the mondex case study
play

The Mondex Case Study Verifying a Java Implementation Peter H. - PowerPoint PPT Presentation

Aug 06, 2023 •378 likes •1.02k views

The Mondex Case Study Verifying a Java Implementation Peter H. Schmitt, Isabel Tonin Institute for Theoretical Computer Science Department of Computer Science Universit at Karlsruhe (TH) KeY Symposium, June, 2007 The Mondex Case Study

  1. The Mondex Case Study Verifying a Java Implementation Peter H. Schmitt, Isabel Tonin Institute for Theoretical Computer Science Department of Computer Science Universit¨ at Karlsruhe (TH) KeY Symposium, June, 2007 The Mondex Case Study

  2. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver The Mondex Case Study

  3. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming The Mondex Case Study

  4. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming The Mondex Case Study

  5. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs The Mondex Case Study

  6. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set The Mondex Case Study

  7. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set The Mondex Case Study

  8. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set automating the theory and scaling up to large code The Mondex Case Study

  9. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set automating the theory and scaling up to large code 3. A repository of verified programs. Contains at this time mostly contributions to the Mondex Case Study. The Mondex Case Study

  10. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set automating the theory and scaling up to large code 3. A repository of verified programs. Contains at this time mostly contributions to the Mondex Case Study. The Mondex Case Study

  11. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set automating the theory and scaling up to large code 3. A repository of verified programs. Contains at this time mostly contributions to the Mondex Case Study. You can’t say any more it can’t be done. Here, we’ve done it! The Mondex Case Study

  12. The Mondex Card ◮ Smart card for electronic financial transactions The Mondex Case Study

  13. The Mondex Card ◮ Smart card for electronic financial transactions ◮ Issued by Natwest in 1996 The Mondex Case Study

  14. The Mondex Card ◮ Smart card for electronic financial transactions ◮ Issued by Natwest in 1996 ◮ First product certified to ITSEC Level E6 The Mondex Case Study

  15. The Mondex Card ◮ Smart card for electronic financial transactions ◮ Issued by Natwest in 1996 ◮ First product certified to ITSEC Level E6 ◮ Sanitised documentation publicly available The Mondex Case Study

  16. A model refinement Previous Work using B model Z , ASM, refinement RSL, Alloy C model Our implementation Contribution using JML Java code The Mondex Case Study

  17. Our Contribution ◮ Reference Implementation in Java Card The Mondex Case Study

  18. Our Contribution ◮ Reference Implementation in Java Card ◮ Specification using Design by Contract paradigm The Mondex Case Study

  19. Our Contribution ◮ Reference Implementation in Java Card ◮ Specification using Design by Contract paradigm ◮ Annotation using Java Modeling Language (JML) The Mondex Case Study

  20. Our Contribution ◮ Reference Implementation in Java Card ◮ Specification using Design by Contract paradigm ◮ Annotation using Java Modeling Language (JML) ◮ Full verification using the KeY prover The Mondex Case Study

  21. The Principal Classes of Mondex Card public class ConPurseJC extends Applet { private short name; private short balance; private byte status; private PayDetails transaction; private short nextSeq; private PayDetails [] exLog; private byte logIdx; ... } public class PayDetails { short fromName; short toName; short value; short fromSeq; short toSeq; ... } The Mondex Case Study

  22. Mondex Protocol Automata View ToPurse FromPurse idle StartFrom idle Epr StartTo Req Epv Epa Val Ack Endt Endf The Mondex Case Study

  23. The Protocol (Modified) central authority From Purse To Purse Idle Idle StartFrom StartTo req Epr Req Epv balance = val balance −value Val Epa balance = ack balance +value Ack Endf Endt The Mondex Case Study

  24. Architecture of a Java Card Application Reader Side Card Side Applet Applet Applet Back−End Host Application Application and Response Command System(s) APDUs Response Command Vendor or Industry specific APDUs Extensions Command Java Card Framework and APIs Card APDUs Acceptance Java Card Device Java Card VM Runtime Environment Response Card OS The Mondex Case Study

