the mondex case study
play

The Mondex Case Study Verifying a Java Implementation Peter H. - PowerPoint PPT Presentation

Aug 06, 2023 •378 likes •1.02k views

The Mondex Case Study Verifying a Java Implementation Peter H. Schmitt, Isabel Tonin Institute for Theoretical Computer Science Department of Computer Science Universit at Karlsruhe (TH) KeY Symposium, June, 2007 The Mondex Case Study

  1. The Mondex Case Study Verifying a Java Implementation Peter H. Schmitt, Isabel Tonin Institute for Theoretical Computer Science Department of Computer Science Universit¨ at Karlsruhe (TH) KeY Symposium, June, 2007 The Mondex Case Study

  2. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver The Mondex Case Study

  3. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming The Mondex Case Study

  4. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming The Mondex Case Study

  5. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs The Mondex Case Study

  6. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set The Mondex Case Study

  7. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set The Mondex Case Study

  8. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set automating the theory and scaling up to large code The Mondex Case Study

  9. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set automating the theory and scaling up to large code 3. A repository of verified programs. Contains at this time mostly contributions to the Mondex Case Study. The Mondex Case Study

  10. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set automating the theory and scaling up to large code 3. A repository of verified programs. Contains at this time mostly contributions to the Mondex Case Study. The Mondex Case Study

  11. Verified Software Grand Challenge a concerted effort of the global scientific community to deliver 1. A comprehensive theory of programming covering all features needed to built practical and reliable programs 2. A coherent tool set automating the theory and scaling up to large code 3. A repository of verified programs. Contains at this time mostly contributions to the Mondex Case Study. You can’t say any more it can’t be done. Here, we’ve done it! The Mondex Case Study

  12. The Mondex Card ◮ Smart card for electronic financial transactions The Mondex Case Study

  13. The Mondex Card ◮ Smart card for electronic financial transactions ◮ Issued by Natwest in 1996 The Mondex Case Study

  14. The Mondex Card ◮ Smart card for electronic financial transactions ◮ Issued by Natwest in 1996 ◮ First product certified to ITSEC Level E6 The Mondex Case Study

  15. The Mondex Card ◮ Smart card for electronic financial transactions ◮ Issued by Natwest in 1996 ◮ First product certified to ITSEC Level E6 ◮ Sanitised documentation publicly available The Mondex Case Study

  16. A model refinement Previous Work using B model Z , ASM, refinement RSL, Alloy C model Our implementation Contribution using JML Java code The Mondex Case Study

  17. Our Contribution ◮ Reference Implementation in Java Card The Mondex Case Study

  18. Our Contribution ◮ Reference Implementation in Java Card ◮ Specification using Design by Contract paradigm The Mondex Case Study

  19. Our Contribution ◮ Reference Implementation in Java Card ◮ Specification using Design by Contract paradigm ◮ Annotation using Java Modeling Language (JML) The Mondex Case Study

  20. Our Contribution ◮ Reference Implementation in Java Card ◮ Specification using Design by Contract paradigm ◮ Annotation using Java Modeling Language (JML) ◮ Full verification using the KeY prover The Mondex Case Study

  21. The Principal Classes of Mondex Card public class ConPurseJC extends Applet { private short name; private short balance; private byte status; private PayDetails transaction; private short nextSeq; private PayDetails [] exLog; private byte logIdx; ... } public class PayDetails { short fromName; short toName; short value; short fromSeq; short toSeq; ... } The Mondex Case Study

  22. Mondex Protocol Automata View ToPurse FromPurse idle StartFrom idle Epr StartTo Req Epv Epa Val Ack Endt Endf The Mondex Case Study

  23. The Protocol (Modified) central authority From Purse To Purse Idle Idle StartFrom StartTo req Epr Req Epv balance = val balance −value Val Epa balance = ack balance +value Ack Endf Endt The Mondex Case Study

