security by contract for applications evolution in multi
play

Security-by-Contract for Applications Evolution in Multi-Application - PowerPoint PPT Presentation

Jan 16, 2023 •116 likes •475 views

DTU Informatics Department of Informatics and Mathematical Modelling Security-by-Contract for Applications Evolution in Multi-Application Smart Cards Nicola Dragoni ndra@imm.dtu.dk http://www2.imm.dtu.dk/~ndra Embedded Systems Engineering

  1. DTU Informatics Department of Informatics and Mathematical Modelling Security-by-Contract for Applications’ Evolution in Multi-Application Smart Cards Nicola Dragoni ndra@imm.dtu.dk http://www2.imm.dtu.dk/~ndra Embedded Systems Engineering (ESE) Section DTU Informatics Technical University of Denmark (DTU) 02234 - Autumn 2010

  2. DTU Informatics Department of Informatics and Mathematical Modelling Talk Outline ‣ Domain: multi-application smart cards ‣ Problem: supporting applications’ evolution ‣ Approach: Security-by-Contract (key idea) Smart Card 2 02234 - Autumn 2010

  3. DTU Informatics Department of Informatics and Mathematical Modelling Multi-Application Smart Cards • Multi-application smart cards: several applications run on the same card • Applications (Web clients and servers) are owned and asynchronously controlled by different stakeholders • Applications can dynamically be loaded, changed and removed during the active life of the card Smart Card 3 02234 - Autumn 2010

  4. DTU Informatics Department of Informatics and Mathematical Modelling JAVA CARD = JRE + GLOBALPLATFORM • GlobalPlatform = Middleware (with Open Specifications) ‣ Lots of smart card deployed with those specifications • Java Card = GlobalPlatform + Java Runtime Environment ‣ Support loading and unloading of many applications on the fly and asynchronously ‣ Allow interactions among applications on the card (through Shareable Interface inherited services) 4 02234 - Autumn 2010

  5. DTU Informatics Department of Informatics and Mathematical Modelling JAVA CARD = JRE + GLOBALPLATFORM • GlobalPlatform = Middleware (with Open Specifications) ‣ Lots of smart card deployed with those specifications • Java Card = GlobalPlatform + Java Runtime Environment ‣ Support loading and unloading of many applications on the fly and asynchronously ‣ Allow interactions among applications on the card (through Shareable Interface inherited services) • Still/Yet/But… ‣ There is NO fielded open multi-application smart card 4 02234 - Autumn 2010

  6. DTU Informatics Department of Informatics and Mathematical Modelling The Card Platform Applications run in dedicated security domains. The name is evocative of a separate space (such as in a virtual machine) but in reality a domain just supports some security services... 5 02234 - Autumn 2010

  7. DTU Informatics Department of Informatics and Mathematical Modelling Security Domains??!! From GP specification: Security Domains act as the on-card representatives of off-card authorities. Security Domains support security services such as key handling, encryption, decryption, digital signature generation and verification for their providers' (Card Issuer, Application Provider or Controlling Authority) applications. Each Security Domain is established on behalf of a Card Issuer, an Application Provider or a Controlling Authority when these off-card entities require the use of keys that are completely isolated from each other. 6 02234 - Autumn 2010

  8. DTU Informatics Department of Informatics and Mathematical Modelling Problem: Control of Interactions Among Applications • Policy for security domains: ‣ Only Bank can be called by Transport ‣ Transport will only call Bank • Policy for applications: ‣ EMV@Bank will only be called by ePurse@Bank ‣ ePurse@Bank can only be called by jTicket@Transport and will only call EMV@Bank ‣ jTicket@Transport will only call ePurse@Bank • New application Points@Loyalty arrives on the platform. Desired behavior: ‣ Points@Loyalty will only call ePurse@Bank ‣ And here we have a problem! 7 02234 - Autumn 2010

  9. DTU Informatics Department of Informatics and Mathematical Modelling Ok... But... Wait a Minute... GP??!! • GP does not solve the problems of illegal information exchange even for the applications from different security domains • All inter-application interactions are pushed to lower levels ==> runtime environment or even hardware • Example: in Java Card, the control of the communications between the applications and the applications and the platform rests on the JRE!! 8 02234 - Autumn 2010

