A Formal Executable Semantics of the Java Card Platform
Gilles BARTHE, Guillaume DUFAY, Line JAKUBIEC, Bernard SERPETTE, Simão MELO de SOUSA
January 7th
Luminy 02

JavaCard
• a subset of Java
• designed for Smart Cards
The formalization
• Precise: formal, all aspects captured (exception handling, firewall, interfaces, arrays, ...)
• Complete: all instructions formalized (110)
• Usable: from Java programs to a Coq representation
• Executable: step-by-step execution
The functional language
The functional language in Coq has several advantages:
• rather close to an implementation
• well suited to verify program properties
• can easily be brought to pure functional languages (Objective CAML) and to formal verification environments (Isabelle/HOL)
Applet's data
```coq
Record jc_program : Set := { (* Post linking *)
  classes    : (list Class);
  methods    : (list Method);
  interfaces : (list Interface) }.

Record Method : Set := {
  nargs        : nat;
  nlocal       : nat;
  bytecode     : (list Instruction);
  handler_list : (list handler_type);
  owner        : Package;
  ... }.
```
Memory
• Stack as a list of frames
```coq
Record frame : Set := {
  opstack     : (list valu);
  locvars     : (list valu);
  method_loc  : nat;
  context_ref : Package;
  p_count     : nat }.
```
• Heap as a list of objects
```coq
Inductive object : Set :=
    Instance : type_instance -> object
  | Array    : type_array -> object.
```
Instructions
• One-step execution for each instruction: jcvm_state * operands -> returned_state
• JCVM state: jcvm_state := static heap * heap * stack
• Returned state:
```coq
Inductive returned_state : Set :=
    Normal   : jcvm_state -> returned_state
  | Abnormal : xcpt * jcvm_state -> returned_state.
```
Instruction
```coq
Definition NEW := [idx:cap_class_idx][state:jcvm_state][cap:jcprogram]
  Cases state of
    (sh, (hp, ((cons h lf) as s))) =>
      (* Extract the owner class from the cap_file *)
      Cases (Nth_elt (classes cap) idx) of
        (* then a new instance is created and pushed into the heap *)
        (value cl) =>
          let new_obj = ... in
          (Normal (sh, ((app hp new_obj),
                        (cons (update_opstack
                                 (cons ((Ref (Ref_instance idx)), (inject_nat (S (length hp))))
                                       (opstack h))
                                 h)
                              (tail s)))))
      | error => (AbortCode class_membership_error state)
      end
  | _ => (AbortCode state_error state)
  end.
```
Abstraction of types

|                | Concrete VM      | Abstract VM           |
|----------------|------------------|-----------------------|
| valu :=        | type*Z           | type                  |
| returnAddress  | type_prim        | nat->type_prim        |
| jcvm_state :=  | sheap*heap*stack | sheap*frame           |
| exec_instr :   | returned_state   | (list returned_state) |
Abstraction correctness
• Use the two VMs simultaneously
• Define a correspondence (abstraction function) between the two formalizations, relating the concrete and the abstract execution:

```text
jcvm_state ------- exec_intr -------> returned_state
    |                                      |
    | abstraction                          | abstraction'
    v                                      v
abs_jcvm_state --- abs_exec_intr ---> (list abs_returned_state)
```

The diagram commutes up to ≤: the abstraction of the concrete result is bounded by the result of abs_exec_intr.
Abstract instruction
```coq
Definition abs_NEW := [idx:cap_class_idx][state:abs_jcvm_state][cap:jcprogram]
  Cases state of
    (sh, h) =>
      Cases (Nth_elt (classes cap) idx) of
        (value cl) =>
          (update_absframe
             (Build_absframe (cons (absRef (absRef_instance idx)) (absOpstack h))
                             ...
                             (S (absP_count h)))
             state)
      | error => (abs_AbortCode class_membership_error state)
      end
  | _ => (abs_AbortCode state_error state)
  end.
```
Bytecode verifier
At any instruction of a program:
• correct types for local variables and instance variables
• methods called with the appropriate arguments
• instructions used with the appropriate operands
When successively passing through an instruction:
• same operand stack size and similar types of values
Algorithm
• Use abstract VM for the execution of the instructions of one method
• Unify the returned state with the saved state for the considered instruction
• Keep the unified state as the new saved state
• If the result of the unification differs from the saved state, the execution continues (fixpoint not reached)
Types lattice - Termination
To ensure the termination of the algorithm:
• Use a lattice for VM types
• Show that the result of the unification is bigger than the saved state
Lattice elements shown in the figure: Void, Prim, Object, Interfaces, Arrays, Instances, Null.
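The fixpoint algorithm and the lattice argument above, as an added Python example that is not part of the slides or of the authors' Coq development: a toy abstract VM with a few Java-Card-like opcodes (sconst, new, aconst_null, aload, astore, ifeq, return; names chosen here), a type lattice whose ordering (Null below Instance/Array/Interface, those below Object, and Object and Prim below the top element Void) is assumed from the figure, and a worklist verifier that re-executes an instruction whenever unifying the returned state with the saved state enlarges it.

```python
# Type lattice following the slide's figure (ordering assumed); Void is the top.
ABOVE = {"Null": {"Instance", "Array", "Interface"}, "Instance": {"Object"},
         "Array": {"Object"}, "Interface": {"Object"}, "Object": {"Void"},
         "Prim": {"Void"}, "Void": set()}
PUSH = {"sconst": "Prim", "new": "Instance", "aconst_null": "Null"}  # toy opcodes

class VerifyError(Exception):
    pass
def ups(t):  # every lattice element >= t (reflexive-transitive closure of ABOVE)
    return {t}.union(*(ups(u) for u in ABOVE[t]))
def join(a, b):  # least upper bound: the unified type is never below either input
    common = ups(a) & ups(b)
    return next(x for x in common if common <= ups(x))
def pop(st, want, pc):  # pop one operand after checking that its type is <= want
    if not st or want not in ups(st[-1]):
        raise VerifyError(f"pc {pc}: expected {want}, stack {list(st)}")
    return st[:-1], st[-1]
def abs_exec(pc, fr, code):  # one abstract step on a frame (opstack, locals)
    (st, lv), (op, *a) = fr, code[pc]
    if op in PUSH:
        return [(pc + 1, (st + (PUSH[op],), lv))]
    if op == "aload":  # the local must hold a reference type
        return [(pc + 1, (st + pop(lv[a[0]:a[0] + 1], "Object", pc)[1:], lv))]
    if op == "astore":
        st, t = pop(st, "Object", pc)
        return [(pc + 1, (st, lv[:a[0]] + (t,) + lv[a[0] + 1:]))]
    if op == "ifeq":  # two successors, like the (list returned_state) result
        st = pop(st, "Prim", pc)[0]
        return [(pc + 1, (st, lv)), (a[0], (st, lv))]
    if op == "return":
        return []
    raise VerifyError(f"pc {pc}: unknown opcode {op}")
def unify(x, y, pc):  # pointwise join; a merge point needs equal stack sizes
    if len(x[0]) != len(y[0]):
        raise VerifyError(f"pc {pc}: operand stack size mismatch")
    return tuple(map(join, x[0], y[0])), tuple(map(join, x[1], y[1]))
def verify(code, nlocal):  # worklist fixpoint over the saved state of each pc
    saved, work = {0: ((), ("Void",) * nlocal)}, [0]  # entry: empty stack, unusable locals
    while work:
        pc = work.pop()
        for npc, fr in abs_exec(pc, saved[pc], code):
            new = unify(saved[npc], fr, npc) if npc in saved else fr
            if saved.get(npc) != new:  # state grew => fixpoint not yet reached
                saved[npc] = new
                work.append(npc)
    return saved

# Constructed sample: local 0 is Null on one path and Instance on the other.
LOOP = [("aconst_null",), ("astore", 0), ("sconst",), ("ifeq", 6),
        ("new", 7), ("astore", 0), ("aload", 0), ("return",)]
```

Because join only moves a state upwards in a finite lattice, the worklist empties and the loop terminates; storing a Prim into a reference local or reaching a merge point with two different stack sizes raises VerifyError instead.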
Well-founded recursion
• Use the notion of accessibility to describe a well-founded relation:
```coq
Inductive Acc [A:Set; R:A->A->Prop] : A -> Prop :=
  Acc_intro : (x:A)((y:A)(R y x) -> (Acc A R y)) -> (Acc A R x).
```
• Use structural induction on a proof of accessibility
• Then use this structural induction to ensure the termination of the algorithm
Structural induction
Theorem (Bytecode verifier):
```coq
Theorem run_verification :
  (lrs:(list (Exc abs_returned_state))) (rs:abs_returned_state) (m:Method) (cap:jcprogram)
  (Acc (list (Exc abs_returned_state)) lt_lers lrs) ->
  (well_ordered_lers lrs) ->
  (list (Exc abs_returned_state)).
```
Proof of accessibility:
```coq
lrs : (list (Exc abs_returned_state))
H   : (Acc (list (Exc abs_returned_state)) lt_lers lrs)
```
Structural induction: `Elim H.`
Offensive JCVM
JCVM without static type-checking:
• type-checking already performed by the BCV
• faster for execution

|         | Concrete VM | Offensive VM |
|---------|-------------|--------------|
| valu := | type*Z      | Z            |
Offensive JCVM correctness
Under the assumption that bytecode verification has been successful:

```text
jcvm_state ------- exec_intr -------> returned_state
    |                                      |
    | off                                  | off'
    v                                      v
off_jcvm_state --- off_exec_intr ---> off_returned_state
```
Offensive instruction
```coq
Definition NEW := [idx:cap_class_idx][state:off_jcvm_state][cap:jcprogram]
  Cases state of
    (sh, (hp, ((cons h lf) as s))) =>
      (* Extract the owner class from the cap_file *)
      Cases (Nth_elt (classes cap) idx) of
        (* then a new instance is created and pushed into the heap;
           the pushed reference is a bare Z, no type tag in the offensive VM *)
        (value cl) =>
          let new_obj = ... in
          (Normal (sh, ((app hp new_obj),
                        (cons (update_opstack
                                 (cons (inject_nat (S (length hp))) (opstack h))
                                 h)
                              (tail s)))))
      | error => (AbortCode class_membership_error state)
      end
  | _ => (AbortCode state_error state)
  end.
```
Generalisation
Given a defensive VM for a particular property (object initialization, security policy, ...):
• abstract a VM with this property
• extract a corresponding executable bytecode verifier
• prove its correctness w.r.t. the concrete VM
Develop a tool to help us deal with this mechanism and with the proofs: Jakarta
Formalizing APIs
The Java Card Dispatcher class from com.sun.javacard.framework is needed. It is written in Java, so it can be converted, BUT:
• it relies on APDUs: add I/O buffers for APDUs to our JCVM state
• it contains native methods: write these methods in Coq and add a special bytecode for invoking them
Summary
• Representation of Java Card programs and of the JCVM memory
• Semantics of all JCVM instructions as executable functions
• Development of a JCVM tool in Java
• Realization of several abstractions on the JCVM
• Realization of a certified bytecode verifier
• Development of a Coq tactic for use with our correctness proofs
Coq development: 15000 lines
Java development: 3500 lines
Future work
Formalize JavaCard API (including native methods)
Formalize JCVM tool in Coq
Prove security properties
Bring the formalization to JVM bytecode
Thank you !