Wolfgang Raschke

Supporting evolving security models for an agile security evaluation

At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In todays volatile markets customers want to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash with traditional security design and evaluation processes. In this paper, we propose an agile security evaluation method for the Common Criteria standard. This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree.

A Defensive Virtual Machine Layer to Counteract Fault Attacks on Java Cards

The objective of Java Cards is to protect security-critical code and data against a hostile environment. Adversaries perform fault attacks on these cards to change the control and data flow of the Java Card Virtual Machine. These attacks confuse the Java type system, jump to forbidden code or remove run-time security checks. This work introduces a novel security layer for a defensive Java Card Virtual Machine to counteract fault attacks. The advantages of this layer from the security and design perspectives of the virtual machine are demonstrated. In a case study, we demonstrate three implementations of the abstraction layer running on a Java Card prototype. Two implementations use software checks that are optimized for either memory consumption or execution speed. The third implementation accelerates the run-time verification process by using the dedicated hardware protection units of the Java Card.

Embedding research in the industrial field: a case of a transition to a software product line

Java Cards [4, 5] are small resource-constrained embedded systems that have to fulfill rigorous security requirements. Multiple application scenarios demand diverse product performance profiles which are targeted towards markets such as banking applications and mobile applications. In order to tailor the products to the customers needs we implemented a Software Product Line (SPL). This paper reports on the industrial case of an adoption to a SPL during the development of a highly-secure software system. In order to provide a scientific method which allows the description of research in the field, we apply Action Research (AR). The rationale of AR is to foster the transition of knowledge from a mature research field to practical problems encountered in the daily routine. Thus, AR is capable of providing insights which might be overlooked in a traditional research approach. In this paper we follow the iterative AR process, and report on the successful transfer of knowledge from a research project to a real industrial application.

Patterns of Software Modeling

Software systems start small and grow in complexity and size. The larger a software system is, the more it is distributed over organizational and geographical confines. Thus, the modeling of software systems is necessary at a certain level of complexity because it can be used for communication, documentation, configuration and certification purposes. We came to the conclusion that several patterns of software modeling exist. The existence of such patterns is dependent on the history and the evolution of the system under consideration. We will show that a software system in its lifecycle has to face several crises. Such a crisis is a watershed in the application of new patterns. We provide an evolutionary view of software systems and models which helps understanding of current problems and prospective solutions.

On the dictionary compression for Java card environment

Java Card is a Java running environment developed for low-end embedded systems such as smart cards. In this context of scarce resources, ROM size plays a very important role and compression techniques help reducing program sizes as much as possible. Dictionary compression is the most promising technique and has been taken in consideration in this field by several authors. Java Card can adopt a dictionary compression scheme, substituting repeated sequences of bytecodes with new macros stored into a dictionary. This approach does not break the Java Card standard, but requires the use of an ad hoc Java virtual machine and an additional custom component in the converted applet (CAP) file. This paper presents two derived compaction techniques and discusses two scenarios: the first adopts an adaptive (dynamic) dictionary, while the second uses a static one. Although the base dictionary compression technique performs better with an adaptive dictionary, the two proposed techniques perform very close to the base one with a static dictionary. Moreover, we present a different compression mechanism based on re-engineering the CAP file through subroutines. This last technique achieves a higher compression rate, but it is fully compliant with the existing Java Card environments.

Evaluation paradigm selection according to Common Criteria for an incremental product development

Today, agile product development techniques are widely used providing a rapidly and steadily progression of incremental product improvements. Traditionally, a product certification is issued in a late stage of the development process, although some Common Criteria evaluation paradigm would exists to support an agile or modular development process. The usage of such a paradigm would result in a beneficial certification process, since the evaluator gains experience through the maturing product. To provide a systematic way to integrate the evaluation process into the development process — and thus saving money and time — we have identified use case scenarios with the according evaluation paradigm, providing a selection scheme for the right paradigm.

Patterns for common criteria certification

One step in the development of certifiable secure systems is to provide trust in the development process and in the implemented security mechanisms of the product. In the domain of information technology, the Common Criteria schemes are used to evaluate the implemented security mechanisms of a product. Traditionally, a product certification is issued at a late stage of the development process, even though some Common Criteria evaluation paradigm exists to support the development process. The usage of such a paradigm would result in a beneficial certification process, since the evaluator gains experience through the maturing product. We have identified patterns which are designed to support the development process of secure applications. Based on these patterns, a systematic approach to integrate the evaluation process into the development process can be defined.

Hardware/software co-design for a high-performance Java Card interpreter in low-end embedded systems

Java Card is a Java running environment specific for smart cards. In such low-end embedded systems, the execution time of the applications is an issue of first order. One of the components of the Java Card Virtual Machine (JCVM) playing an important role in the execution speed is the bytecode interpreter. In Java systems the main technique for speeding-up the interpreter execution is the Just-In-Time compilation (JIT), but this resource consuming technique is inapplicable in systems with as restricted resources available as in smart cards.This paper presents a hardware/software co-design solution for the performance improvement of the interpreter. In the software domain, we adopted a pseudo-threaded code interpreter that allows a better run-time performance with a small amount of additional code. In the hardware domain, we proceeded moving parts of the interpreter into hardware, giving origin to a Java Card interpreter based on an application specific instruction set processor.

Where does all this waste come from

Agile development processes are more flexible than conventional ones. They emphasize iterative development and learning over feedback loops. Nevertheless, we experienced some pitfalls in the application of agile processes in dependable software systems. We present here the experiences we gathered in the construction of high‐quality industrial software. Moreover, we will digest our experiences into a conceptual model of waste creation. This model will be refined to a case study where we take appropriate measurements in order to provide empirical evidence for it. Finally, we discuss the implications of the developed model, which helps to estimate the trade‐off between agile and traditional software processes. Copyright

Test-driven migration towards a hardware-abstracted platform

Platform-based development is one of the most successful paradigms in software engineering. In embedded systems, the reuse of software on several processor families is often abandoned due to the multitude of compilers, processor architectures and instruction sets. In practice, we experienced that a lack of hardware abstraction leads to non-reusable test cases. We will demonstrate a re-engineering process that follows test-driven development practices which fits perfectly for migration activities. Moreover, we will introduce a process that provides trust for the test cases on a new hardware.