Martijn Oostdijk

Foundations of attack trees

Attack trees have found their way to practice because they have proved to be an intuitive aid in threat analysis. Despite, or perhaps thanks to, their apparent simplicity, they have not yet been provided with an unambiguous semantics. We argue that such a formal interpretation is indispensable to precisely understand how attack trees can be manipulated during construction and analysis. We provide a denotational semantics, based on a mapping to attack suites, which abstracts from the internal structure of an attack tree, we study transformations between attack trees, and we study the attribution and projection of an attack tree.

Crossing borders: security and privacy issues of the european e-passport

The first generation of European e-passports will be issued in 2006. We discuss how borders are crossed regarding the security and privacy erosion of the proposed schemes, and show which borders need to be crossed to improve the security and the privacy protection of the next generation of e-passports. In particular we discuss attacks on Basic Access Control due to the low entropy of the data from which the access keys are derived, we sketch the European proposals for Extended Access Control and the weaknesses in that scheme, and show how fundamentally different design decisions can make e-passports more secure.

Implementing a Formally Verifiable Security Protocol in Java Card

This paper describes a case study in refining an abstract security protocol description down to a concrete implementation on a Java Card smart card. The aim is to consider the decisions that have to be made in the development of such an implementation in a systematic way, and to investigate the possibilities of formal specification and verification in the design process and for the final implementation.

The KOA remote voting system: a summary of work to date

Remote internet voting incorporates many of the core challenges of trusted global computing. In this paper, we present the Kiezen op Afstand (KOA) system. KOA is a Free Software, remote voting system developed for the Dutch government in 2003/2004. In addition to being Open Source, it is also partially formally specified and verified. This paper summarises the work carried out to date on the KOA system. It charts the evolution of the system, from its initial conception by the Dutch Government, through to its current status. It also describes a roadmap of milestones towards completing its next release: a Free Software, general-purpose, formally specified and verified internet voting system, that incorporates Proof Carrying Code technology for software update and allows trustworthy voting from a mobile phone. We propose that the KOA system should be used as an experimental platform for research in electronic and internet voting; we are not saying that we have solved any of the major problems inherent in voting with computers.

Source code verification of a secure payment applet

Abstract This paper discusses a case study in formal verification and development of secure smart card applications. An elementary Java Card electronic purse applet is presented whose specification can be simply formulated as “in normal operation, the applet’s balance field can only be decreased, never increased”. The applet features a challenge-response mechanism which allows legitimate terminals to increase the balance by putting the applet into a special operation mode. A systematic approach is used to guarantee a secure flow of control within the applet: appropriate transition properties are first formalized as a finite state machine, then incorporated in the specification, and finally formally verified using the Loop translation tool and the PVS theorem prover.

Counting Votes with Formal Methods

This abstract provides some background information about the electronic voting experiment that is planned in the Netherlands for the European Elections of 2004, and about our own involvement in the infrastructure for this experiment. The talk will elaborate further about the computer security issues involved, especially with respect to the use of formal methods for vote counting software.

Formal techniques in a remote voting system

Kiezen op Afstand (KOA) is a Free Software, remote voting system developed for the Dutch government in 2003/2004. In addition to being Open Source, key components have been, or are currently being formally specified and verified. These include a tally system and a modeling of the Irish electoral system. In this paper, we describe the formal techniques incorporated during the development of components of the KOA system. It also includes continuing work including the development of a platform for trustworthy voting from a mobile phone.