Static analysis of programs is a proven technology in the implementation of compilers and interpreters. Recent years have begun to see application of static analysis techniques in novel areas such as software validation (for example Ariane V) and software re-engineering (for example the Y2K problem). This project will demonstrate that static analysis technology facilitates the validation of systems based on the Internet and on smart cards. Static analysis of programs is a proven technology in the implementation of compilers and interpreters. Recent years have begun to see application of static analysis techniques in novel areas such as software validation (for example Ariane V) and software re-engineering (for example the Y2K problem). This project will demonstrate that static analysis technology facilitates the validation of systems based on the Internet and on smart cards.
The objective of the project is to assess the scalability of static analysis technology to the validation of security and safety aspects of realistic languages and applications. We have identified two domains where security is all-important: smart cards and Internet programming. We intend to develop methods that apply to both domains by focussing a substantial part of our efforts on the Java programming language and its dialect Java Card, treating source-level as well as bytecode-level applications.
DESCRIPTION OF WORK
The project has 4 main tasks:
1. Specification of Security Properties:
The objective of this task is to determine the most appropriate way of expressing the dynamic properties of interest for security and safety. We have some experience of using a linear-time temporal logic over program traces for expressing a variety of security properties. This task is an investigation of the scalability and extension of these techniques to realistic case studies.
2. Static Analysis: The focal point of the project is the development of analyses that, on the one hand, provide useful information for the security and safety of systems and, on the other hand, are able to deal with large programs that are subsequently modified. A number of promising approaches exist for developing suitable analyses with varying degrees of precision and cost: e.g. Type and Effect Systems and Flow Logics. Aspects of analysis techniques that are important are modularity and expressibility of control flow analysis.
3. Algorithms and Tools: The implementation of static analyses eventually boils down to constraint solving. We will aim at adapting general tools, which are already available rather than performing ad hoc developments of new tools. As we extend our analysis techniques to cope with larger languages, we may also need to extend the state-of-the-art in constraint solving.
4. Semantics: This task has two sub-parts: modularising semantic specifications and correctness proofs; and semantic specification of security-specific aspects of Java and Java Card. Key technical challenges involve developing good semantic accounts of visibility modifiers and shareable interfaces.
We have defined an abstraction of Java Card Virtual Machine (JCVM) Language, called Carmel, which simplifies analysis and semantics issues while retaining all the expressive power and features of Java Card.We have defined a comprehensive operational semantics for Carmel that addresses not only the virtual machine but also issues related to the Java Card Runtime Environment (JCRE) and Application Programming Interface (JCAPI). We have developed an automatic translator from Java Card to Carmel. It ensures that any tool operating on Carmel applications can also be applied to Java Card applications. We have identified a number of security properties that are typically of interest for applications in the banking area. We have specified and implemented a demonstrative Java Card application to exercise our prototypes. This application (called Demoney) is an electronic purse. Although very basic, it is a realistic representative of similar applications in the banking area, as far as program analysis issues are concerned.
We have shown that flow logic provides a versatile specification language for formalising security properties. We have also shown how Linear Temporal Logic can be used to validate service control properties based on stack inspection. We have proven our flow logic analysis correct with respect to the semantics. We have developed an approach to modular analyses. We have also extended the Succinct Solver to support dynamic universes; this allows partial solutions to be extended when new queries are added. We have developed a new quantitative approach to security analysis which replaces the classical notion of safety (used in program analysis) by "closeness"; this allows us to measure how vulnerable a system might be. We have shown how the hardest attacker approach can be used to detect reference leaks. We have produced a prototype which integrates some of the analyses that we have specified.
Funding SchemeCSC - Cost-sharing contracts
2800 Kgs. Lyngby
78153 Le Chesnay