  10. DTU Informatics Department of Informatics and Mathematical Modelling Yes... Ok... But... Wait a Minute... JRE Firewall??!! • JRE has a firewall security mechanism that isolates each applet from the other applets within of its own context!! ‣ The internal operations of an applet have no effect on other applets embedded on the card!! 9 02234 - Autumn 2010

  11. DTU Informatics Department of Informatics and Mathematical Modelling Yes... Ok... But... Wait a Minute... JRE Firewall??!! • JRE has a firewall security mechanism that isolates each applet from the other applets within of its own context!! ‣ The internal operations of an applet have no effect on other applets embedded on the card!! ‣ Still, applications can interact in this environment by explicitly implementing shareable methods callable via an API!! (Application service in Java Card 3.0 specification or Global Services in the GP specification) • If application A knows shareable interface of application B, then it may use it for its own purposes, and there is no means for B or B security domain owner to prevent it, unless special controls are hacked into the Java firewall ‣ However this completely prevents the asynchronous download or update of different applications!! 9 02234 - Autumn 2010

  12. DTU Informatics Department of Informatics and Mathematical Modelling What About the Available Business Solutions? • There are business solutions for multi-application smart cards on top of GP and Java Card from Venyon Oy, Gemalto and companies alike developed for banking, transport and mobile operators • But typical solution from such companies is only responsible for ‣ handling loading of card customer applications ‣ security domain key handling ‣ management and removal of applications , but it is not dealing with: • Such a solution is only an improvement of GP ‣ certification of new applications on the card ‣ checks of compliance with new applications to the initial card security policy ‣ checks if the removal of some application is even possible and will not break the work of others remaining on the card 10 02234 - Autumn 2010

  13. DTU Informatics Department of Informatics and Mathematical Modelling Back to “The” Problem • What remains out of reach is a secure way to deploy new applications on the multi-application smart card once it is in the field • A costly manual review is necessary! • What owners of different trust domains wants: to make sure their applications cannot be accessed by new applications added after theirs! • What smart card developers have to prove: all the changes that are possible to apply to the card are security-free!! ‣ In this way their formal proof of compliance with Common Criteria is still valid after that changes and they do not need to obtain a new certificate... 11 02234 - Autumn 2010

  14. DTU Informatics Department of Informatics and Mathematical Modelling “The” (Security) Requirement of Smart Cards • Java Card applications must be Common Criteria certified to respect a certain policy of each stakeholder ‣ Pre-issuance certification when the card is prepared ‣ All later changes must show they meet the same policy 12 02234 - Autumn 2010

  15. DTU Informatics Department of Informatics and Mathematical Modelling “The” (Security) Requirement of Smart Cards • Java Card applications must be Common Criteria certified to respect a certain policy of each stakeholder ‣ Pre-issuance certification when the card is prepared ‣ All later changes must show they meet the same policy • Solution 1 – Theory ‣ Certify the application for all possible changes of itself AND its fellow applications 12 02234 - Autumn 2010

  16. DTU Informatics Department of Informatics and Mathematical Modelling “The” (Security) Requirement of Smart Cards • Java Card applications must be Common Criteria certified to respect a certain policy of each stakeholder ‣ Pre-issuance certification when the card is prepared ‣ All later changes must show they meet the same policy • Solution 1 – Theory ‣ Certify the application for all possible changes of itself AND its fellow applications • Solution 2 – Another Theory ‣ Run-time monitor new applications to prevent their interactions with old applications if it’s forbidden 12 02234 - Autumn 2010

  17. DTU Informatics Department of Informatics and Mathematical Modelling “The” (Security) Requirement of Smart Cards • Java Card applications must be Common Criteria certified to respect a certain policy of each stakeholder ‣ Pre-issuance certification when the card is prepared ‣ All later changes must show they meet the same policy • Solution 1 – Theory ‣ Certify the application for all possible changes of itself AND its fellow applications • Solution 2 – Another Theory ‣ Run-time monitor new applications to prevent their interactions with old applications if it’s forbidden • Solution 3 – Practice ‣ Don’t allow post-issuance evolution… 12 02234 - Autumn 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Supporting Software Evolution for Open Smart Cards by Security-by-Contract Olga Gadyatskaya*

Supporting Software Evolution for Open Smart Cards by Security-by-Contract Olga Gadyatskaya*

Supporting Software Evolution for Open Smart Cards by Security-by-Contract Olga Gadyatskaya* Joint work with F. Massacci*, N. Dragoni + , E. Lostal* *University of Trento (Italy) + Technical University of Denmark (Denmark) NODES Winter School,

355 views • 24 slides
Szumo: A Compositional Contract Model for Safe Multi- Threaded Applications LASER 2005 Laura K.

