Language Based Security for Java and JML


Martijn Warnier

Copyright (c) 2006 Martijn Warnier
All rights reserved.
ISBN-10: 90-9020922-0
ISBN-13: 978-90-9020922-7
IPA dissertation series 2006-16

Typeset with LaTeX2e
Cover design by Dries Verbruggen, unfold.be
Printed by Print Partners Ipskamp, Enschede

The work in this thesis has been carried out under the auspices of the research school IPA (Institute for Programming research and Algorithmics). The author was employed at the Radboud University Nijmegen and funded by the NWO project Security Analysis for Multi-Applet Smart Cards (SAMACS).

Language Based Security for Java and JML

A scientific essay in the field of Natural Sciences, Mathematics and Computer Science

Doctoral thesis

to obtain the degree of doctor from the Radboud Universiteit Nijmegen,

on the authority of the Rector Magnificus prof. dr. C.W.P.M. Blom, according to the decision of the Council of Deans,

to be defended in public on Monday 27 November 2006 at 1.30 p.m. precisely

by

Martinus Elisabeth Warnier

born on 20 May 1976 in Heerlen

Promoter: Prof. dr. B.P.F. Jacobs

Copromotor: Dr. M.D. Oostdijk

Manuscript committee:
Prof. dr. P.H. Hartel, University of Twente
Prof. dr. D. Sands, Chalmers University of Technology
Dr. J.R. Kiniry, University College Dublin

Preface

The first time I met Bart Jacobs is now five years ago. At the time I was a student in Utrecht with an interest in Java and its semantics. Jan Bergstra suggested that if I wanted to pursue this interest I should go to Nijmegen and talk to Bart. It turned out that was a very good suggestion indeed! After first finishing my Master's thesis in Nijmegen (under Bart's supervision) I was asked to stay on as a PhD student. The result of which you read at this moment.

I learned a lot in these last five years and I had a lot of fun along the way. One can hardly ask for a better atmosphere, both scientifically and socially, than the one at the sixth floor of the FNWI building in Nijmegen where the SoS group resides. In this preface I want to thank everybody who helped me with the writing of this thesis.

The first person I want to thank is Bart Jacobs. He gave me the chance to start as a PhD student in his group. I learned a lot from him about security, theorem proving and other subjects, some of which are encountered in this thesis. I'm grateful to know him, both as a researcher and as a person.

I also want to thank Martijn Oostdijk who, as my daily supervisor and copromotor, was always the person who had to read another first draft of a paper or one of the chapters of this thesis. I do not think that anybody has read so much of my writing as he has. He is probably also the person who can best judge how this thesis has improved from its infant state to its current form. These improvements stem in large part from his suggestions and comments on earlier drafts. Another thing I liked was the teaching we did together. Preparing and grading all those exercises was annoying at times, but it certainly taught me a lot about teaching.

Erik Poll also read this entire thesis. His comments are always spot on. I want to thank him for all the valuable comments and suggestions he gave me both on this thesis as well as on other papers and presentations I gave during the years.

My thanks are also due to the members of the reading committee, Pieter Hartel, David Sands and Joe Kiniry, for their comments that improved the overall quality of this thesis considerably. Furthermore I want to thank the following people for reading earlier drafts of chapters of my thesis: Engelbert Hubbers, Christian Haack, Wojciech Mostowski, Wolter Pieters, Ling Cheung and Ruby Groen for proof reading the Dutch summary.

I'm very thankful for being part of such a talented group of people as the SoS group. They are thanked for the fun we had during those endless coffee breaks, lunches and beers we shared. I explicitly want to thank the following (past and present) members of the SoS group: my roomie Cees-Bart Breunesse, Martijn Oostdijk, Bart Jacobs, Erik Poll, Joachim van den Berg, Jesse Hughes, Ling Cheung, Engelbert Hubbers, Joe Kiniry, Flavio Garcia, David Galindo, Ichiro Hasuo, Wolter Pieters and Harco Kuppens, for teaching me everything I ever wanted to know about sugar clumps.

I furthermore want to thank all the PhD students (and others) I met during the years at various summer schools and conferences. The Marktoberdorf crowd, Jeroen Ketema, Hendrik de Haan, Sander Bruggink and Arthur van Leeuwen, are especially thanked. We enjoyed ourselves in Marktoberdorf and we had lots of fun later at various evenings in Groningen, Utrecht and Nijmegen. I furthermore would like to thank Cas Cremers and Ricardo Corin for organizing, together with myself, the SPAN security workshops. Cas was also a member of the SAMACS project and we had a lot of nice discussions over the years (and shared many glasses of beer).

I also want to thank Gilles Barthe for letting me visit his group at INRIA Sophia-Antipolis for the month of October in 2004. It was a very nice experience to share my ideas with others than my own SoS group. Thanks are due to Marieke Huisman, Florian Kammuller, Tamara Rezk and the other members of the Everest group for the nice time I had there.

I couldn't have completed this thesis without my friends, whom I want to thank here for all the fun we had over the years. You all made sure that I got some much needed diversion from my thesis and work in general. I explicitly want to thank: Juriaan Nortier, Daan Moes, Kees Hordijk & Els Bon, Rosha Atsma, Ruby Groen, Thijs Broersma and the Johnson sisters.

Finally, and foremost, I want to thank my family: Claire Warnier & Dries Verbruggen, it's always fun to visit the two of you in Antwerpen. Miriam Warnier & Martijn Schliekelmann, thanks for cooking for me all those times. The food is always great, as is the company. And finally I want to thank my parents, Bart & Ine Warnier: thanks for everything, and so much more.

Martijn Warnier
May 2006
Nijmegen

Contents

Preface  v

1 Introduction  1

2 Background and preliminaries  7
  2.1 Java Card  7
  2.2 Semantics of programming languages  8
    2.2.1 Semantics of While-like languages  9
    2.2.2 Semantics of Java-like languages  10
  2.3 JML  11
  2.4 Java program verification  14
  2.5 Confidentiality as non-interference  16
    2.5.1 Security policies and security lattices  18
    2.5.2 Downgrading  19
  2.6 Tools  20
    2.6.1 ESC/Java2  20
    2.6.2 The LOOP verification framework  20
    2.6.3 PVS  21
    2.6.4 Other tools  22

3 Specification and verification of Java programs  23
  3.1 Side-effects  25
  3.2 Data types  26
    3.2.1 Aliasing  26
    3.2.2 Overflow of numeric types  27
    3.2.3 Bitwise operations  28
    3.2.4 Numeric types in specification and implementation  29
  3.3 Control flow  32
    3.3.1 Return inside try-catch-finally  32
    3.3.2 Throwing exceptions  33
    3.3.3 Breaking out of a loop  34
    3.3.4 Class invariants and callbacks  35
  3.4 Inheritance  37
    3.4.1 Combining late- and early-binding  37
    3.4.2 Inheritance and method overriding  39
  3.5 Static initialization  40
    3.5.1 Mutually-dependent static fields  40
  3.6 Conclusions  42
    3.6.1 LOOP & ESC/Java2  42

4 Specification and verification of control flow properties  45
  4.1 The applet  47
    4.1.1 Requirements  47
    4.1.2 Design  48
    4.1.3 Implementation  48
    4.1.4 The crediting protocol  50
  4.2 Specifying the applet  51
    4.2.1 Modeling the card life cycle  51
    4.2.2 The process method  55
    4.2.3 Global properties of the applet  56
  4.3 Correctness of the applet specification