3,567 research outputs found

    Multilevel Contracts for Trusted Components

    This article contributes to the design and the verification of trusted components and services. The contracts are declined at several levels to cover different facets, such as component consistency, compatibility or correctness. The article introduces multilevel contracts and a design+verification process for handling and analysing these contracts in component models. The approach is implemented with the COSTO platform that supports the Kmelia component model. A case study illustrates the overall approach.
    Comment: In Proceedings WCSI 2010, arXiv:1010.233

    A B model for ensuring soundness of a large subset of the Java Card virtual machine

    Java Cards are a new generation of smart cards that use the Java programming language. As smart cards are usually used to supply security to an information system, security requirements are very strong. The byte code interpreter and verifier are crucial components of such cards, and proving their safety can become a competitive advantage. Previous work has been done on a methodology for proving the soundness of the byte code interpreter and verifier using the B method. It refines an abstract defensive interpreter into a byte code verifier and a byte code interpreter. However, this work had only been tested on a very small subset of the Java Card instruction set. This paper presents work aiming at verifying the scalability of this previous work. The original instruction subset of about 10 instructions has been extended to a larger subset of more than one hundred instructions, and the additional cost of the proof has been managed by modifying the specification in order to group opcodes by properties.

    Properties preservation during transformation

    Proving the correctness of a program (written in a high level programming language) with respect to a specification (a set of proof obligations) does not assure the correctness of the machine code that the end-user will run after the compilation and deployment phases. The code generated by the compiler should be verified again to guarantee that its correctness was preserved, and therefore that it can be executed safely. In the context of a Ph.D. work in the area of software analysis and transformation, we are looking for a suitable approach to prove that the software properties (validated at source level) are kept during translation. In this position paper we introduce our architectural proposal, and discuss the platform we are building for Java+JML on top of Eclipse.
    Fundação para a Ciência e a Tecnologia (FCT) - MAPi/FCT, PhD grant no. SFRH/BD/33231/2007

    Formalizing non-interference for a simple bytecode language in Coq

    In this paper, we describe the application of the interactive theorem prover Coq to the security analysis of bytecode as used in Java. We provide a generic specification and proof of non-interference for bytecode languages using the Coq module system. We illustrate the use of this formalization by applying it to a small subset of Java bytecode. The emphasis of the paper is on modularity of a language formalization and its analysis in a machine proof.

    06191 Abstracts Collection -- Rigorous Methods for Software Construction and Analysis

    From 07.05.06 to 12.05.06, the Dagstuhl Seminar 06191 "Rigorous Methods for Software Construction and Analysis" was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available.

    Aspects of Java program verification