  25. Z Specification of the Val Operation ValPurseOkay ∆ ConPurse m ? , m ! : Message AuthenticValMessage status = epv Ξ ConPurseVal balance ′ = balance + pdAuth . value status ′ = esTo m ! = ackpdAuth The Mondex Case Study

  26. ASM Specification of the Val Operation VAL# if msg = val ( pdAuth ( receiver )) ∧ ¬ fail ? balance ( receiver ) := then balance ( receiver ) + pdAuth ( receicer ) .value state ( receiver ) := idle outmsg := ack ( pdAuth ( receiver )) else outmsg := ⊥ The Mondex Case Study

  27. JML Specification of the Val Operation /*@ public behavior 1 @ requires apdu != null; 2 @ assignable balance , status; @ ensures 3 @ (balance == \old(balance) @ + transaction.value) && @ (\old(status) == Epv) && (status == Endt ); @ signals only ISOException ; @ signals (ISOException e) 4 @ (( balance == \old(balance )) @ && (status == \old(status ))); @*/ private void val_operation (APDU apdu) throws ISOException JML keyword in red. The Mondex Case Study

  28. Top Level ASM Specification BOP# choose msg, fail ? , rec with msg ∈ ether ∧ auth ( rec ) in isStartTo ( msg ) ∧ state ( rec ) = idle then STARTO # if else if isStartFrom ( msg ) ∧ state ( rec ) = idle then STARTFROM # else if isreq ( msg ) ∧ state ( rec ) = epr then REQ # isval ( msg ) ∧ state ( rec ) = epv then V AL # else if else if isack ( msg ) ∧ state ( rec ) = epa then ACK # ABORT # else ether := ether + + outmsg seq The Mondex Case Study

  29. Top Level ASM Specification BOP# choose msg, fail ? , rec with msg ∈ ether ∧ auth ( rec ) in isStartTo ( msg ) ∧ state ( rec ) = idle then STARTO # if else if isStartFrom ( msg ) ∧ state ( rec ) = idle then STARTFROM # else if isreq ( msg ) ∧ state ( rec ) = epr then REQ # isval ( msg ) ∧ state ( rec ) = epv then V AL # else if else if isack ( msg ) ∧ state ( rec ) = epa then ACK # ABORT # else ether := ether + + outmsg seq The Mondex Case Study

  30. Top Level JML Specification First Installment /*@ public behavior @ requires apdu != null; @ assignable ... @ ensures @ ((\ old(logIdx) != logIdx) ==> @ (( logIdx ==0) && @ (status == Idle) && @ (\old(status )== Idle ))) @ && @ ((\ old(status )== status) ==> @ (\old(balance )== balance) && @ (\old(nextSeq )== nextSeq )) @ && The Mondex Case Study

  31. Top Level JML Specification Second Installment && @ ((\ old(status )!= status) ==> @ @ \old(apdu._buffer[I.OFFSET_INS ]) @ == apdu._buffer[I.OFFSET_INS] @ && (\old(status )== Epa ==> @ (status == Endf && @ apdu._buffer[I.OFFSET_INS ]== Ack @ && balance ==\ old(balance ))) @ && The Mondex Case Study

  32. Top Level JML Specification Third Installment @ signals_only ISOException; @ signals (ISOException e) ( @ \old(balance )== balance && @ \old(status )== status && @ \old(logIdx )== logIdx && @ \old(nextSeq) == nextSeq ); @*/ public void process(APDU apdu) The Mondex Case Study

  33. Top Level Z Specification Security Property 1 No value creation: no value may be created in the system. The sum of all purses’ balance does not increase. The Mondex Case Study

