Secure Information Flow and Pointer Confinement in a Java-like Language
In IEEE Computer Security Foundations Workshop (CSFW), 2002
Cited by 89 (16 self)
We consider a sequential object-oriented language with pointers and mutable state, private fields and class-based visibility, dynamic binding and inheritance, recursive classes, casts and type tests, and recursive methods. Programs are annotated with security levels, constrained by security typing rules. A noninterference theorem shows how the rules ensure pointer confinement and secure information flow.
Stack-based Access Control and Secure Information Flow
2003
Cited by 62 (17 self)
Access control mechanisms are often used with the intent of enforcing confidentiality and integrity policies, but few rigorous connections have been made between information flow and runtime access control. The Java virtual machine and the .NET runtime system provide a dynamic access control mechanism in which permissions are granted to program units and a runtime mechanism checks permissions of code in the calling chain. We investigate a design pattern by which this mechanism can be used to achieve confidentiality and integrity goals: a single interface serves callers of more than one security level and dynamic access control prevents release of high information to low callers. Programs fitting this pattern would be rejected by previous flow analyses. We give a static analysis that admits them, using permission-dependent security types. The analysis is given for a class-based object-oriented language with features including inheritance, dynamic binding, dynamically allocated mutable objects, type casts and recursive types. The analysis is shown to ensure a noninterference property formalizing confidentiality and integrity.
A Program Logic for Handling JAVA CARD's Transaction Mechanism
2002
Cited by 21 (12 self)
In this paper we extend a program logic for verifying JAVA CARD applications by introducing a "throughout" operator that allows us to prove "strong" invariants. Strong invariants can be used to ensure "rip out" properties of JAVA CARD programs (properties that are to be maintained in case of unexpected termination of the program). Along with introducing the "throughout" operator, we show how to handle the JAVA CARD transaction mechanism (and, thus, conditional assignments) in our logic. We present sequent calculus rules for the extended logic.
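The "rip out" property behind the paper's strong invariants, shown as an added Java Card applet sketch. This is illustration code written for this listing, not code from the paper or from the KeY project. The package name, the instruction bytes, the P1P2 amount encoding and the invariant balance + spent == TOTAL are assumptions chosen for the example; the API calls (JCSystem.beginTransaction, commitTransaction, getUnusedCommitCapacity, Util.getShort/setShort) are the standard javacard.framework ones.

```java
package demo.purse; // hypothetical package, not from any real applet

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;

// Hypothetical purse applet used to contrast a tear-unsafe update with a
// transactional one. Everything below is constructed for illustration.
public class PurseApplet extends Applet {

    // Instruction bytes are assumptions for this example, not a real spec.
    private static final byte INS_DEBIT_UNSAFE = (byte) 0x20;
    private static final byte INS_DEBIT_ATOMIC = (byte) 0x22;
    private static final byte INS_READ         = (byte) 0x30;

    private static final short TOTAL = (short) 1000;

    // Fields of the applet object live in persistent memory (EEPROM/flash):
    // they survive power loss, so a tear between two writes is visible in
    // the next session.
    private short balance;
    private short spent;

    private PurseApplet() {
        balance = TOTAL;
        spent = 0;
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PurseApplet().register();
    }

    // Strong invariant in the paper's sense: it must hold "throughout", i.e. at
    // every point where the card may be ripped out, not only when process()
    // returns.
    boolean invariantHolds() {
        return (short) (balance + spent) == TOTAL;
    }

    // "Before": two independent persistent writes. A tear after the first
    // assignment leaves balance + spent != TOTAL permanently, yet an ordinary
    // method-boundary invariant says nothing about this state.
    private void debitUnsafe(short amount) {
        balance -= amount;
        // <- card removed here: spent is never updated
        spent += amount;
    }

    // "After": both writes are conditional assignments inside one transaction.
    // The JCRE commits them together, or rolls the partial writes back at the
    // next reset if power is lost before commitTransaction() completes.
    private void debitAtomic(short amount) {
        // Two shorts (4 bytes) must fit in the commit buffer, or the second
        // write would raise TransactionException.BUFFER_FULL mid-transaction.
        if (JCSystem.getUnusedCommitCapacity() < (short) 4) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        JCSystem.beginTransaction();
        balance -= amount;
        spent += amount;
        JCSystem.commitTransaction();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_DEBIT_UNSAFE:
            case INS_DEBIT_ATOMIC: {
                // Assumed encoding: P1P2 carries the amount as a big-endian short.
                short amount = Util.getShort(buf, ISO7816.OFFSET_P1);
                if (amount < 0 || amount > balance) {
                    ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
                }
                if (buf[ISO7816.OFFSET_INS] == INS_DEBIT_ATOMIC) {
                    debitAtomic(amount);
                } else {
                    debitUnsafe(amount);
                }
                break;
            }
            case INS_READ:
                // Response: balance, spent, and one flag byte for the invariant.
                // After a tear during INS_DEBIT_UNSAFE the flag reads 0.
                Util.setShort(buf, (short) 0, balance);
                Util.setShort(buf, (short) 2, spent);
                buf[4] = invariantHolds() ? (byte) 1 : (byte) 0;
                apdu.setOutgoingAndSend((short) 0, (short) 5);
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

Two caveats a reviewer would check on a real applet: transactions protect only persistent objects written through ordinary assignments and the atomic Util methods, so transient arrays and Util.arrayCopyNonAtomic bypass the commit buffer; and if an exception escapes process() with a transaction still open, the JCRE aborts it, which is the behaviour the "conditional assignment" semantics in the paper has to model.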
Building an "impossible" verifier on a Java Card
Cited by 20 (4 self)
Java is a popular development platform for mobile code systems. It ensures application portability and mobility for a variety of systems, while providing strong security features. The intermediate code (byte code) allows the virtual machine to verify statically (during the loading phase) that the program is well-behaved. This is done by a software security module called the byte code verifier. Smart cards that provide a Java Virtual Machine, called Java Cards, are not supplied with such a verifier because of its complexity. Alternatives are being studied to provide the same functionality outside the card. In the present paper, we propose to integrate the whole verifier inside the smart card. This makes the smart card entirely autonomous, which allows full realization of smart cards' potential as pervasive computing devices. Our verifier uses a specialized encoding and a software cache with a variety of cache policies to adapt to the hardware constraints of smart cards. Our experimental results confirm the feasibility of implementing such a security system in a smart card.
Verification of safety properties in the presence of transactions
In Post-Conf. Proc. of CASSIS: Construction and Analysis of Safe, Secure and Interoperable Smart Devices, Marseille, volume 3362 of LNCS, 2005
Developing efficient blinded attribute certificates on smart cards via pairings
In Gollmann, D., 2010
Cited by 3 (3 self)
This paper describes an elementary protocol to prove possession of anonymous credentials together with its implementation on smart cards. The protocol uses self-blindable attribute certificates represented as points on an elliptic curve (which are stored on the card). These certificates are verified on the reader side via a bilinear pairing. Java Card smart cards offer only very limited access to the cryptographic coprocessor. It thus requires some ingenuity to get the protocol running with reasonable speed. We realise protocol runs with on-card computation times on the order of 1.5 seconds. It should be possible to further reduce this time with extended access to the cryptographic coprocessor. Key words: anonymous credentials, elliptic curve cryptography, smart
JAVA CARD Tools for Together Control Center webpage. http://www.cs.chalmers.se/~woj/javacard
Cited by 2 (2 self)
This is a description of the JAVA CARD Tools package for Together Control Center. The package supports the development of JAVA CARD applets (writing, compiling, installing, testing, etc.) inside the Together Control Center CASE tool.
On Board Compiling in the Very Small
In International Workshop on Construction and Analysis of Safe, Secure and Interoperable Smart Devices (CASSIS04), 2004
Cited by 2 (0 self)
Smart cards and embedded devices are well known for being low-end platforms with limited resources and computing power. They are therefore not provided with embedded compilers, which are said to be expensive, and use byte code interpreters rather than just-in-time or on-the-fly compilers. This paper challenges that idea and motivates the expected benefits of an embedded on-the-fly compilation process. Directions are given for succeeding at compiling in the very small.

This paper presents the component binding model implemented in CAMILLE, an extensible operating system for resource-limited devices. Modern embedded systems need, on the one hand, to fully exploit the limited hardware on which they run and, on the other hand, to dynamically adapt themselves to changes in their runtime environment. CAMILLE is an exokernel which supports static customization of components and dynamic loading of system extensions. Dynamic kernel and application adaptation is implemented by an inter-component communication model. This model is based on flexible bindings which permit full customization of the way components interact with each other. Bindings can be static, virtual or compiled to guarantee the performance of inter-component communications. This paper shows that it is possible to build a flexible operating system without sacrificing runtime performance, even for devices as constrained as smart cards. Some architectural and experimental results are extracted from the CAMILLE generic embedded on-the-fly code compiler.
OCL Specifications for the Java Card API
2003
Cited by 1 (1 self)
This Master's thesis discusses the development of OCL specifications for the Java Card API, and is part of the KeY project. OCL is a specification language, i.e. it is used to express formally the requirements on a system. The KeY tool is a CASE tool in which formal methods (formal specification and formal verification) are integrated with contemporary software development techniques. The main purpose of the OCL specifications is to simplify the verification of Java Card programs within the KeY tool. Verification means that one proves, through mathematical and logical methods, that the implementation fulfils the requirements in the specification. Already existing specifications written in JML, a specification language specially suited for Java, have been used as a starting point for the development of the OCL specifications. OCL is a more general language. Problems that have to be solved are, for instance, how to express in OCL the throwing of exceptions, how to test whether a reference variable contains a null value, and how to handle the risk of overflow in the context of arithmetic integer operations. It has been shown that OCL lacks some important properties when it comes to specifying Java programs, but in other aspects is superior to JML.

Summary (translated from the Swedish abstract): This thesis discusses the development of OCL specifications for the Java Card API, and is part of the KeY project. OCL is a specification language, i.e. it is used to express formally the requirements on a given system. KeY is a development tool in which formal methods (formal specification and formal verification) have been integrated with modern object-oriented development methods. The purpose of the OCL specifications is first and foremost to facilitate the verification of Java Card programs in KeY. Verification means...

