About the world-first smart card certificate with EAL7 formal assurances

Transcription

1 About world-first smart card certificate with EAL7 formal assurances Bouina Chetali, Quang-Huy Nguyen Security Labs Technology & Innovation Meudon, France 9 th ICCC, Jeju, September 2008

2 Why? e-passport ID cards Health New New threats threats Privacy Privacy Identity Identity ft ft Data Data disclosure disclosure between between applications applications e.g., e.g., bank bank do do not not want want to to be be spied spied mobile mobile operator operator Mobile Payment Credit/Debit Smart Poster Transport Bouina Chetali, 9 th ICCC Jeju, September 2008 Loyalty Ticketing New New requirements requirements on on security security trust: trust: strong strong need need certification certification independent independent authority authority Both Both robustness robustness (against (against physical physical attacks) attacks) correctness correctness (against (against stware stware attacks) attacks) shall shall be be ensured ensured Robustness Robustness is is ensured ensured penetration penetration test: test: fault-injection, fault-injection, side-channel side-channel attacks, attacks, etc etc Correctness Correctness is is ensured ensured evidence evidence elements elements on on development development process process (from (from specification specification to to code) code) 2

3 The certificate Highest formal assurances Evaluator (CESTI) Bouina Chetali, 9 th ICCC Jeju, September

4 What it is? A SIM card embedding a Java Card System, evaluated at EAL4+ level, where Card manager (U)SIM Applet 1 Applet 2 Applet N JavaCard System design its JCS has been evaluated at EAL7 level ADV_SPM.3, ADV_FSP.4, ADV_HLD.5, ADV_LLD.2, ADV_IMP.3, ADV_INT.3, ADV_RCR.3 Operating System IC Bouina Chetali, 9 th ICCC Jeju, September

5 What does it mean? EAL4 + [AVA_VLA.4, DVS.2,MSU.3, ADV_(SPM.3, FSP.4, HLD.5, LLD.2, IMP.3, INT.3,RCR.3) Testifies that has been methodically designed, tested reviewed, but also it is highly resistant, its security measures are sufficient for its confidentiality integrity, its insecure states have been analysed tested, its Virtual Machine has been formally proved correct : The design development JVM security functions have been formally proved correct The «C code» correctly implements security functions And Firewall, as specified Sun, is correct Bouina Chetali, 9 th ICCC Jeju, September

6 How does it work? Goal : prove formally correctness (security) design JVM, w.r.t. its specification Functional specification : Sun s JC2.2.1 Security specification : security target ensure Security objectives O.Firewall : The JC Platform shall ensure controlled sharing data containers owned applets different packages, between applets system. Security functional requirements FDP_ACF.1.1/FIREWALL The JC platform shall enforce Firewall access control to objects based on ir security attributes: currently active context, SELECTed applet Context, attribute ActiveApplets. Correctly implements Security functions C implementation JVM SF.Firewall The JCRE firewall enforces applet isolation. The JCRE shall allocate manage a context for each applet or package installed, respectively loaded, on card its own JCRE context. Applets cannot access each or's objects unless y share same context or y use object sharing mechanism supported JCRE. Bouina Chetali, 9 th ICCC Jeju, September

7 The global refinement from ST Security Specification (target) Properties Ex: OT.Firewall requires complete isolation between applications SPM Formal l Informal l Functional Specification Description Interface High-Level Design Description Subsystems Low-Level Design Description Modules Bouina Chetali, 9 th ICCC Jeju, September

8 Formalisation Security Target Security Target security target formal security policy? Each security objective is formalized as a (set ) property that security policy model must ensure The security policy formalizes ( behaviour) functional requirements Firewall objective is translated into confidentiality integrity orems Security target formal functional specification? a mapping between security functions ir formal specification. this correspondence must show that FSP is a complete consistent representation security functions. Security objectives Functional requirements Security functions ADV_SPM TSP Security policy ADV_FSP Functional specification ADV_HLD High Level Design ADV_LLD Low level Design ADV_IMP Implementation Binary code (TOE) Bouina Chetali, 9 th ICCC Jeju, September

