Antoine Requet

JACK: a tool for validation of security and behaviour of Java applications

We describe the main features of JACK (Java Applet Correctness Kit), a tool for the validation of Java applications, annotated with JML specifications. JACK has been especially designed to improve the quality of trusted personal device applications. JACK is fully integrated with the IDE Eclipse, and provides an easily accessible user interface. In particular, it allows to inspect the generated proof obligations in a Java syntax, and to trace them back to the source code that gave rise to them. Further, JACK provides support for annotation generation, and for interactive verification. The whole platform works both for source code and for bytecode, which makes it particularly suitable for a proof carrying code scenario.

Adaptable Translator of B Specifications to Embedded C Programs

This paper presents the results of the RNTL BOM project, which aimed to develop an approach to generate efficient code from B formal developments. The target domain is smart card applications, in which memory and code size is an important factor. The results detailed in this paper are a new architecture of the translation process, a way to adapt the B0 language in order to include types of the target language and a set of validated optimizations. An assessment of the proposed approach is given through a case study, relative to the development of a Java Card Virtual Machine environment.

Formal development of an embedded verifier for Java Card byte code

The Java security policy is implemented by security components such as the Java Virtual Machine (JVM), the API, the verifier, the loader. It is of prime importance to ensure that the implementation of these components is in accordance with their specifications. Formal methods can be used to bring the mathematical proof that the implementation of these components corresponds to their specification. In the paper, a formal development is performed on the Java Card byte code verifier using the B method. The whole Java Card language is taken into account in order to provide realistic metrics on formal development. The architecture and the tricky points of the development are presented. This formalization leads to an embeddable implementation of the byte code verifier thanks to automatic code translation from formal implementation into C code. We present the formal models, discuss the integration into the card and the results of such an experiment.

Formal Proof of Smart Card Applets Correctness

The new Gemplus smart card is based on the Java technology, embedding a virtual machine. The security policy uses mechanisms that are based on Java properties. This language provides segregation between applets. But due to the smart card constraints a byte code verifier can not be embedded. Moreover, in order to maximise the number of applets the byte code must be optimised. The security properties must be guaranteed despite of these optimisations. For this purpose, we propose an original manner to prove the equivalence between the interpreter of the JVM and our Java Card interpreter. It is based on the refinement and proof process of the B formal method.

Java Card Code Generation from B Specifications

The French BOM (B with Optimised Memory) project has analysed issues related to code generation from B specifications. This analysis was built upon the shortcoming of the existing translators, and led to proposals to generate optimised code suitable for embedding in highly memory-constrained devices, such as smart cards. Two code translators have been developed: one targetting C, suitable for system or virtual machine development; the second targetting object oriented languages. This second translator enables the writing of Java Card applications. This paper presents results of the BOM project related to the Open-Source Java/Java Card translator.

Formal proofs for the NYCT line 7 (flushing) modernization project

The New York City Transit Authority has included formal proofs at system level as part of the safety assessment for its New York subway Line 7 modernization project, based on the CBTC from Thales Toronto. ClearSy carries out these proofs. In this paper, we describe the expected results and benefits of such proofs. We also discuss the methodology, in particular the importance of obtaining a natural language precursor for proofs. This step is paramount to find the simplest reasons why the design ensures the wanted properties.

Extending B with control flow breaks

This paper describes extensions of the B language concerning control flow breaks in implementations and specification of operations with exceptional behaviors. It does not claim to define those extensions in a pure formal and complete way. It is rather a presentation of what could be done and how it could be done. A syntax is proposed and proof obligations are defined using a weakest precondition calculus extended to deal with abrupt termination. Examples emphasizing the advantages of these extensions are also given.