Load Time Code Validation for Mobile Phone Java Cards

Gadyatskaya, Olga and Massacci, Fabio and Nguyen, Quang-Huy and Chetali, Boutheina (2012) Load Time Code Validation for Mobile Phone Java Cards. Trento : Università di Trento. (Unpublished)



    Over-the-air (OTA) application installation and updates have become a common experience for many end-users of mobile phones. In contrast, OTA updates for applications on the secure elements (such as smart cards) are still hindered by the challenging hardware and certification requirements. The paper describes a security framework for Java Card-based secure element applications. Each application can declare a set of services it provides and a set of services it wishes to call, and its own security policy. An on-card checker verifies compliance and enforces the policy; thus an off-card validation of the application is no longer required. The framework has been optimized in order to be integrated with the run-time environment embedded into a concrete card. This integration has been tried and tested by a smart card manufacturer. In this paper we present the formal security model of the approach, its overall architecture and the implementation footprint which can fit on a real secure element. We also report the lessons learned and the intricacies of integrating a research prototype with a protected loader of the manufacturer.

    Item Type: Departmental Technical Report
    FP7 Grant Agreement Number: info:eu-repo/grantAgreement/EC/FP7/231101, info:eu-repo/grantAgreement/EC/FP7/256980
    Department or Research center: Information Engineering and Computer Science
    Subjects: Q Science > QA Mathematics > QA075 Electronic computers. Computer science
    Uncontrolled Keywords: Load time application validation, secure elements, Security-by-Contract, Java Card
    Report Number: DISI-12-025
    Repository staff approval on: 22 Nov 2012 13:55
