autonomous and yet secure evolution for smart cards...
TRANSCRIPT
![Page 1: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/1.jpg)
Autonomous and yet Secure Evolution for Smart Cards Applications
Fabio Massacci Joint work with O. Gadyatskaya
DISI, University of Trento
Massacci Gadyaskaya - TUB 2011-03-10 1
![Page 2: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/2.jpg)
The talk plan
• Where’s Trento?
• The rara avis of multi-application smart-cards
• Security-by-Contract for smart cards
• A (thin) slice of theory
• A (larger) slice of engineering
• Open problems
Massacci Gadyaskaya - TUB 2011-03-10 2
![Page 3: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/3.jpg)
Trento in Space and Time • 1962
– Institute of Social Science founded as locally funded Institution
• 1972 – Institute becomes
private University
• 1982 – University
becomes a state University with special autonomy
• 2001 – University
becomes 1st in University Rankings
Massacci Gadyaskaya - TUB 2011-03-10 3
TRENTO
![Page 4: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/4.jpg)
What do we do there?
• Organizational Level Security – Governance, Risk and Compliance (FM)
– Security Requirements Engineering (FM,JM,PG)
• System Security – Run-time enforcement at ESB (FM,BC)
– Browser Security (FM)
• Mobile/Embedded Code Security-by-Contract – Load-time security verification (FM)
– Run-time information flow (BC)
Massacci Gadyaskaya - TUB 2011-03-10 4
![Page 5: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/5.jpg)
The talk plan
• Where’s Trento?
• The rara avis of multi-application smart-cards
• Security-by-Contract for smart cards
• A (thin) slice of theory
• A (larger) slice of engineering
• Open problems
Massacci Gadyaskaya - TUB 2011-03-10 5
![Page 6: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/6.jpg)
Smart cards today
• Modern computing devices
• Tamper-resistant security system
• Widely used
• But we have too many of them in our pockets
6 Massacci Gadyaskaya - TUB 2011-03-10
![Page 7: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/7.jpg)
Open Multi-application smart cards
• Cards with multiple applets – allow post-issuance evolution (add/remove/update) – from different stakeholders – Asynchronously
• Interaction of applets on a single chip is natural: – Applications may interact exchanging loyalty points,
transferring money or sharing valuable information.
• First paper I saw, I was a PhD Student 10yrs ago – Information Flow Verification for Multi-Applications
Smart Card. – The Air-France, Hertz example...
Massacci Gadyaskaya - TUB 2011-03-10 7
![Page 8: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/8.jpg)
Java Card + GlobalPlatform
• GlobalPlatform = Middleware for secure management of applets (with open specification)
– Lots of smart cards deployed with GP
• GlobalPlatform and JavaCard specifications
– support loading, update and un-loading of many applications on the fly and asynchronously
– allow interactions among applications (through services implementing Shareable interface)
• Still/Yet/But…
– We don’t really see multi-application cards in the wild.
8 Massacci Gadyaskaya - TUB 2011-03-10
![Page 9: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/9.jpg)
What is there…
Massacci Gadyaskaya - TUB 2011-03-10 9
Malesian card allows lot of applets but no interaction: firewall guarantee security
Evolution
Interaction
Security
Most commercial cards locked before deployment: security of interaction certified off line
??
![Page 10: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/10.jpg)
The usual evocative picture
Imag
e fr
om
D1
.1 o
f Se
cure
Ch
ange
pro
ject
10 Massacci Gadyaskaya - TUB 2011-03-10
![Page 11: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/11.jpg)
A more precise picture
Massacci Gadyaskaya - TUB 2011-03-10 11 Hardware
Operating System
Java API
Native API JVM Loader
JCRE
Applet N Applet 1
Java Firewall
Only checks bytecode and signature from
domains
Once you are in you are in….
![Page 12: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/12.jpg)
How does Java Card firewall work?
• Applets interact through firewall using shareable interfaces • Application ePurse of Bank
– offers a service transfer_money. – does a preliminary access control checking caller AIDs in a list
• Application jTicket of Transport – wants to use transfer_money of ePurse
• What happens – jTicket asks the firewall for a reference to transfer_money. – Firewall passes call to ePurse. If jTicket is in the list, ePurse will
return a reference to transfer_money service.
