A Formal Executable Semantics of the JavaCard Platform
ESOP '01 Proceedings of the 10th European Symposium on Programming Languages and Systems
On the secure implementation of security protocols
Science of Computer Programming - Special issue on 12th European symposium on programming (ESOP 2003)
Decidability and proof systems for language-based noninterference relations
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Enforcing robust declassification and qualified robustness
Journal of Computer Security - Special issue on CSFW17
Cryptographically-masked flows
Theoretical Computer Science
On Practical Information Flow Policies for Java-Enabled Multiapplication Smart Cards
CARDIS '08 Proceedings of the 8th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Automated Analysis of Java Methods for Confidentiality
CAV '09 Proceedings of the 21st International Conference on Computer Aided Verification
Declassification: Dimensions and principles
Journal of Computer Security - 18th IEEE Computer Security Foundations Symposium (CSF 18)
On the secure implementation of security protocols
ESOP'03 Proceedings of the 12th European conference on Programming
Cryptographically-Masked flows
SAS'06 Proceedings of the 13th international conference on Static Analysis
Bridging language-based and process calculi security
FOSSACS'05 Proceedings of the 8th international conference on Foundations of Software Science and Computation Structures
Security-typed languages for implementation of cryptographic protocols: a case study
ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
Hi-index | 0.00 |
We propose an approach to support confidentiality for mobile implementations of security-sensitive protocols using Java/JVM. An applet, which receives and passes on confidential information onto a public network, has a rich set of direct and indirect channels available to it. The problem is to constrain applet behavior to prevent those leakages that are unintended while preserving those that are specified in the protocol. We use an approach based on the idea of correlating changes in observable behavior with changes in input. In the special case where no changes in (low) behavior are possible we retrieve a version of noninterference. Mapping our approach to JVM a number of particular concerns need to be addressed, including the use of object libraries for IO, the use of labeling to track input/output of secrets, and the choice of proof strategy. We use the bisimulation proof technique. To provide user feedback we employ a variant of proof-carrying code to instrument a security assistant which will let users of an applet inquire about its security properties such as the destination of data input into different fields.