The Java Card API provides a framework of classes and interfaces that hides the details of the underlying smart card interface, thus relieving developers from going through the swamps of microcontroller programming. This allows application developers to concentrate most of their effort on the details of the application, assuming proper use of the Java Card API calls regarding (i) the correctness of the methods' invocation targets and their arguments and (ii) temporal safety, i.e. the requirement that certain method calls have to be used in certain orders. Several characteristics of Java Card applets and their multiple-entry-point program structure make it possible for a potentially unhandled exception to reach the invoked entry point. This contingency can leave the applet in an unpredictable state that is potentially dangerous for the application's security. Our work introduces automatic static program analysis as a means for the early detection of misused and therefore dangerous API calls. The analyses shown have been implemented within the FindBugs bug detector, an open source framework that applies static analysis functions to the applet bytecode.