  34. Top Level Z Specification Security Property 1 No value creation: no value may be created in the system. The sum of all purses’ balance does not increase. Security Property 2.1 All value accounted: all values must be accounted in the system. The sum of all purses’ balance and lost components does not change. The Mondex Case Study

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mondex / Alloy Last Updates Tahina Ramananandro cole Normale Suprieure Paris, France

Mondex / Alloy Last Updates Tahina Ramananandro cole Normale Suprieure Paris, France

Third Mondex Workshop University of York October 5-6 th , 2006 Mondex / Alloy Last Updates Tahina Ramananandro cole Normale Suprieure Paris, France Daniel Jackson Massachusetts Institute of Technology CSAIL Software Design Cambridge

247 views • 20 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc kland What We ll Co ve r T o day T he L ig htbulb Mo me nt My Ph.D Case Study Case Study Charac te ristic s Case Study Stre

424 views • 10 slides
Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding

Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding

MPRI M1 Internship March 6 th August 26 th , 2006 Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding method Tahina Ramananandro cole Normale Suprieure Paris, France Daniel Jackson

838 views • 40 slides
2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Page 1 of 7 2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular, symbolic problem. The solution that we develop incorporates a task scheduling algorithm. 2.7.1

259 views • 7 slides
Specification, Proof, and Model Checking of the Mondex Electronic Purse Chris George and Anne

Specification, Proof, and Model Checking of the Mondex Electronic Purse Chris George and Anne

Specification, Proof, and Model Checking of the Mondex Electronic Purse Chris George and Anne Haxthausen United Nations University International Institute for Software Technology Macao SAR, China and Informatics and Mathematical Modelling

732 views • 26 slides
Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the Case Study found in the Assignment section of M005 and be ready to present your findings in a formal presentation in week 11. Each team member

319 views • 6 slides
ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction

ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction

INTER AGENCY SHELTER CLUSTER ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction Most clusters (including shelter) used to inform sectoral planning without a capacity to effectively collect, analyze and

520 views • 15 slides
Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman

Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman

Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman who has a primary complaint of back pain with secondary complaints of migraines, anxiety, difficulty with sleep. Yoga Therapy has decreased her

576 views • 19 slides
DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008,

DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008,

DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008, DCK is the largest construction/ general contractor company in the Pittsburgh, PA region Industries served by DCK include hospitality, timeshare,

98 views • 7 slides
1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE

1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE

1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE METHODOLOGY Results analysis. Element definition Environmental impact Budget Unit Description (t CO2eq/Unit) (m3/Unit) MJ/Unit EUR/Unit The

639 views • 24 slides
A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE

A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE

A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE Fellow: Hannah Bacon CASE Mentor: Dr. Connie Mixon, PhD, MPA Elmhurst University Research focus: This study examines the correlation between

167 views • 15 slides
Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study

Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study

Cypress Creek Greenway Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study Case Study: What and Why? Part of Houston- Galveston Area Councils Regional Plan for Sustainable Development One

595 views • 31 slides
CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8

CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8

CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8 partners (coordinated by the organisation KIWI) proposes to provide: initial training of 36 months to 11 ESRs (total 396 person months) and

345 views • 10 slides
Case Management Best P r actice Case Management regulations. Case Study. Community

Case Management Best P r actice Case Management regulations. Case Study. Community

Case Management Best P r actice Case Management regulations. Case Study. Community Links Wollondilly and the Case Work Team LEGISLATION AGENCY STANDARDS PROFESSIONAL STANDARDS CMSA STANDARDS STRENGTH BASED APPROACH PERSON

472 views • 25 slides
MTN 020 LC : HIV Testing Case Study and Study Closeout Edward Livant BS, MPH MTN Laboratory

MTN 020 LC : HIV Testing Case Study and Study Closeout Edward Livant BS, MPH MTN Laboratory

MTN 020 LC : HIV Testing Case Study and Study Closeout Edward Livant BS, MPH MTN Laboratory Center Thursday, October 9 th 2014 HIV Case Study A clinical research site had some irregular HIV testing results. Additional Testing was