  24. Architecture of a Java Card Application Reader Side Card Side Applet Applet Applet Back−End Host Application Application and Response Command System(s) APDUs Response Command Vendor or Industry specific APDUs Extensions Command Java Card Framework and APIs Card APDUs Acceptance Java Card Device Java Card VM Runtime Environment Response Card OS The Mondex Case Study

  25. Z Specification of the Val Operation ValPurseOkay ∆ ConPurse m ? , m ! : Message AuthenticValMessage status = epv Ξ ConPurseVal balance ′ = balance + pdAuth . value status ′ = esTo m ! = ackpdAuth The Mondex Case Study

  26. ASM Specification of the Val Operation VAL# if msg = val ( pdAuth ( receiver )) ∧ ¬ fail ? balance ( receiver ) := then balance ( receiver ) + pdAuth ( receicer ) .value state ( receiver ) := idle outmsg := ack ( pdAuth ( receiver )) else outmsg := ⊥ The Mondex Case Study

  27. JML Specification of the Val Operation /*@ public behavior 1 @ requires apdu != null; 2 @ assignable balance , status; @ ensures 3 @ (balance == \old(balance) @ + transaction.value) && @ (\old(status) == Epv) && (status == Endt ); @ signals only ISOException ; @ signals (ISOException e) 4 @ (( balance == \old(balance )) @ && (status == \old(status ))); @*/ private void val_operation (APDU apdu) throws ISOException JML keyword in red. The Mondex Case Study

  28. Top Level ASM Specification BOP# choose msg, fail ? , rec with msg ∈ ether ∧ auth ( rec ) in isStartTo ( msg ) ∧ state ( rec ) = idle then STARTO # if else if isStartFrom ( msg ) ∧ state ( rec ) = idle then STARTFROM # else if isreq ( msg ) ∧ state ( rec ) = epr then REQ # isval ( msg ) ∧ state ( rec ) = epv then V AL # else if else if isack ( msg ) ∧ state ( rec ) = epa then ACK # ABORT # else ether := ether + + outmsg seq The Mondex Case Study

  29. Top Level ASM Specification BOP# choose msg, fail ? , rec with msg ∈ ether ∧ auth ( rec ) in isStartTo ( msg ) ∧ state ( rec ) = idle then STARTO # if else if isStartFrom ( msg ) ∧ state ( rec ) = idle then STARTFROM # else if isreq ( msg ) ∧ state ( rec ) = epr then REQ # isval ( msg ) ∧ state ( rec ) = epv then V AL # else if else if isack ( msg ) ∧ state ( rec ) = epa then ACK # ABORT # else ether := ether + + outmsg seq The Mondex Case Study

  30. Top Level JML Specification First Installment /*@ public behavior @ requires apdu != null; @ assignable ... @ ensures @ ((\ old(logIdx) != logIdx) ==> @ (( logIdx ==0) && @ (status == Idle) && @ (\old(status )== Idle ))) @ && @ ((\ old(status )== status) ==> @ (\old(balance )== balance) && @ (\old(nextSeq )== nextSeq )) @ && The Mondex Case Study

  31. Top Level JML Specification Second Installment && @ ((\ old(status )!= status) ==> @ @ \old(apdu._buffer[I.OFFSET_INS ]) @ == apdu._buffer[I.OFFSET_INS] @ && (\old(status )== Epa ==> @ (status == Endf && @ apdu._buffer[I.OFFSET_INS ]== Ack @ && balance ==\ old(balance ))) @ && The Mondex Case Study

  32. Top Level JML Specification Third Installment @ signals_only ISOException; @ signals (ISOException e) ( @ \old(balance )== balance && @ \old(status )== status && @ \old(logIdx )== logIdx && @ \old(nextSeq) == nextSeq ); @*/ public void process(APDU apdu) The Mondex Case Study

  33. Top Level Z Specification Security Property 1 No value creation: no value may be created in the system. The sum of all purses’ balance does not increase. The Mondex Case Study

  34. Top Level Z Specification Security Property 1 No value creation: no value may be created in the system. The sum of all purses’ balance does not increase. Security Property 2.1 All value accounted: all values must be accounted in the system. The sum of all purses’ balance and lost components does not change. The Mondex Case Study