9 From Low Level Design to Implementation : bridging gap between models code Top-down: C code is generated from formal specification (e.g. [Bert et al.-fme-03]) but in smart cards industry Certification existing codes performance size issues generated code Bottom-up: formal model is generated from C code (e.g. [Andronick et al.-fm-05]) It does not cover all C features model is complex Semi-formal link : LLD has been built as a mapping between model (HLD) code using a precise complete code-to-spec review ADV_INT to minimize complexity code-to-spec review task Note : no CC requirement on this correpondence Bouina Chetali, 9 th ICCC Jeju, September

10 Some Figures The initial work started in 2002 (with Trusted Logic INRIA) Evaluation, Serma Technologies, lasted 1 year (June June 2007) including training evaluator ~= 20K lines C Most important formal development in Coq > 117,000 lines (5 state machines JC Virtual Machine) > 1600 proved orems 30 elements have been delivered for evaluation (models pros) The most complex tasks have been informal ones! Bouina Chetali, 9 th ICCC Jeju, September

11 Summary A A breakthrough breakthrough in in java java Card Card security security but but also also in in CC CC methodology methodology Feasibility Feasibility : : first first complete complete formal formal ADV ADV chain chain (EAL7) (EAL7) Security Security : : security security properties properties specification specification are are fulfilled fulfilled code code An An implementation implementation augmentation augmentation methodology methodology providing providing highest highest level level confidence: confidence: state state art art level level for for whole whole but but with with The The highest highest level level robustness robustness for for whole whole The The highest highest level level correctness correctness for for sensitive sensitive parts parts (security (security functions) functions) A A contribution contribution to to state state art art certifications certifications French French certification certification body body takes takes into into account account achievement achievement this this evaluation evaluation Correspondence Correspondence between between informal informal formal formal components components Formal Formal modeling modeling tool tool Bouina Chetali, 9 th ICCC Jeju, September

12 Challenges Cost-effective Cost-effective reuse reuse :: Same Same VM VMis is embedded embedded on on several several (JC) (JC) s s each each certificate certificate includes includes same same augmentation augmentation Enhanced/or Enhanced/or VM VMimplementations (code) (code) only only last last step, step, between between most most detailed detailed description description code, code, has has to to be be developed developed Or Or sensitive sensitive function function Global Global methodology methodology is is reused reused but but models models pros pros are are rebuild rebuild Bouina Chetali, 9 th ICCC Jeju, September

13 Questions? Bouina Chetali FM Group Manager Security Labs Technology & Innovation Tel:

14 References Chetali (B.) Nguyen (Q.H.). Industrial Use Formal Methods for a Highlevel Security Evaluation, Proceedings FM08, LNCS 5014, 15TH International symposium on Formal Methods (FM08). Turku, Finl, May 08. J. Andronick, Q-H. Nguyen. Certifying an Embedded Remote Method Invocation Protocol. The 23rd ACM Symposium on Applied Computing (SAC08), Brazil,2008. Chetali (B.). How Common Criteria requirements could be used for development secure stware, ICCC 06.Lanzarote, Spain, September 06. Chetali (B.) Nguyen (Q.H.), Certifying Native Java Card API Formal Refinement e, In J. Domingo-Ferrer, J. Posegga, D. Schreckling, editors, CARDIS 06, volume 3928 LNCS, pages Springer-Verlag, Chetali (B.) Nguyen (Q.H.). Towards CC Certification a Java Card Virtual Machine Proceedings 5th International Conference on Common Criteria (ICCC 04). Berlin, September 04. Chetali (B.), Gimenez (E.), Loiseaux (C.), Ly (O.). An Interpretation Common Criteria EAL7 level, Proceedings 2th International Conference on Common Criteria (ICCC 02). Ottawa, Mai 02. Certificate Bouina Chetali, 9 th ICCC Jeju, September