from other mainstream programming languages like C and C++. In this work, we develop a machine-checked model of concurrent Java and the Java memory model and investigate the impact of concurrency on these guarantees. From the formal model, we automatically obtain an executable verified compiler to bytecode and a validated virtual machine.

    A Formal Correspondence between Offensive and Defensive JavaCard Virtual Machines

    Many formal specifications of the JavaCard Virtual Machine are defensive, in that they perform type-checking at run-time. In this paper, we show how to construct from such a defensive virtual machine an offensive one that does not perform type-checking at run-time. Further, we establish that the two machines coincide for the class of JavaCard programs that pass bytecode verification. Both the construction of the offensive virtual machine and its correctness proof are achieved using (non-standard) abstract interpretation techniques and have been fully formalized in the Coq proof assistant.

    Deductive Verification of Concurrent Programs and its Application to Secure Information Flow for Java

    Formal verification of concurrent programs still poses a major challenge in computer science. Our approach is an adaptation of the modular rely/guarantee methodology in dynamic logic. Besides functional properties, we investigate language-based security. Our verification approach extends naturally to multi-threaded Java, and we present an implementation in the KeY verification system. We propose natural extensions to JML regarding both confidentiality properties and multi-threaded programs.

    Proceedings of the First NASA Formal Methods Symposium

    Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000.

    Worst-Case Resource-Usage Analysis of Java Card Classic Editions Application Bytecode

    Java Card is the dominant smartcard technology in use today, with over 12 billion Java Card smartcards having shipped globally in the last 15 years. Almost exclusively, the deployed Java Card smartcards are instances of a Classic edition, for which garbage collection is an optional component even in the most recent Classic edition. Poorly written or malicious Java Card applications may drain the available memory of a Java Card Virtual Machine to the point where the card becomes unusable, and undisciplined use of the transaction mechanism may exhaust the available transaction buffers, resulting in a programmatic abort by the Java Card Runtime Environment and so limiting the range of services a Java Card application is able to offer. Given the size and global nature of the user base, and the commercial importance of Java Card, there is a stunning lack of tools supporting analysis or certification of the memory, transactional or CPU usage of Java Card applications. In this thesis we present a worst-case resource-usage analysis tool for Java Card which is capable of producing worst-case memory-usage and worst-case execution-time estimates for Java Card applications (also known as applets). Our main theoretical contribution is a static analysis for Java Card applets at the bytecode level which conservatively approximates properties of interest affecting memory usage, input-output/APDU usage and transaction usage. Our static analysis provides the high-level information for the subsequent worst-case resource-usage analysis in our tool, which exploits well-known results and techniques from hard real-time systems. We generate a resource-usage graph per registered applet, with the lifecycle method entry point as the start node and the control flow returning to the Java Card Runtime Environment as the final node. We use the Implicit Path Enumeration Technique to generate and solve Integer Linear Programming problems representing the worst-case memory usage and worst-case execution time.