Szumo: A Compositional Contract Model for Safe Multi- Threaded Applications LASER 2005 Laura K.

Szumo: A Compositional Contract Model for Safe Multi- Threaded Applications LASER 2005 Laura K. Dillon Software Engineering & Network Systems Laboratory Michigan State University ldillon@cse.msu.edu Laser 2005 - Summer School on 1

960 views • 66 slides
Securing OAuth2-Enabled, Multi-Tenant Applications with Spring Security Rob Winch SpringSource,

Securing OAuth2-Enabled, Multi-Tenant Applications with Spring Security Rob Winch SpringSource,

Securing OAuth2-Enabled, Multi-Tenant Applications with Spring Security Rob Winch SpringSource, VMware About Me Spring Security Lead at SpringSource, VMware Past Cerner: Secure Health Care Applications Argonne Labs: Grid

562 views • 16 slides
1 FLP Partial Intuition Implication for fair exchange Quote from paper: Need a trusted

1 FLP Partial Intuition Implication for fair exchange Quote from paper: Need a trusted

TECS Week 2005 Contract Signing Two parties want to sign a contract Contract-Signing Protocols Multi-party signing is more complicated The contract is known to both parties The protocols we will look at are not for contract

402 views • 7 slides
Data Modelling with ASN.1 for Space Applications ESA/ESTEC frame contract n4000104809

Data Modelling with ASN.1 for Space Applications ESA/ESTEC frame contract n4000104809

Data Modelling with ASN.1 for Space Applications ESA/ESTEC frame contract n4000104809 Thanassis Tsiodras, Dr.-Ing NeuroPublic S.A. ASN.1? What is that? It's a "secret" weapon of the aeronautical, security and telecommunication

757 views • 26 slides
CONSTRUCTION CONTRACT MLI 14 Construction PE Evolution During 1930 s attempt

CONSTRUCTION CONTRACT MLI 14 Construction PE Evolution During 1930 s attempt

CASE STUDY ON SPLITTING OF CONSTRUCTION CONTRACT MLI 14 Construction PE Evolution During 1930 s attempt was made by tax department in Germany to characterise construction activity as a PE under the normal PE / fixed place PE

521 views • 33 slides
Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou

Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou

Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou Security Consultant Smart contract audits Nmap/Ncrack contributor Certs: OSCE, OSCP, OSWP Blockchain Basics Front Running

642 views • 30 slides
An Approach and Case Study of Cloud Instance Type Selection for Multi-Tier Web Applications

An Approach and Case Study of Cloud Instance Type Selection for Multi-Tier Web Applications

An Approach and Case Study of Cloud Instance Type Selection for Multi-Tier Web Applications Christian Davatz, Christian Inzinger, Joel Scheuner, Philipp Leitner University of Zurich, Switzerland software evolution & architecture lab

446 views • 23 slides
Applications of Immune System Computing Ricardo Hoar What kind of applications? l Computer

Applications of Immune System Computing Ricardo Hoar What kind of applications? l Computer

Applications of Immune System Computing Ricardo Hoar What kind of applications? l Computer Security l Pattern Recognition l Data Mining and Retrieval l Multi-Agent Systems l Design Optimization l Control Applications l Robotics l A

414 views • 28 slides
EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA,

EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA,

EVOLUTION OF THE CISO And the Confluence of IT Security & Audit Thomas Borton, MBA, CISA, CISM, CRISC, CISSP Director, IT Security & Compliance 13 March 2014 AGENDA 1. Introduction 2. Evolution of the CISO: Past, Present & Future

200 views • 18 slides
Improved multi-party contract signing Aybek Mukhamedov and Mark Ryan March 2, 2007 Digital

Improved multi-party contract signing Aybek Mukhamedov and Mark Ryan March 2, 2007 Digital

Improved multi-party contract signing Aybek Mukhamedov and Mark Ryan March 2, 2007 Digital Contract Signing Use digital signatures to sign a pre-agreed contract over a computer network Potentially useful for e-commerce Why it is not simple:

1.08k views • 27 slides
Smart Contract Security Florian Tramr Nicolas Kokkalis Agenda Smart Contract