• Consequences – jTicket got a reference can use service from now on – ePurse wants to prevent jTicket use its service must update itself
Business Model of Multi-Application SC (E+I+S) not supported
Massacci Gadyaskaya - TUB 2011-03-10 12
![Page 13: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/13.jpg)
The talk plan
• Where’s Trento?
• The rara avis of multi-application smart-cards
• Security-by-Contract for smart cards
• A (thin) slice of theory
• A (larger) slice of engineering
• Open problems
Massacci Gadyaskaya - TUB 2011-03-10 13
![Page 14: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/14.jpg)
Security-by-Contract idea
Massacci Gadyaskaya - TUB 2011-03-10 14
![Page 15: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/15.jpg)
SxC as Load-time verification
• General idea of SxC for mobile devices: – Application has to be compliant with security policy of the
device – Derived from PCC and MCC
• Well-tested for mobile platforms – Java & .NET implementation – Eu S3MS project – Many publication: JCS, JLAP, Comp. & Security, SCP, Elsevier
IITR – Policy checker could even run a small model checker
• “allowed file.size > 1024Kb “ vs “filesize < 512kb”
• But here we have a problem – Who sets the policy of device? – “Clear” for mobiles: operator, manfacturer, user
Massacci Gadyaskaya - TUB 2011-03-10 15
![Page 16: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/16.jpg)
SxC for Smart Cards
• Whose policy? – The union of the policies of all applets
• Broader Contract – Claims
• I may provide these shareable interfaces
• I may call those methods from those interfaces
– Security Rules • I can only be called by this Application/Package
– Functional Rules • I need these methods from those interfaces
Massacci Gadyaskaya - TUB 2011-03-10 16
![Page 17: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/17.jpg)
SxC workflow for smart cards
Massacci Gadyaskaya - TUB 2011-03-10 17
Claim Checker Policy Checker
Reject
Update Policy
with new arrival
![Page 18: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/18.jpg)
• Provides = {} • Calls = {ePurse.transferMoney} • Sec.rules = {} • Func.rules ={}
• Provides = {ageDiscount, loyaltyDiscount} • Calls = {ePurse.transferMoney} • Sec.rules = { ageDiscount {IDapplet), loyaltyDscount {ePurse)} • Func.rules = {ePurse.transferMoney}
• Provides = {transferMoney} • Calls = {} • Sec.rules = {transferMoney -> {jTicket}} • Func.rules = {}
SxC Example • Already installed Applet
ePurse with Contract:
• Applet jTicket arrives with Contract:
• jTicket is loaded, cheked, and finally installed.
• Applet i-Travel arrives with Contract:
• i-Travel is rejected: load process is not committed
Massacci Gadyaskaya - TUB 2011-03-10 18
![Page 19: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/19.jpg)
Formal Model of a JC Platform
Platform Θ =
<ΔA, ΔS ,A, shareable(), invoke(), sec.rules(), func.rules()>
– ΔA = domain of applications, ΔS = domain of services
–A ⊆ ΔA • applets deployed (installed) on the platform
– shareable(), invoke(): ΔA → p(ΔS ) • Services offered by applet (resp. invoked by applet)
– sec.rules(): ΔA x ΔS → p(ΔA) • For any applet and its services which applets can call it
– func.rules(): ΔA → p(ΔS ) • Services that must be present in order for the applet to function
19 Massacci Gadyaskaya - TUB 2011-03-10
![Page 20: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/20.jpg)
Why we use different names?
• Platform has
– Shareable(A) ΔS and invoke(A) ΔS
• Contract has
– Provides(A) ΔS and Calls(A) ΔS
• Same difference between reality and claims
– The first is reality, what really is there
– The seconds are the claims, they might be honest but might also not correspond to truth
Massacci Gadyaskaya - TUB 2011-03-10 20
![Page 21: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/21.jpg)
SxC workflow for smart cards
Massacci Gadyaskaya - TUB 2011-03-10 21
DO REALITY MATCH CLAIMS?
Policy Checker
Reject
Update Policy
DO CLAIMS MATCH POLICY?
![Page 22: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/22.jpg)
The talk plan
• Where’s Trento?