304 views • 7 slides
Bringing the world to the classroom and the classroom to life NGL.CENGAGE.COM/ELT A P A R T O F

Bringing the world to the classroom and the classroom to life NGL.CENGAGE.COM/ELT A P A R T O F

Bringing the world to the classroom and the classroom to life NGL.CENGAGE.COM/ELT A P A R T O F C E N G A G E Teaching our Students to be Global Explorers Katherine Stannett The Four Cs Critical Thinking Communication Collaboration

438 views • 39 slides
Improving DPOP with Branch Consistency for Solving Distributed Constraint Optimization Problems

Improving DPOP with Branch Consistency for Solving Distributed Constraint Optimization Problems

Motivation and Background Branch Consistency for Pseudo-Trees Experiments and Results Conclusions Improving DPOP with Branch Consistency for Solving Distributed Constraint Optimization Problems Ferdinando Fioretto 1 , 2 Tiep Le 1 William Yeoh

868 views • 49 slides
Banking Dynamics and Capital Regulation Jos Vctor Ros Rull Tamon Takamura Yaz Terajima

Banking Dynamics and Capital Regulation Jos Vctor Ros Rull Tamon Takamura Yaz Terajima

Banking Dynamics and Capital Regulation Jos Vctor Ros Rull Tamon Takamura Yaz Terajima Penn, CAERP, UCL Bank of Canada Bank of Canada Richmond Fed, March 16, 2018 WORK IN PROGRESS Capital Buffers as a form of Regulation A

994 views • 73 slides
ESC/Java2 vs. JMLForge Juan Pablo Galeotti, Alessandra Gorla,

ESC/Java2 vs. JMLForge Juan Pablo Galeotti, Alessandra Gorla,

ESC/Java2 vs. JMLForge Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany ESC/Java2: the formula is built using Dijsktras

439 views • 43 slides
A DISTRIBUTED SYSTEM FOR SMART ENERGY NEGOTIATION Alba Amato 1 , Beniamino Di Martino 1 , Marco

A DISTRIBUTED SYSTEM FOR SMART ENERGY NEGOTIATION Alba Amato 1 , Beniamino Di Martino 1 , Marco

A DISTRIBUTED SYSTEM FOR SMART ENERGY NEGOTIATION Alba Amato 1 , Beniamino Di Martino 1 , Marco Scialdone 1 , Salvatore Venticinque 1 , Svein Hallsteinsen 2 , Shanshan Jiang 2 1 Second University of Naples, 2 SINTEF ICT MO T I V A T I O N

637 views • 22 slides
Presented by: Debbie Silver <www.debbiesilver.com> 1 Personal Goal Setting State each

Presented by: Debbie Silver <www.debbiesilver.com> 1 Personal Goal Setting State each

Desperately Seeking a Round Tuit Time Management for Educators Presented by: Debbie Silver <www.debbiesilver.com> 1 Personal Goal Setting State each goal in the positive. Be precise (put down dates, times and amounts that

988 views • 60 slides
Agenda 8:30 Classifica1on&localiza1on 9:50 Spotlights

Agenda 8:30 Classifica1on&localiza1on 9:50 Spotlights

Large Scale Visual Recogni1on Challenge (ILSVRC) 2013: Object Detec)on

718 views • 32 slides
Understanding and using SAT solvers A practitioner perspective Daniel Le Berre 1 CRIL-CNRS UMR

Understanding and using SAT solvers A practitioner perspective Daniel Le Berre 1 CRIL-CNRS UMR

Understanding and using SAT solvers A practitioner perspective Daniel Le Berre 1 CRIL-CNRS UMR 8188 Summer School 2009: Verification Technology, Systems & Applications Nancy, October 12-16, 2009 1. Contains material provided by Prof. Joao

1.73k views • 170 slides

More recommend