Smart Contract Security Florian Tramr Nicolas Kokkalis Agenda Smart Contract

Smart Contract Security Florian Tramr Nicolas Kokkalis Agenda Smart Contract Verification Why? More examples of bugs! How? Beyond bugs in code: networks, miners and incentives Attacks by miners: reorder, delay,

405 views • 24 slides
RTEMS-SMP Improvement for LEON multi-core Contract No: 4000116175/ 15/ NL/ FE/ as

RTEMS-SMP Improvement for LEON multi-core Contract No: 4000116175/ 15/ NL/ FE/ as

RTEMS-SMP Improvement for LEON multi-core Contract No: 4000116175/ 15/ NL/ FE/ as Contractor: embedded brains GmbH (Germany) TRP (95k Euro) Duration: 12 months (KO: Feb 2016, FR: May 2017) TO: M. Verhoef / T.

1.12k views • 35 slides
Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications Avinash Sudhodanan

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications Avinash Sudhodanan

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications Avinash Sudhodanan (sudhodanan@fbk.eu) Alessandro Armando (armando@fbk.eu) Roberto Carbone (carbone@fbk.eu) Luca Compagna (luca.compagna@sap.com) NDSS, San Diego,

508 views • 27 slides
EPOCH The European Network of Excellence on ICT Applications to Cultural Heritage contract no.

EPOCH The European Network of Excellence on ICT Applications to Cultural Heritage contract no.

EPOCH The European Network of Excellence on ICT Applications to Cultural Heritage contract no. IST-2002-507382 EPOCH is funded by the European Commission under the Communitys Sixth Framework Programme, contract no. IST2002507382.

848 views • 35 slides
Applications of the Price equation to language evolution Gerhard J ager

Applications of the Price equation to language evolution Gerhard J ager

Applications of the Price equation to language evolution Gerhard J ager gerhard.jaeger@uni-tuebingen.de April 15, 2010 Evolang 8, Utrecht 1/42 Overview Structure of the talk language evolution George Prices General Theory of

699 views • 42 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Memory Usage Estimation for Java Smart Cards G ERARDO S CHNEIDER IRISA/INRIA - R ENNES , F RANCE

Memory Usage Estimation for Java Smart Cards G ERARDO S CHNEIDER IRISA/INRIA - R ENNES , F RANCE

Memory Usage Estimation for Java Smart Cards G ERARDO S CHNEIDER IRISA/INRIA - R ENNES , F RANCE CASTLES: Conception dAnalyses Statiques et de Tests pour le Logiciel Embarqu e S ecuris e NWPT04 - Uppsala, 06 October 2004 Memory

828 views • 43 slides
Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding

Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding

MPRI M1 Internship March 6 th August 26 th , 2006 Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding method Tahina Ramananandro cole Normale Suprieure Paris, France Daniel Jackson

838 views • 40 slides
Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and

Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and

Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and Verifying an Debit and credit operations on a global example: balance. Secured communication and a decimal representation in Java

339 views • 5 slides
JavaCard group project Erik Poll Digital Security Radboud University Nijmegen 1 Smartcard

JavaCard group project Erik Poll Digital Security Radboud University Nijmegen 1 Smartcard

JavaCard group project Erik Poll Digital Security Radboud University Nijmegen 1 Smartcard group project You have been contracted to build a system electronic purse loyalty card petrol rationing car rental Only design

461 views • 30 slides
Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other

Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other

Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other faces youll see Lejla Batina lectures on side-channels Anna Guinet & Niels Samwel JavaCard project & side-channel lab 2 This course:

424 views • 9 slides
C.b) RSA with Applications W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.31 RSA The

C.b) RSA with Applications W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.31 RSA The

1 C.b) RSA with Applications W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.31 RSA The RSA algorithm was introduced by Rivest, Shamir and Adleman in 1977. p,q large primes (to be kept secret) n := pq modulus (publicly

858 views • 69 slides
Derivations vs Parses Grammar is used to derive string or construct parser A derivation is a

Derivations vs Parses Grammar is used to derive string or construct parser A derivation is a

9/18/2012 Derivations vs Parses Grammar is used to derive string or construct parser A derivation is a sequence of applications of rules Starting from the start symbol S ... ... ... (sentence) Context Free Gram m ars

401 views • 5 slides

More recommend