• The rara avis of multi-application smart-cards
• Security-by-Contract for smart cards
• A (thin) slice of theory
• A (larger) slice of engineering
• Open problems
Massacci Gadyaskaya - TUB 2011-03-10 22
![Page 23: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/23.jpg)
Introducing evolution to the model
• Let B be an application, an evolved platform Θ’ for B from a platform Θ is defined according to the next types of changes: – B is a new applet to be added to the platform,
– old applet B is removed from the platform,
– update of an installed applet B • Add/remove of a service to shareable(B)
• Add/remove of a service to invoke(B)
• Add/remove of an access authorization to sec.rules(B)
• Add/remove of a service to func.rules(B)
Massacci Gadyaskaya - TUB 2011-03-10 23
![Page 24: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/24.jpg)
Checking Changes Incrementally
• For each type of change the Claim Checker and the Policy checker should verify only the parts of the platform that are touched by changes.
• For new applet B: – Claim Checker has to verify that
• shareable(B)=ProvidesB
• invoke(B)=CallsB
• (or to extract shareable(B) and invoke(B) from the code and write these sets into the ContractB)
– The Policy Checker has to check that for all applets A ∈ A : • if A.s ∈ CallsB then (s,B) ∈ sec.rules(A)
• if A.s ∈ func.rules(B) then s ∈ ProvidesA
• if B.s ∈ CallsA then (s,A) ∈ sec.rules(B)
Massacci Gadyaskaya - TUB 2011-03-10 24
![Page 25: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/25.jpg)
• Provides = {ageDiscount, loyaltyDiscount} • Calls = {ePurse.transfer_money} • Sec.rules ={ ageDiscount {IDapplet}, loyaltyDiscount {ePurse)} • Func.rules = {ePurse.transfer_money}
•Provides = {transferMoney} •Calls = {} •Sec.rules = {transferMoney {jTicket}} •Func.rules = {}
Trickier Example
• Applet ePurse:
• Applet jTicket:
• Now we update ePurse
• What happens?
Massacci Gadyaskaya - TUB 2011-03-10 25
• Provides = {transferMoney} • Calls = { jTicket.ageDiscount } • Sec.rules = {transferMoney {jTicket}} • Func.rules = {}
![Page 26: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/26.jpg)
Secure Platform
• A platform Θ remains secure during evolution – This is what you really want after each update – For every applet the traces of real executions
respects its security and functional rules • Whenever somebody calls you it is authorized • Whenever you need to call an essential service it is still there
(provided it was there before)
• Security and functionality in terms of Contracts – Contracts do not violate Global Policy – Claims are consistent with bytecode – Otherwise update is rejected
• Need to show the two coincide.
Massacci Gadyaskaya - TUB 2011-03-10 26
![Page 27: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/27.jpg)
Security Theorem • IF Platform was secure before the update, • & IF shareable interfaces are only means for inter-app
communication • & IF Claim Checker and the Policy Checker are sound and
accepted an update at the loading time, • THEN evolved platform will be secure.
– Proving by contradiction that if security or functionality is broken on the platform, then either the ClaimChecker, or the Policy Checker will reject the update
• Still an Engineering gap – In theory it could work for Application IDs in contracts, – in practice we may need to weaken the claim to Package Ids
• Depends on what we can implement in the claim checker
Massacci Gadyaskaya - TUB 2011-03-10 27
![Page 28: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/28.jpg)
The talk plan
• Where’s Trento?
• The rara avis of multi-application smart-cards
• Security-by-Contract for smart cards
• A (thin) slice of theory
• A (larger) slice of engineering
• Open problems
Massacci Gadyaskaya - TUB 2011-03-10 28
![Page 29: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/29.jpg)
Our First Architecture
Massacci Gadyaskaya - TUB 2011-03-10 29 Hardware
Operating System
Java API
Native API JVM Loader
JCRE
Applet N Applet 1
Policy Checker
Claim Checker
Java Firewall
Just ask results
Outside protocols
![Page 30: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/30.jpg)
First Engineering problem
• Implemented Policy Checker – POLICY’11 short paper
– Footprint of checker 11KB and contracts 2KB
• Require changing existing update protocols – 1stprotocol with policy checker
– 2nd protocol with claim checker
– 3rd protocol is standard loading plus check results of 1+2
• Loader can trust policy checker, what about claim checker? – Needs signatures and certification
– Too small improvement to justify change update protocol
Massacci Gadyaskaya - TUB 2011-03-10 30
![Page 31: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/31.jpg)
Loader
Our Second Architecture
JCRE
Massacci Gadyaskaya - TUB 2011-03-10 31 Hardware
Operating System
Java API
Native API JVM
Applet N Applet 1 Java Firewall
Do everything
Claim checker
Policy checker
![Page 32: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/32.jpg)
Second Engineering Problem
• More Effective and Efficient
– Loader no longer trust external checks of code
– Eliminate checks of signatures beside standards
– Both checkers can be implemented in C
• But where do we put the policy?
