Static program analysis of multi-applet JavaCard applications

Java Card provides a framework of classes and interfaces that hides the details of the underlying smart card interface and makes it possible to load and run on the same card several applets, from different application providers with complex trust relationships. This fact opens prospects for new business applications, but the card issuer has to secure absence of malicious or faulty card applets. He has to be able to check that (i) applets do not cause illicit method invocations that violate temporal restrictions of inter-applet communication, (ii) applets protect themselves from unwanted information flow to third parties and (iii) it is not possible for an unhandled Java Card API exception to leave an applet in an unpredictable state that is potentially dangerous for the application’s security. We explore recent advances in theory and tool support of static program analysis and we present an approach for automatic verification of smart card applications that by definition are security critical.