1
Towards Certifiably Correct Java Card Applets
Alessandro Coglio
joint work with
Matthias Anlauff, Li-Mei Gilham,
David Cyrluk, Lambert Meertens
Kestrel Institute
IFIP WG 2.1 Meeting 60 (May 2005)
2
Java
Java
3
Java
smartcards
chip
authentication, banking, telephony, health care,
plastic substrate
4
Java
  • language ?

? ?
  • ? API

Card
5
Java bytecode program
Java Card program
JAVA COMPILER
JAVA CARD CONVERTER
Java Card applet
(checks subset API)
APPLET
. . .
. . .
Java Card applet ≠ Java web applet
SMART CARD HW/OS
6
typically written by hand
Java Card program
somewhat low-level
⇒ error-prone
7
Java Card program
applet spec
8
AutoSmart (automatic generator of smart card applets)
AUTOSMART
Java Card program
applet spec
  • for
  • high assurance
  • productivity

9
AutoSmart (automatic generator of smart card applets)
AUTOSMART
Java Card program
applet spec
10
AutoSmart (automatic generator of smart card applets)
AUTOSMART
Java Card program
applet spec
proof
CHECKER
smaller and simpler than AutoSmart
yes/no
⇒ easier to trust
11
AUTOSMART
Java Card program
applet spec
written in
SmartSlang
12
SmartSlang (smart card specification language)
SmartSlang
13
SmartSlang (smart card specification language)
14
SmartSlang
SmartSlang example e-wallet
15
SmartSlang example e-wallet
expressive type system, e.g. integer ranges (vs. byte/short/int in JC)

    type Balance = Int(0,MAX_BALANCE)
    type Amount = Int(1,MAX_AMOUNT)
    const MAX_BALANCE = 10000
    const MAX_AMOUNT = 100
    state Balance balance
    command credit(Amount amount)
        if (balance + amount <= MAX_BALANCE)
            balance = balance + amount
        else
            respond EXCEEDED_BALANCE
    apdu 0x80,0x30,0,0,ubytes[AMOUNT_BYTES](amount),0
    const EXCEEDED_BALANCE = 0x6A84
    ...

  • capture semantics
  • automatic mapping to JC types, e.g. Balance → short, Amount → byte

1000000
(short,short)
int
pervasive change in Java Card code
16
SmartSlang example e-wallet
explicit state components
17
SmartSlang example e-wallet
explicit symbolic commands with high-level
parameters (vs. APDU bytes in JC)
18
SmartSlang example e-wallet
  • familiar to developers
  • superset of subset of Java

simple Java-like expressions and statements
19
SmartSlang example e-wallet
explicit responses
20
SmartSlang example e-wallet
  • all type safety checked statically (conservatively)
  • catches user errors

type-safe assignment
21
SmartSlang example e-wallet
    type Balance = Int(0,MAX_BALANCE)
    type Amount = Int(1,MAX_AMOUNT)
    const MAX_BALANCE = 10000
    const MAX_AMOUNT = 100
    state Balance balance
    command credit(Amount amount)
        balance = balance + amount
    apdu 0x80,0x30,0,0,ubytes[AMOUNT_BYTES](amount),0
    const EXCEEDED_BALANCE = 0x6A84
    ...
  • all type safety checked statically (conservatively)
  • catches user errors

type-safe assignment
user gets warning
22
SmartSlang example e-wallet
  • all type safety checked statically (conservatively)
  • catches user errors
  • no runtime errors (e.g. array access)
  • type checker uses automated reasoning

type-safe assignment
no such thing in JC!
23
SmartSlang example e-wallet
declarative APDU encoding (vs. explicit
decoding/dispatch in JC)
lengthy, error-prone JC decoding/dispatching
code automatically generated
24
SmartSlang example e-wallet
amount encoded as byte
JC code to handle user input data errors (e.g. if amount > 100) automatically generated
25
e-wallet example
    const MAX_BALANCE = 10000
    const MAX_AMOUNT = 100
    type Balance = Int(0,MAX_BALANCE)
    type Amount = Int(1,MAX_AMOUNT)
    const BALANCE_BYTES = ubytes(MAX_BALANCE).length
    const AMOUNT_BYTES = ubytes(MAX_AMOUNT).length
    state Balance balance
    init()
        balance = 0
    bytes
    command credit(Amount amount)
        if (balance + amount <= MAX_BALANCE)
            balance = balance + amount
        else
            respond EXCEEDED_BALANCE
    apdu CLA,0x30,0,0,ubytes[AMOUNT_BYTES](amount),0
    command debit(Amount amount)
        if (balance - amount >= 0)
            balance = balance - amount
        else
            respond NEGATIVE_BALANCE
    apdu CLA,0x40,0,0,ubytes[AMOUNT_BYTES](amount),0
    command getBalance()
        respondok ubytes[BALANCE_BYTES](balance)
    apdu CLA,0x50,0,0,[],BALANCE_BYTES
    const CLA = 0x80
    const EXCEEDED_BALANCE = 0x6A84
    const NEGATIVE_BALANCE = 0x6A85
SmartSlang spec
26
e-wallet example
150 lines
40 lines
AUTOSMART
SmartSlang spec
(actual files font size 2)
27
e-wallet Java Card code
e-wallet
    ...
    void credit (APDU apdu) {
        byte[] buffer = apdu.getBuffer();
        // APDU checking: header parameters and declared data length
        if ((buffer[ISO7816.OFFSET_P1] != 0) || (buffer[ISO7816.OFFSET_P2] != 0))
            ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
        inDataLength = nonNegativeByte(buffer[ISO7816.OFFSET_LC]);
        if (inDataLength != 1)
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        receiveIncomingData(apdu);
        // APDU decoding: the amount is one unsigned byte, range-checked
        short amount = nonNegativeByte(inData[0]);
        if ((amount < 1) || (amount > 100))
            ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        // the command body proper
        if ((short)(balance + amount) <= MAX_BALANCE)
            balance = (short)(balance + amount);
        else
            ISOException.throwIt((short)EXCEEDED_BALANCE);
    }
    ...
Java Card code
28
e-wallet Java Card code
interesting computation
29
e-wallet Java Card code
APDU checking and decoding
30
SmartSlang counterpart
    ...
    command credit(Amount amount)
        if (balance + amount <= MAX_BALANCE)
            balance = balance + amount
        else
            respond EXCEEDED_BALANCE
    apdu 0x80,0x30,0,0,ubytes[AMOUNT_BYTES](amount),0
    ...
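An added illustration, not code from the slides or from AutoSmart: a Python model of the APDU checking and decoding that credit, debit and getBalance need, driven by a table that plays the role of the declarative apdu clauses. The class and function names, the `<=`/`>=` comparisons in the command bodies and the tolerance of one trailing Le byte are assumptions; the ISO 7816 status words are the standard values and the applet constants are those of the e-wallet spec.

```python
"""Table-driven APDU checking for the e-wallet commands (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# ISO 7816-4 status words (same values as javacard.framework.ISO7816)
SW_NO_ERROR = 0x9000
SW_WRONG_LENGTH = 0x6700
SW_WRONG_DATA = 0x6A80
SW_WRONG_P1P2 = 0x6B00
SW_INS_NOT_SUPPORTED = 0x6D00
SW_CLA_NOT_SUPPORTED = 0x6E00

# Constants taken from the e-wallet spec on the slides
CLA = 0x80
EXCEEDED_BALANCE = 0x6A84
NEGATIVE_BALANCE = 0x6A85
MAX_BALANCE = 10000
MAX_AMOUNT = 100


def ubytes_len(max_value: int) -> int:
    """Bytes needed to encode 0..max_value unsigned (models ubytes(x).length)."""
    return max(1, (max_value.bit_length() + 7) // 8)


AMOUNT_BYTES = ubytes_len(MAX_AMOUNT)
BALANCE_BYTES = ubytes_len(MAX_BALANCE)


@dataclass(frozen=True)
class CommandSpec:
    """One declarative 'apdu' clause: INS byte plus the typed parameter."""
    name: str
    ins: int
    param_bytes: int                        # declared width of the data field
    param_range: Optional[Tuple[int, int]]  # inclusive integer range, or None


SPECS = {s.ins: s for s in (
    CommandSpec("credit", 0x30, AMOUNT_BYTES, (1, MAX_AMOUNT)),
    CommandSpec("debit", 0x40, AMOUNT_BYTES, (1, MAX_AMOUNT)),
    CommandSpec("get_balance", 0x50, 0, None),
)}


class Wallet:
    def __init__(self) -> None:
        self.balance = 0

    # Command bodies: the only part written by hand in the spec.
    def credit(self, amount: int):
        if self.balance + amount <= MAX_BALANCE:
            self.balance += amount
            return b"", SW_NO_ERROR
        return b"", EXCEEDED_BALANCE

    def debit(self, amount: int):
        if self.balance - amount >= 0:
            self.balance -= amount
            return b"", SW_NO_ERROR
        return b"", NEGATIVE_BALANCE

    def get_balance(self):
        return self.balance.to_bytes(BALANCE_BYTES, "big"), SW_NO_ERROR

    def process(self, apdu: bytes):
        """Check and decode one short command APDU, then dispatch."""
        if len(apdu) < 4:
            return b"", SW_WRONG_LENGTH
        cla, ins, p1, p2 = apdu[:4]
        if cla != CLA:
            return b"", SW_CLA_NOT_SUPPORTED
        spec = SPECS.get(ins)
        if spec is None:
            return b"", SW_INS_NOT_SUPPORTED
        if p1 != 0 or p2 != 0:
            return b"", SW_WRONG_P1P2
        body = apdu[4:]
        if spec.param_bytes == 0:
            # No command data: at most a single Le byte may follow the header.
            if len(body) > 1:
                return b"", SW_WRONG_LENGTH
            return getattr(self, spec.name)()
        # Lc is sender-controlled: it must equal the declared width AND the
        # number of data bytes actually present (one optional Le byte after).
        if not body or body[0] != spec.param_bytes:
            return b"", SW_WRONG_LENGTH
        data = body[1:1 + spec.param_bytes]
        rest = body[1 + spec.param_bytes:]
        if len(data) != spec.param_bytes or len(rest) > 1:
            return b"", SW_WRONG_LENGTH
        value = int.from_bytes(data, "big")   # unsigned, like nonNegativeByte()
        low, high = spec.param_range
        if not low <= value <= high:
            return b"", SW_WRONG_DATA         # rejected before any state change
        return getattr(self, spec.name)(value)
```

Every rejection path returns before `balance` is touched, which is the property the generated decoding code has to guarantee for each command.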
31
SmartSlang example PKI
SmartSlang
32
SmartSlang example PKI
built-in key types
    type Key = RSAPrivateKey(1024)
    type Message = Byte[1024/8]
    type Pin = Byte[8]
    type PinState = enum blocked, notVerified(Int(1,3)), ...
    state Key key, Pin pin, PinState pinState, ...
    command privSignDecrypt(Message msg)
        if (pinState != verified)
            respond SW_SECURITY_NOK
        else
            respondok decrypt(key,msg)
    apdu 0x80,0x42,0,0,msg,1024/8
    secure command putPIN(Pin newPin)
        pin = newPin
        pinState = notVerified(3)
    apdu 0x80,0x22,0,0,newPin,0
    ...
automatic mapping to JC API classes
33
SmartSlang example PKI
built-in cryptographic functions (vs. multiple
API method calls in JC)
  • simple
  • automatic mapping to JC API method calls

34
SmartSlang example PKI
(tries left)
enumeration types
  • with arguments
  • automatic mapping to byte constants and auxiliary variables for arguments in JC

35
SmartSlang example PKI
spread change in Java Card code
construct for Global Platform secure channels (vs. multiple API method calls in JC)
  • simple, localized
  • automatic mapping to JC API method calls

36
SmartSlang example PKI
decryption result computed on the fly and
returned (vs. pre-allocated intermediate storage
in JC)
  • simple functional model
  • automatic mapping to pre-allocated
    intermediate storage in JC

automatic static storage management is
significant advantage for smart cards!
37
PKI example
    const KEY_SIZE = 1024 // in bits
    type KeyState = rec Bool isExponentSet, Bool isModulusSet
    const MSG_SIZE = KEY_SIZE / 8 // in bytes
    type Message = Byte[MSG_SIZE]
    const PIN_SIZE = 8
    type Pin = Byte[PIN_SIZE]
    const MAX_TRIES = 3
    type PinState = enum unset, notVerified(Int(1,MAX_TRIES)), verified, blocked
    const MAX_CERT_SIZE = 1000 // in bytes
    type Certificate = Byte[0..MAX_CERT_SIZE]
    const MAX_CERT_CHUNK_SIZE = 100 // in bytes
    type CertificateChunk = Byte[1..MAX_CERT_CHUNK_SIZE]
    const MAX_PROP_SIZE = 200 // in bytes
    type Properties = Byte[0..MAX_PROP_SIZE]
    type AppletState = enum personalization, deployment, updating

    state
        RSAPrivateKey(KEY_SIZE) key,
        KeyState keyState,
        Pin pin,
        PinState pinState,
        Int(0,MAX_CERT_SIZE) certSize,
        Certificate certificate,
        Properties properties,
        Int(0,MAX_CERT_SIZE) certBytesSent,
        AppletState appletState

    invariant appletState != deployment || (certBytesSent <= (certificate).length-1)

    init()
        /* The current definition of SmartSlang requires every state
           component to be initialized in the initialization block. This is
           a bit artificial for certain state components that are really
           initialized by commands, e.g. keys, forcing us to use meaningless
           values like all 0s. We may change the definition of SmartSlang to
           no longer require all state components to be initialized in the
           initialization block, while leaving the requirement that every
           state component must be initialized before it is used for the
           first time. Besides avoiding artificial initializations, this
           change would support better semantic checking of the SmartSlang
           spec, because presumably a key shouldn't be used before it is
           assigned a non-all-0s value. */
        key = RSAPrivateKey(KEY_SIZE) (repeat(0,KEY_SIZE/8), repeat(0,KEY_SIZE/8))
        keyState = KeyState(false,false)
        pin = repeat(0,8)
        pinState = unset
        certSize = 0
        certificate = []
        properties = []
        certBytesSent = 0
        appletState = personalization
    bytes

    command putExponent(Byte[KEY_SIZE/8] exp)
        if (appletState == deployment) respond SW_WRONG_STATE
        key = RSAPrivateKey(KEY_SIZE) (exp, key.modulus)
        keyState = KeyState (true, keyState.isModulusSet)
        // we may extend SmartSlang with direct assignments to record components
        // key.exponent = exp
        // keyState.isExponentSet = true
    apdu CLA, INS_PUT_EXP, P1, P2, exp, 0

    command putModulus(Byte[KEY_SIZE/8] mod)
        if (appletState == deployment) respond SW_WRONG_STATE
        key = RSAPrivateKey(KEY_SIZE) (key.exponent, mod)
        keyState = KeyState (keyState.isExponentSet, true)
    apdu CLA, INS_PUT_MOD, P1, P2, mod, 0

    command putPIN(Pin p)
        if (appletState == deployment) respond SW_WRONG_STATE
        pin = p
        pinState = notVerified(MAX_TRIES)
    apdu CLA, INS_PUT_PIN, P1, P2, p, 0

    command putCertificateSize(Int(1,MAX_CERT_SIZE) size)
        if (appletState == deployment) respond SW_WRONG_STATE
        certSize = size
        certificate = []
    apdu CLA, INS_CERT_SIZE, P1, P2, ubytes[2](size), 0

    command putCertificateChunk(CertificateChunk certChunk)
        if (appletState == deployment) respond SW_WRONG_STATE
        if (certSize == 0) respond SW_CERT_SIZE_UNSET
        if (certificate.length + certChunk.length > certSize)
            respond SW_CERTIFICATE_TOO_LARGE
        certificate = certificate + certChunk
    apdu CLA, INS_PUT_CERT, P1, P2, certChunk, 0

    command putProperties(Properties prop)
        if (appletState == deployment) respond SW_WRONG_STATE
        properties = prop
    apdu CLA, INS_PUT_PROP, P1, P2, prop, 0

    command unblockPIN()
        if (appletState != updating) respond SW_WRONG_STATE
        pinState = notVerified(MAX_TRIES)
    apdu CLA, INS_UNBLOCK, P1, P2, [], 0

    command deploy()
        if (appletState == deployment) respond SW_WRONG_STATE
        if (keyState == KeyState(true,true) &&
            pinState != unset &&
            certSize != 0 &&
            certificate.length == certSize &&
            properties != [])
            appletState = deployment
        else
            respond SW_UNFINISHED_PERSONALIZATION
    apdu CLA, INS_DEPLOY, P1, P2, [], 0

    command update()
        if (appletState != deployment) respond SW_WRONG_STATE
        appletState = updating
    apdu CLA, INS_UPDATE, P1, P2, [], 0

    command getCertificateChunk()
        if (appletState != deployment) respond SW_WRONG_STATE
        CertificateChunk chunk
        if (certificate.length - certBytesSent > MAX_CERT_CHUNK_SIZE)
            chunk = certificate[certBytesSent,MAX_CERT_CHUNK_SIZE]
            certBytesSent = certBytesSent + MAX_CERT_CHUNK_SIZE
        else
            chunk = certificate[certBytesSent..certificate.length-1]
            certBytesSent = certificate.length
        if (certificate.length - certBytesSent > MAX_CERT_CHUNK_SIZE)
            respond chunk, SW1_MORE_DATA, MAX_CERT_CHUNK_SIZE
        else if (certificate.length - certBytesSent > 0)
            respond chunk, SW1_MORE_DATA, certificate.length - certBytesSent
        else /* certificate.length == certBytesSent */
            certBytesSent = 0 // reset
            respondok chunk
    apdu CLA, INS_GET_CERT, P1, P2, [],
         (certificate.length - certBytesSent > MAX_CERT_CHUNK_SIZE) ?
             MAX_CERT_CHUNK_SIZE : certificate.length - certBytesSent

    command getProperties()
        if (appletState != deployment) respond SW_WRONG_STATE
        respondok properties
    apdu CLA, INS_GET_PROP, P1, P2, [], properties.length

    command pinVerify(Pin p)
        if (appletState != deployment) respond SW_WRONG_STATE
        switch (pinState)
            case verified:
                respondok
            case notVerified(triesLeft):
                if (p == pin)
                    pinState = verified
                    respondok
                else if (triesLeft > 1)
                    pinState = notVerified(triesLeft - 1)
                    respond [], SW1_WRONG_PIN, triesLeft
                else
                    pinState = blocked
                    respond SW_PIN_BLOCKED
            case blocked:
                respond SW_PIN_BLOCKED
            case unset:
                // cannot happen -- could be proved using state invariants
    apdu CLA, INS_VERIFY, P1, P2, p, 0

    command pinVerified()
        if (appletState != deployment) respond SW_WRONG_STATE
        switch (pinState)
            case verified:
                respondok
            case notVerified(triesLeft):
                respond [], SW1_TRIES_LEFT, triesLeft
            case blocked:
                respond SW_PIN_BLOCKED
            case unset:
                // cannot happen -- could be proved using state invariants
    apdu CLA, INS_VERIFIED, P1, P2, [], 0

    command privSignDecrypt(Message msg)
        if (appletState != deployment) respond SW_WRONG_STATE
        if (pinState != verified)
            respond SW_SECURITY_NOK
        else
            respondok rsa(key,msg)
    apdu CLA, INS_SIGN_DEC, P1, P2, msg, MSG_SIZE

    const CLA = 0x80
    const P1 = 0
    const P2 = 0
    const INS_PUT_EXP = 0x44
    const INS_PUT_MOD = 0x46
    const INS_PUT_PIN = 0x22
    const INS_CERT_SIZE = 0x3A
    const INS_PUT_CERT = 0x38
    const INS_PUT_PROP = 0x58
    const INS_UNBLOCK = 0x24
    const INS_DEPLOY = 0x70
    const INS_UPDATE = 0x72
    const INS_GET_CERT = 0x36
    const INS_GET_PROP = 0x56
    const INS_VERIFY = 0x20
    const INS_VERIFIED = 0x26
    const INS_SIGN_DEC = 0x42
    const SW_WRONG_STATE = 0x6985
    const SW_CERTIFICATE_TOO_LARGE = 0x6A80
    const SW_UNFINISHED_PERSONALIZATION = 0x6985
    const SW_PIN_BLOCKED = 0x6983
    const SW_SECURITY_NOK = 0x6982
    const SW_CERT_SIZE_UNSET = 0x6985
    const SW1_WRONG_PIN = 0x63
    const SW1_TRIES_LEFT = 0x63
    const SW1_MORE_DATA = 0x63

    select
        certBytesSent = 0 // reset
    deselect
        if (pinState == verified) pinState = notVerified(MAX_TRIES)
SmartSlang spec
38
PKI example
240 lines
700 lines
size(code)
3
size(spec)
AUTOSMART
Java Card code
SmartSlang spec
(actual files font size 1)
39
PKI
PKI Java Card code
    ...
    static byte[] _aux1;
    static Cipher rsaCipher;
    ...
    // intermediate storage is allocated once, not per command
    rsaCipher = Cipher.getInstance(Cipher.ALG_RSA_NOPAD,false);
    _aux1 = new byte[(short)128];
    ...
    void privSignDecrypt (APDU apdu) {
        byte[] buffer = apdu.getBuffer();
        // APDU checking and decoding
        if ((buffer[ISO7816.OFFSET_P1] != 0) || (buffer[ISO7816.OFFSET_P2] != 0))
            ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
        inDataLength = nonNegativeByte(buffer[ISO7816.OFFSET_LC]);
        if (inDataLength != 128)
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        receiveIncomingData(apdu);
        Util.arrayCopy(inData,(short)0,msg,(short)0,inDataLength);
        // the command body proper
        if (pinState.elem != PinState.verified)
            ISOException.throwIt(SW_SECURITY_NOK);
        else {
            rsaCipher.init(key,Cipher.MODE_DECRYPT);
            rsaCipher.doFinal(msg,(short)0,(short)128,_aux1,(short)0);
            sendOutgoingData(apdu, _aux1);
            return;
        }
    }
    ...
Java Card code
40
PKI Java Card code
intermediate storage pre-allocation
APDU checking and decoding
arrays accessed within bounds by construction
interesting computation
code for respondok decrypt(key,msg)
41
SmartSlang counterpart
    command privSignDecrypt(Message msg)
        if (pinState != verified)
            respond SW_SECURITY_NOK
        else
            respondok decrypt(key,msg)
    apdu 0x80,0x42,0,0,msg,1024/8
42
SmartSlang example PIN construct
SmartSlang
43
    pin p                                    // identifier (there may be multiple PINs)
        length 8                             // in bytes (determines strength)
        maxtries 3                           // before blocking
        protect privSignDecrypt,             // commands that require PIN
                getCertificate               //   to be verified first
        apdu verify 0x80,0x20,0,0            // APDU header for command to verify PIN (data = PIN)
        apdu set 0x80,0x22,0,0               // APDU header for command to (re)set PIN (data = PIN)
             secure                          // use secure channel

implicit state variables, commands, and checks in other commands
(tentative syntax)
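An added illustration, not part of the slides or of AutoSmart: a Python model of the PIN logic that the pin construct makes implicit and that the PKI spec writes out (pinVerify, privSignDecrypt, deselect), checked over every event trace up to a given length. The names are assumptions, appletState is taken to be deployment throughout, and `reset_on_deselect` is a hypothetical flawed variant included to show that the check catches a retry counter that is replenished on deselection.

```python
"""Bounded trace check of the PIN logic in the PKI spec (added example)."""
from itertools import product

MAX_TRIES = 3
SW_OK = 0x9000            # ISO 7816-4 "no error"
SW_PIN_BLOCKED = 0x6983   # the three values below are the spec's constants
SW_SECURITY_NOK = 0x6982
SW1_WRONG_PIN = 0x63


class PinApplet:
    """pinVerify / privSignDecrypt / deselect as written in the spec."""

    def __init__(self, reset_on_deselect=False):
        self.state = ("notVerified", MAX_TRIES)      # as left by putPIN
        self.reset_on_deselect = reset_on_deselect   # True = flawed variant

    def pin_verify(self, correct):
        if self.state[0] == "verified":
            return SW_OK
        if self.state[0] == "blocked":
            return SW_PIN_BLOCKED
        tries_left = self.state[1]
        if correct:
            self.state = ("verified",)
            return SW_OK
        if tries_left > 1:
            self.state = ("notVerified", tries_left - 1)
            return (SW1_WRONG_PIN << 8) | tries_left
        self.state = ("blocked",)
        return SW_PIN_BLOCKED

    def priv_sign_decrypt(self):
        return SW_OK if self.state[0] == "verified" else SW_SECURITY_NOK

    def deselect(self):
        flawed = self.reset_on_deselect and self.state[0] == "notVerified"
        if self.state[0] == "verified" or flawed:
            self.state = ("notVerified", MAX_TRIES)


EVENTS = ("good_pin", "bad_pin", "sign", "deselect")


def run(trace, **kw):
    """Feed a trace of events to a fresh applet; return (event, SW) pairs."""
    applet = PinApplet(**kw)
    observed = []
    for ev in trace:
        if ev == "good_pin":
            sw = applet.pin_verify(True)
        elif ev == "bad_pin":
            sw = applet.pin_verify(False)
        elif ev == "sign":
            sw = applet.priv_sign_decrypt()
        else:
            sw = applet.deselect()       # no response APDU: None
        observed.append((ev, sw))
    return observed


def violation(observed):
    """Judge a trace by its observable responses only; None means it is fine."""
    authenticated = False   # a good PIN was accepted since the last deselect
    wrong = 0               # wrong-PIN responses since the last accepted PIN
    blocked = False
    for ev, sw in observed:
        if ev == "deselect":
            authenticated = False
            continue
        if blocked and sw == SW_OK:
            return "success after the PIN was blocked"
        if sw == SW_PIN_BLOCKED:
            blocked = True
        if ev == "good_pin" and sw == SW_OK:
            authenticated, wrong = True, 0
        if ev == "sign" and sw == SW_OK and not authenticated:
            return "signature without PIN verification"
        if sw >> 8 == SW1_WRONG_PIN:
            wrong += 1
            if wrong > MAX_TRIES - 1:
                return "wrong guess number MAX_TRIES did not block the PIN"
    return None


def check_all_traces(depth, **kw):
    """Return every (trace, reason) of the given length that breaks a property."""
    failures = []
    for trace in product(EVENTS, repeat=depth):
        reason = violation(run(trace, **kw))
        if reason:
            failures.append((trace, reason))
    return failures
```

`check_all_traces(6)` returns an empty list for the logic as specified, while `check_all_traces(4, reset_on_deselect=True)` reports traces in which deselecting between guesses keeps the PIN from ever blocking.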
44
  • similar high-level constructs planned for
      • challenge-response authentication
      • piecewise data read/write
      • key establishment

estimated
?
45
SmartSlang
is SmartSlang just a macro language? is AutoSmart
just a macro expander?
46
is SmartSlang just a macro language? is AutoSmart
just a macro expander?
NO
  • expressive types, statically checked
  • automated reasoning
  • automatic static storage management by type
    analysis
  • APDU decoding/checking
  • non-local mapping of spec constructs into code

47
inside AutoSmart
AutoSmart
applet spec
applet code
AUTOSMART
48
inside AutoSmart
applet spec
applet code
AUTOSMART
49
applet spec
SPEC CHECKER
50
CODE GENERATOR
applet code
provable correctness?
SmartSlang semantics in logic
Java Card semantics in logic
SMARTSLANG → LOGIC
JAVA CARD → LOGIC
SmartSlang applet represented in logic
Java Card applet represented in logic
provable correctness
51
applet represented in logic
applet represented in logic
applet represented in logic
52
applet represented in logic
Metaslang, the specification language of
which is a form of higher-order logic
other choices are possible
53
?
applet represented in logic
54
applet
applet
55
applet
what is observable?
56
selection
applet
command (APDU)
initialization (w/ params.)
response (APDU)
deselection
type Event
  initialize InitParam
  process Command Response
  select
  deselect
type Command ...
type Response ...
type InitParam ...
57
selection
applet
command (APDU)
initialization (w/ params.)
response (APDU)
deselection
type Event
  initialize InitParam
  process Command Response
  select
  deselect
type Trace (Nat -> Event) orderOK?
type Trace Nat -> Event
op orderOK? (Nat -> Event) -> Boolean
def orderOK? tr embed? initialize (tr 0) ...
58
selection
applet
command (APDU)
initialization (w/ params.)
response (APDU)
deselection
type Event
  initialize InitParam
  process Command Response
  select
  deselect
type Trace (Nat -> Event) orderOK?
type Applet Set Trace
type Set a a -> Boolean
59
Applets spec
  type Event
    initialize InitParam
    process Command Response
    select
    deselect
  type Trace (Nat -> Event) orderOK?
  type Applet Set Trace
endspec
60
Applet spec
  import Applets
  op applet Applet
  def applet ...
endspec
61
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
62
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
63
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
FormalRelationship spec
endspec
64
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
FormalRelationship spec
  import Applet
endspec
65
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
FormalRelationship spec
  import Applet, Applet
endspec
66
applets have same observable behavior
FormalRelationship spec
  import Applet, Applet
  theorem applet applet
endspec
67
Applet spec
  import Applets
  type Aux
  op aux Aux
  ...
  op applet Applet
  def applet ...
endspec
defined in terms of SmartSlang
FormalRelationship spec
  import Applet, Applet
  theorem applet applet
endspec
68
SmartSlang
SmartSlang
69
SmartSlang
(simplified)
type Expression ...
type Statement ...
type Command ...
...
type Spec ...
op wellFormed? Spec -> Boolean
def wellFormed? ...
type WFSpec Spec wellFormed?
type Value ...
type State ...
op expSem Expression -> (State -> Value)
op stmSem Statement -> (State -> State)
...
70
SSApplets spec
  import SmartSlang
endspec
71
Applets spec
  type Event ...
  type Trace ...
  type Applet ...
endspec
SSApplets spec
  import SmartSlang, Applets
endspec
72
SSApplets spec
  import SmartSlang, Applets
  op appletOf WFSpec -> Applet
  def appletOf ...
endspec
SSApplet spec
  import SSApplets
  op appletSpec WFSpec
  def appletSpec ...
  op applet Applet
  def applet appletOf appletSpec
endspec
73
SSApplets spec
  import SmartSlang, Applets
  op appletOf WFSpec -> Applet
  def appletOf ...
endspec
SSApplet spec
  import SSApplets
  op appletSpec WFSpec
  def appletSpec ...
  op applet Applet
  def applet appletOf appletSpec
endspec
74
SmartSlang spec
(.ssl file)
x1
plus(var x, const 1)
SSApplet spec
  import SSApplets
  op appletSpec WFSpec
  def appletSpec ...
  op applet Applet
  def applet appletOf appletSpec
endspec
75
abstract syntax tree
SmartSlang spec
PARSER
META
(.ssl file)
Metaslang expression eSpec
SSApplet spec
  import SSApplets
  op appletSpec WFSpec
  def appletSpec ...
  op applet Applet
  def applet appletOf appletSpec
endspec
COPY PASTE
76
SmartSlang spec
(.ssl file)
Spec
e
SSApplet spec
  import SSApplets
  op appletSpec WFSpec
  def appletSpec
  op applet Applet
  def applet appletOf appletSpec
endspec
COPY PASTE
WFSpec
WFSpec < Spec
subtype proof obligation
wellFormed? e
77
abstract syntax tree
SmartSlang spec
PARSER
META
SS -> MS
Metaslang expression eSpec
Metaslang spec
proof obligation
SSApplet spec
  import SSApplets
  op appletSpec WFSpec
  def appletSpec e
  op applet Applet
  def applet appletOf appletSpec
endspec
COPY PASTE
78
(previously showed)
AUTOSMART
applet spec
applet code
SmartSlang semantics in logic
Java Card semantics in logic
SMARTSLANG -> LOGIC
JAVA CARD -> LOGIC
SmartSlang applet represented in logic
Java Card applet represented in logic
provable correctness
79
(previously showed)
AUTOSMART
applet spec
applet code
SmartSlang semantics in logic
Java Card semantics in logic
SMARTSLANG -> LOGIC
JAVA CARD -> LOGIC
fixed
SmartSlang applet represented in logic
Java Card applet represented in logic
provable correctness
80
AUTOSMART
applet spec
applet code
Java Card semantics in logic
SMARTSLANG -> LOGIC
JAVA CARD -> LOGIC
SmartSlang applet represented in logic
Java Card applet represented in logic
provable correctness
81
same for Java Card
Java Card
82
same for Java Card
JavaCard spec
  type Expression ...
  type Statement ...
  ...
  type Program ...
  op wellFormed? Program -> Boolean
  def wellFormed? ...
  op WFProgram Program wellFormed?
  type Object ...
  type Heap ...
  type State ...
  type Exception ...
  op expSem Expression -> ...
  op stmSem Statement -> ...
  ...
endspec
JCApplets spec
  import JavaCard, Applets
  op appletOf WFProgram -> Applet
  def appletOf ...
endspec
JCApplet spec
  import JCApplets
  op appletPrg WFProgram
  def appletPrg ...
  op applet Applet
  def applet appletOf appletPrg
endspec
83
same for Java Card
Java Card program
(.java file)
JCApplet spec
  import JCApplets
  op appletPrg WFProgram
  def appletPrg ...
  op applet Applet
  def applet appletOf appletPrg
endspec
COPY PASTE
84
same for Java Card
Java Card program
(.java file)
Program
e
JCApplet spec
  import JCApplets
  op appletPrg WFProgram
  def appletPrg
  op applet Applet
  def applet appletOf appletPrg
endspec
COPY PASTE
WFProgram
WFProgram < Program
subtype proof obligation
wellFormed? e
85
same for Java Card
abstract syntax tree
Java Card program
PARSER
META
JC -> MS
Metaslang expression eProgram
Metaslang spec
proof obligation
JCApplet spec
  import JCApplets
  op appletPrg WFProgram
  def appletPrg restrict e
  op applet Applet
  def applet appletOf appletPrg
endspec
COPY PASTE
86
(previously showed)
AUTOSMART
Java Card program
SmartSlang spec
proof
CHECKER
how does it work exactly?
yes/no
87
CHECKER
AUTOSMART
AUTOSMART
CHECKER
(not to scale)
88
CHECKER
SS
AUTOSMART
JC
89
CHECKER
SS
SS -> MS
AUTOSMART
WELL-FORMED?
prf
MS
SPEC CHECKER
y/n
BEHAVIOR?
AND
prf
y/n
y/n
CODE GENERATOR
y/n
WELL-FORMED?
MS
prf
JC
JC -> MS
90
CHECKER
SS
AUTOSMART
prf
prf
y/n
prf
JC
91
CHECKER
SS
prf
y/n
simple?
JC
92
CHECKER
SS
SS -> MS
proof checker for Metaslang
WELL-FORMED?
MS
(unavoidable)
y/n
trivial
BEHAVIOR?
AND
prf
y/n
y/n
y/n
WELL-FORMED?
MS
JC
JC -> MS
93
SS -> MS
SS/JC -> MS
SS/JC
MS
JC -> MS
94
COPY PASTE
META
PARSER
SS/JC
MS
trivial
very simple
relatively simple
can be made simpler
95
(previously showed)
SmartSlang spec
  import SmartSlang
endspec
96
SmartSlang spec
  import SmartSlang
  op parse String -> Option Spec
  def parse ...
endspec
97
SmartSlang spec
  import SmartSlang
  op parse String -> Option Spec
  def parse ...
  op denotesWFSpec? String -> Boolean
  def denotesWFSpec? str
    case parse str of
      Some spc -> wellFormed? spc
      None -> false
endspec
98
SmartSlang spec
  import SmartSlang
  op parse String -> Option Spec
  def parse ...
  op denotesWFSpec? String -> Boolean
  def denotesWFSpec? str
    case parse str of
      Some spc -> wellFormed? spc
      None -> false
  type WFSpecString String denotesWFSpec?
endspec
SSApplets spec
  import SmartSlang, Applets
endspec
99
SSApplets spec
  import SmartSlang, Applets
  op appletOf WFSpecString -> Applet
  def appletOf ...
endspec
SSApplet spec
  import SSApplets
  op appletStr WFSpecString
  def appletStr ...
  op applet Applet
  def applet appletOf appletStr
endspec
as before but spec -> string
100
SmartSlang spec
SSApplet spec
  import SSApplets
  op appletStr WFSpecString
  def appletStr ...
  op applet Applet
  def applet appletOf appletStr
endspec
101
SmartSlang spec
SmartSlang spec
SS -> MS
SSApplet spec
  import SSApplets
  op appletStr WFSpecString
  def appletStr
  op applet Applet
  def applet appletOf appletStr
endspec
102
SmartSlang spec
SmartSlang spec
trivial copy paste
SS -> MS
Metaslang spec
SSApplet spec
  import SSApplets
  op appletStr WFSpecString
  def appletStr
  op applet Applet
  def applet appletOf appletStr
endspec
SmartSlang spec
103
SmartSlang spec
SmartSlang spec
SmartSlang spec
Java Card program
trivial copy paste
SS -> MS
JC -> MS
Metaslang spec
Metaslang spec
proof obligations include parsing
104
(previously showed)
AUTOSMART
SPEC CHECKER
CODE GENERATOR
SS
JC
SS -> MS
prf
WELL-FORMED?
MS
y/n
105
AUTOSMART
SPEC CHECKER
CODE GENERATOR
SS
JC
106
(checked)
CODE GENERATOR
JC
SS
JC -> MS
prf
prf
WELL-FORMED?
MS
y/n
107
(checked)
CODE GENERATOR
JC
SS
JC -> MS
SS -> MS
prf
BEHAVIOR?
MS
MS
y/n
108
CODE GENERATOR
JC
SS
CODE GENERATOR
proof
109
CODE GENERATOR
STEP 1
STEP 2
JC
SS

proof
110
more steps => easier proofs
CODE GENERATOR
STEP 1
STEP 2
STEP 3
STEP 4
JC
SS

proof
111
STEP 3
. . . . . . . . . . .
JC
SS
within SmartSlang
within Java Card
language change
declarative transformations?
112
example of transformation proof
transformation
113
example of transformation proof
e -> e
(SS or JC expressions)
(proof depends on e and e)
?
fa(a,x,y) expSem x expSem y => appletOf a appletOf ax/y
(proved once and for all)
instantiation modus ponens
114
approach is more general than smart card applets
L1 -> L2
L2
L1
languages L1 L2
translation L1 -> L2
(possibly L1 L2)
e.g.
  • compilers
  • code generators
  • theorem prover interfaces