Verification of a Formal Security Model for Multiapplicative Smart Cards

Schellhorn, Gerhard; Reif, Wolfgang; Schairer, Axel; Karger, Paul A.; Austel, Vernon; Toll, David C.

doi:10.1007/10722599_2

Cited by 40 publications

(36 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There were investigations [12,21,22,23] of static scenarios, when all applets are known and the composition is analyzed off-device. For example, Avvenuti et al [24] have developed the JBIFV tool which verifies whether a JC applet respects pre-defined information flow policies.…”

Section: Related Workmentioning

confidence: 99%

Load time code validation for mobile phone Java Cards

Gadyatskaya

Massacci

Nguyen³

et al. 2013

Journal of Information Security and Applications

View full text Add to dashboard Cite

Over-the-air (OTA) application installation and updates have become a common experience for many endusers of mobile phones. In contrast, OTA updates for applications on the secure elements (such as smart cards) are still hindered by the challenging hardware and certification requirements.The paper describes a security framework for Java Card-based secure element applications. Each application can declare a set of services it provides and a set of services it wishes to call, and its own security policy. An on-card checker verifies compliance and enforces the policy; thus an off-card validation of the application is no longer required.The framework has been optimized in order to be integrated with the run-time environment embedded into a concrete card. This integration has been tried and tested by a smart card manufacturer. In this paper we present the formal security model of the approach, its overall architecture and the implementation footprint which can fit on a real secure element. We also report the lessons learned and the intricacies of integrating a research prototype with a protected loader of the manufacturer.

show abstract

Section: Related Workmentioning

confidence: 99%

Load time code validation for mobile phone Java Cards

Gadyatskaya

Massacci

Nguyen³

et al. 2013

Journal of Information Security and Applications

View full text Add to dashboard Cite

show abstract

“…These multi-level functions can be modeled by trusted subjects that have a label range spanning multiple nodes of the lattice. [47][10] [20] [40] It is a significant distinction that trusted subjects do not violate the security policy: rather their defined behavior is an explicit part of the security policy, as follows. The set of flows allowed by the system MLS security policy is the union of: (a) the flows allowed by the strict MLS policy; and (b) the set of flows defined to be allowed for the system's trusted subjects (here, called the relaxed MLS policy).…”

Section: Trusted Subjectsmentioning

confidence: 99%

Analysis of three multilevel security architectures

Levin

Irvine

Weissman

et al. 2007

Proceedings of the 2007 ACM Workshop on Computer Security Architecture

View full text Add to dashboard Cite

Various system architectures have been proposed for high assurance enforcement of multilevel security. This paper provides an analysis of the relative merits of three architectural types -one based on a security kernel, another based on a traditional separation kernel, and a third based on a least-privilege separation kernel. We introduce the Least Privilege architecture, which incorporates security features from the recent "Separation Kernel Protection Profile," and show how it can provide several unique aspects of security and assurance, although each architecture has advantages.

show abstract

“…It does not describe the granularity of control required to represent the principle of least privilege. Schellhorn, et al [41] describe a formal model that includes non-interference between blocks (called "applications"), as well as a mandatory access control (MAC) policy regarding both confidentiality and integrity for references to resources within a block. There is one subject per block, which is associated with a set of private resources ("files").…”

Section: Separation Kernel Formal Modelsmentioning

confidence: 99%

A Least Privilege Model for Static Separation Kernels

Levin¹,

Irvine²,

Nguyen³

2004

View full text Add to dashboard Cite

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 15 October 2004 REPORT TYPE AND DATES COVEREDFindings; 10/1/03 -9/31/04 TITLE AND SUBTITLE A Least Privilege Model for Static Separation Kernels FUNDING AUTHOR(S)Timothy E. Levin and Cynthia E. Irvine and Thuy D. Nguyen NSA Contract H98230-V0-04-0023 PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)Center for SUPPLEMENTARY NOTESAny opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Security Agency. 12a. DISTRIBUTION/AVAILABILITY STATEMENTApproved for public release; distribution is unlimited 12b. DISTRIBUTION CODE ABSTRACT (Maximum 200 words.)We extend the separation kernel abstraction to represent the enforcement of the principle of least privilege. In addition to the inter-block flow control policy prescribed by the traditional separation kernel paradigm, we describe an orthogonal finer-grained flow control policy by extending the protection of elements to subjects and resources, as well as blocks, within a partitioned system. We show how least privilege applied to the actions of subjects and resources provides enhanced protection for secure systems, and how only "trusted subjects" may cause certain information flows between partitions. A high assurance separation kernel based on least privilege can provide all of the functionality and protection of the traditional separation kernel, combined with a high level of confidence that the effects of subjects' activities can be minimized to their intended scope.

show abstract

Verification of a Formal Security Model for Multiapplicative Smart Cards

Cited by 40 publications

References 3 publications

Load time code validation for mobile phone Java Cards

Load time code validation for mobile phone Java Cards

Analysis of three multilevel security architectures

A Least Privilege Model for Static Separation Kernels

Contact Info

Product

Resources

About