On-Device Control Flow Verification for Java Programs

  • Arnaud Fontaine
  • Samuel Hym
  • Isabelle Simplot-Ryl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6542)


While mobile devices have become ubiquitous and generally multi-application capable, their operating systems provide few high level mechanisms to protect services offered by application vendors against potentially hostile applications coexisting on the device. In this paper, we tackle the issue of controlling application interactions including collusion in Java-based systems running on open, constrained devices such as smart cards or mobile phones. We present a model specially designed to be embedded in constrained devices to verify on-device at loading-time that interactions between applications abide by the security policies of each involved application without resulting in run-time computation overheads; this model deals with application (un)installations and policy changes in an incremental fashion. We sketch the application of our approach and its security enhancements on a multi-application use case for GlobalPlatform/Java Card smart cards.


Smart Card Security Policy Java Program Java Virtual Machine Call Graph 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bieber, P., Cazin, J., Wiels, V., Zanon, G., El-Marouani, A., Girard, P., Lanet, J.L.: The PACAP Prototype: A Tool for Detecting Java Card Illegal Flow (chapter 3). In: Attali, I., Jensen, T. (eds.) JavaCard 2000. LNCS, vol. 2041, pp. 25–37. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Ghindici, D., Simplot-Ryl, I.: On Practical Information Flow Policies for Java-Enabled Multiapplication Smart Cards. In: Grimaud, G., Standaert, F.X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 32–47. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Yoshioka, N., Washizaki, H., Maruyama, K.: A survey on security patterns. Progress in Informatics (5), 35–47 (2008)Google Scholar
  4. 4.
    Gurov, D., Huisman, M., Sprenger, C.: Compositional verification of sequential programs with procedures. Information and Computation 206(7), 840–868 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Huisman, M., Gurov, D., Sprenger, C., Chugunov, G.: Checking absence of illicit applet interactions, a case study. In: Wermelinger, M., Margaria-Steffen, T. (eds.) FASE 2004. LNCS, vol. 2984, pp. 84–98. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Barthe, G., Gurov, D., Huisman, M.: Compositional verification of secure applet interactions. In: Kutsche, R.-D., Weber, H. (eds.) FASE 2002. LNCS, vol. 2306, pp. 15–32. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Besson, F., Blanc, T., Fournet, C., Gordon, A.D.: From stack inspection to access control: a security analysis for libraries. In: Proceedings of the 17th workshop on Computer Security Foundations (CSFW 2004), p. 61. IEEE Computer Society, Los Alamitos (2004)CrossRefGoogle Scholar
  8. 8.
    Sistla, A.P., Venkatakrishnan, V.N., Zhou, M., Branske, H.: CMV: automatic verification of complete mediation for java virtual machines. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security (ASIACCS 2008), pp. 100–111. ACM, New York (2008)CrossRefGoogle Scholar
  9. 9.
    Leroy, X.: Bytecode verification on Java smart cards. Software – Practice & Experience 32(4), 319–340 (2002)CrossRefzbMATHGoogle Scholar
  10. 10.
    Ghindici, D., Grimaud, G., Simplot-Ryl, I.: An Information Flow Verifier for Small Embedded Systems. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 189–201. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Necula, G.C.: Proof-carrying code. In: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 1997, pp. 106–119. ACM, New York (1997)Google Scholar
  12. 12.
    Bieber, P., Cazin, J., Girard, P., Lanet, J.L., Wiels, V., Zanon, G.: Checking Secure Interactions of Smart Card Applets: extended version. Journal of Computer Security 10, 369–398 (2002)CrossRefGoogle Scholar
  13. 13.
    Dragoni, N., Massacci, F., Naliuka, K., Siahaan, I.: Security-by-contract: Toward a semantics for digital signatures on mobile code. In: López, J., Samarati, P., Ferrer, J.L. (eds.) EuroPKI 2007. LNCS, vol. 4582, pp. 297–312. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Dragoni, N., Massacci, F., Schaefer, C., Walter, T., Vetillard, E.: A Security-by-Contract Architecture for Pervasive Services. In: SECPerU, pp. 49–54 (2007)Google Scholar
  15. 15.
    Ion, I., Dragovic, B., Crispo, B.: Extending the Java Virtual Machine to Enforce Fine-Grained Security Policies in Mobile Devices. In: ACSAC, pp. 233–242 (2007)Google Scholar
  16. 16.
    Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically rich application-centric security in Android. In: Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC 2009), pp. 340–349. IEEE Computer Society, Los Alamitos (2009)Google Scholar
  17. 17.
    Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: CCS 2009, Chicago, IL, USA, pp. 235–245. ACM, New York (November 2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Arnaud Fontaine
    • 1
  • Samuel Hym
    • 1
  • Isabelle Simplot-Ryl
    • 1
  1. 1.Univ Lille Nord de France, INRIA Lille – Nord Europe, CNRS UMR 8022 LIFLFrance

Personalised recommendations