Recommend

Mondex / Alloy Last Updates Tahina Ramananandro cole Normale Suprieure Paris, France

Mondex / Alloy Last Updates Tahina Ramananandro cole Normale Suprieure Paris, France

Third Mondex Workshop University of York October 5-6 th , 2006 Mondex / Alloy Last Updates Tahina Ramananandro cole Normale Suprieure Paris, France Daniel Jackson Massachusetts Institute of Technology CSAIL Software Design Cambridge

247 views • 20 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

912 views • 4 slides
Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc kland What We ll Co ve r T o day T he L ig htbulb Mo me nt My Ph.D Case Study Case Study Charac te ristic s Case Study Stre

424 views • 10 slides
Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding

Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding

MPRI M1 Internship March 6 th August 26 th , 2006 Mondex , an Electronic Purse : Specification & Refinement Checks with the Alloy Model-Finding method Tahina Ramananandro cole Normale Suprieure Paris, France Daniel Jackson

838 views • 40 slides
2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Page 1 of 7 2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular, symbolic problem. The solution that we develop incorporates a task scheduling algorithm. 2.7.1

259 views • 7 slides
Specification, Proof, and Model Checking of the Mondex Electronic Purse Chris George and Anne

Specification, Proof, and Model Checking of the Mondex Electronic Purse Chris George and Anne

Specification, Proof, and Model Checking of the Mondex Electronic Purse Chris George and Anne Haxthausen United Nations University International Institute for Software Technology Macao SAR, China and Informatics and Mathematical Modelling

732 views • 26 slides
Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the Case Study found in the Assignment section of M005 and be ready to present your findings in a formal presentation in week 11. Each team member

319 views • 6 slides
ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction

ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction

INTER AGENCY SHELTER CLUSTER ASSESSMENTS I Introduction II Case Study #1 III - Case Study #2 REACH Introduction Most clusters (including shelter) used to inform sectoral planning without a capacity to effectively collect, analyze and

520 views • 15 slides
Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman

Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman

Case Study Marlysa Sullivan: msullivan1@muih.edu Introduction This is a case study of a woman who has a primary complaint of back pain with secondary complaints of migraines, anxiety, difficulty with sleep. Yoga Therapy has decreased her

580 views • 19 slides
DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008,

DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008,

DCK DCK Cons Constructi truction on Case Case Study Study #1 #1 Background: Formed in 2008, DCK is the largest construction/ general contractor company in the Pittsburgh, PA region Industries served by DCK include hospitality, timeshare,

98 views • 7 slides
1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE

1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE

1 Urbanization projects in BIM 3 3. CASE STUDY 4 3. CASE STUDY 5 4. VALIDATION OF THE METHODOLOGY Results analysis. Element definition Environmental impact Budget Unit Description (t CO2eq/Unit) (m3/Unit) MJ/Unit EUR/Unit The

639 views • 24 slides
A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE

A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE

A Link Between Environmental Injustice and COVID- 19: A Case Study of Chicago and Milwaukee CASE Fellow: Hannah Bacon CASE Mentor: Dr. Connie Mixon, PhD, MPA Elmhurst University Research focus: This study examines the correlation between

167 views • 15 slides
Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study

Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study

Cypress Creek Greenway Case Study Presentation to Utility Districts April 8-9, 2013 Cypress Creek Greenway Case Study Case Study: What and Why? Part of Houston- Galveston Area Councils Regional Plan for Sustainable Development One

595 views • 31 slides
CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8

CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8

CASE STUDY Solution CASE STUDY Solution 1/8 Main characteristics: A multi site ITN of 8 partners (coordinated by the organisation KIWI) proposes to provide: initial training of 36 months to 11 ESRs (total 396 person months) and

345 views • 10 slides
Case Management Best P r actice Case Management regulations. Case Study. Community

Case Management Best P r actice Case Management regulations. Case Study. Community