– We need to retrieve it and store it somewhere…
– but loader is NOT loaded in the EEPROM
• We could have a “static int policy[]’’ but that’s not going to work in the ROM
Massacci Gadyaskaya - TUB 2011-03-10 32
![Page 33: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/33.jpg)
Loader
Our Third Architecture
JCRE
Massacci Gadyaskaya - TUB 2011-03-10 33 Hardware
Operating System
Java API
Native API JVM
Applet N Policy Store
Java Firewall
Claim checker
Policy checker
Applet 1
![Page 34: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/34.jpg)
Third Engineering Problem
• C and Java don’t mix well
– The loader can “easily” invoke the Policy Store applet at the beginning of the process andpass reference to it to the loader
• Just need a Java shell onto the loader
– but how to tell it the result at the end??
• It must be the checked contract and nothing else
• Who’s giving the contract to the checker?
– Must change the protocol of update…
Massacci Gadyaskaya - TUB 2011-03-10 34
![Page 35: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/35.jpg)
Loader
Our Third Architecture
JCRE
Massacci Gadyaskaya - TUB 2011-03-10 35 Hardware
Operating System
Java API
Native API JVM
Applet N +contract
Policy Store
Java Firewall
Claim checker
Policy checker
Applet 1 +contract
![Page 36: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/36.jpg)
Engineering Idea
• Each Applet includes contract in java package – No need to send it separately
– Arrives and leaves with applet
– Neutral: contract update requires re-running claim checker
– Cons: contract update requires code update • But in this way claim checker re-run is automatic!
• Policy store references applet contract – Keep efficiency of C implementation with Java flexibility
• Checkers do not need trust anyone
• Next validation by Smart card manufacturer
Massacci Gadyaskaya - TUB 2011-03-10 36
![Page 37: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/37.jpg)
The talk plan
• Where’s Trento?
• The rara avis of multi-application smart-cards
• Security-by-Contract for smart cards
• A (thin) slice of theory
• A (larger) slice of engineering
• Open problems
Massacci Gadyaskaya - TUB 2011-03-10 37
![Page 38: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/38.jpg)
• Provides = {ageDiscount, loyaltyDiscount} • Calls = {ePurse.transferMoney} • Sec.rules ={ ageDiscount {IDapplet}, loyaltyDiscount {ePurse)} • Func.rules = {ePurse.transfer_money}
•Provides = {transferMoney} •Calls = {} •Sec.rules = {transferMoney {jTicket}} •Func.rules = {}
Trickier Example
• Applet ePurse:
• Applet jTicket:
• We update ePurse
• Update is accepted
• What happens later if jTickets wants to drop access to ePurse?
Massacci Gadyaskaya - TUB 2011-03-10 38
• Provides = {transferMoney} • Calls = {jTicket.loyaltyDiscount} • Sec.rules = {transferMoney {jTicket}} • Func.rules = {jTicket.loyaltyDiscount}
![Page 39: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/39.jpg)
A Conflict Resolution Componnet?
• What happens if ePurse owner wants it to be removed from the platform? – jTicket needs the service ePurse.transfer_money
– But ePurse doesn’t want (now) to give him this
• Two possibilities: – to forbid ePurse to be removed OR
– to remove ePurse and make jTicket unselectable.
• (Automatic) Conflict resolution requires investigation of stakeholders (security domains) hierarchy.
Massacci Gadyaskaya - TUB 2011-03-10 39
![Page 40: Autonomous and yet Secure Evolution for Smart Cards ...securitylab.disi.unitn.it/lib/exe/fetch.php?media=research... · Autonomous and yet Secure Evolution for Smart Cards Applications](https://reader031.vdocuments.net/reader031/viewer/2022022500/5aa35fbd7f8b9aa0108e7ffe/html5/thumbnails/40.jpg)
Conclusions: SxC for Smart-Cards
Massacci Gadyaskaya - TUB 2011-03-10 40
DO REALITY MATCH CLAIMS?
Policy Checker
Reject
Update Policy
DO CLAIMS MATCH POLICY?
Resolve Conflicts
Lots of Engineering Decisions are Involved