Formal Development of Safe and Secure Java Card Applets

This thesis is concerned with formal development of JAVA CARD applets. JAVA CARD is a technology that provides a means to program smart cards with (a subset of) the JAVA language. In recent years JAVA CARD technology gained great interest in the formal verification community. There are two reasons for this. Due to the sensitive nature (e.g., security, maintenance costs) of JAVA CARD applets, formal verification for JAVA CARD is highly desired. Moreover, because of the relative simplicity of the programming language, JAVA CARD is also a feasible target for formal verification. The formal verification platform that we used in our research is the KeY system developed in the KeY Project. One of the main objectives of our research is to find out how far formal verification for industrial size JAVA CARD applets goes, in terms of usability, automation, and power (expressivity of constraints). Furthermore, we investigated practical and theoretical shortcomings of the verification techniques and development methods for JAVA CARD applets. As a result, we adapted a program logic for JAVA CARD to be able to express interesting, meaningful safety and security properties (strong invariants) and proposed design guidelines to support and ease formal verification (design for verification). We performed extensive practical experiments with the KeY system to justify and evaluate our work. Formal aspects of our research concentrate on source code level verification of JAVA CARD programs with interactive and automated theorem proving. Our work has been driven by certain assumptions, motivated by the KeY Project’s philosophy: (1) formal verification should be accessible to software engineers without years of training in formal methods, (2) we should be able to perform full verification whenever needed, i.e., we want to handle complex JAVA CARD applets that involve JAVA CARD specific features, like atomic transactions and object persistency, (3) the verified code should not be subjected to translations, simplifications, intermediate representations, etc., and finally, (4) the properties that we prove should relate to important safety and security issues in JAVA CARD development. We relate to these goals in our work.