Case Management Best P r actice Case Management regulations. Case Study. Community Links Wollondilly and the Case Work Team LEGISLATION AGENCY STANDARDS PROFESSIONAL STANDARDS CMSA STANDARDS STRENGTH BASED APPROACH PERSON

472 views • 25 slides
MTN 020 LC : HIV Testing Case Study and Study Closeout Edward Livant BS, MPH MTN Laboratory

MTN 020 LC : HIV Testing Case Study and Study Closeout Edward Livant BS, MPH MTN Laboratory

MTN 020 LC : HIV Testing Case Study and Study Closeout Edward Livant BS, MPH MTN Laboratory Center Thursday, October 9 th 2014 HIV Case Study A clinical research site had some irregular HIV testing results. Additional Testing was

304 views • 7 slides
Hydro One Case Study Hydro One Case Study Kleenoil units were first installed at Hydro One

Hydro One Case Study Hydro One Case Study Kleenoil units were first installed at Hydro One

Hydro One Case Study Hydro One Case Study Kleenoil units were first installed at Hydro One in 2004. The fact that the Kleenoil filter cartridge removes 99.95% of all water made it very appealing to Hydro One. ACer verifying that the

289 views • 18 slides
Case Study Presentation Criteria: information for the NetP Registered Nurse Case Study

Case Study Presentation Criteria: information for the NetP Registered Nurse Case Study

Nursing Entry to Practice (NetP) Programme Case Study Presentation Assessment Criteria: NetP RN Case Study Presentation Criteria: information for the NetP Registered Nurse Case Study Presentation Requirements: Suggested presentation formats may

183 views • 3 slides
A Case Study Approach www.corneryourmarket.ca Overview Today well do a case study

A Case Study Approach www.corneryourmarket.ca Overview Today well do a case study

Running a Marketing Plan Engagement A Case Study Approach www.corneryourmarket.ca Overview Today well do a case study style approach How Ive run marketing plan engagements Two main approaches What worked best Review

519 views • 38 slides
Chapter 1: Introduction to data OpenIntro Statistics, 2nd Edition Case study Case study 1 Data

Chapter 1: Introduction to data OpenIntro Statistics, 2nd Edition Case study Case study 1 Data

Chapter 1: Introduction to data OpenIntro Statistics, 2nd Edition Case study Case study 1 Data basics 2 Overview of data collection principles 3 Observational studies and sampling strategies 4 Experiments 5 Examining numerical data 6

2.25k views • 187 slides
HSSE CONSULTING DIVISION Case Study Maximize Your Business Efficiency Case Study | (R&D

HSSE CONSULTING DIVISION Case Study Maximize Your Business Efficiency Case Study | (R&D

HSSE CONSULTING DIVISION Case Study Maximize Your Business Efficiency Case Study | (R&D Division) Client Profile: Formed in 1915 , The Client is a multinational corporation headquartered in the United States with interests in the

468 views • 12 slides
Week 1, Video 5 Case Study San Pedro Case Study of Classification With educational data

Week 1, Video 5 Case Study San Pedro Case Study of Classification With educational data

Week 1, Video 5 Case Study San Pedro Case Study of Classification With educational data Thousands of examples to choose from This example is one I know particularly well Case Study of Classification San Pedro, M.O.Z., Baker,

448 views • 23 slides
INTENSIVE CARE UNITS: A CASE STUDY FOR RESILIENCE CASE STUDY FOR RESILIENCE Jean Paris

INTENSIVE CARE UNITS: A CASE STUDY FOR RESILIENCE CASE STUDY FOR RESILIENCE Jean Paris

IAEA Technical Meeting on MANAGING THE UNEXPECTED FROM THE PERSPECTIVE OF THE INTERACTION BETWEEN INDIVIDUALS, TECHNOLOGY AND ORGANIZATION Vienna International Centre 25 to 29 June 2012 le SAS France INTENSIVE CARE UNITS: A CASE STUDY

266 views • 16 slides
Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS

Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS

New Zealand Pilot Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS What are the ecosystem services that our Auckland water Clients impact on and depended on ? What risks and opportunities arise to

256 views • 9 slides

More recommend