Gadyatskaya, Olga and Massacci, Fabio and Nguyen, Quang-Huy and Chetali, Boutheina (2012) Load Time Code Validation for Mobile Phone Java Cards. Trento : Università di Trento. (Unpublished)
Over-the-air (OTA) application installation and updates have become a common experience for many end-users of mobile phones. In contrast, OTA updates for applications on the secure elements (such as smart cards) are still hindered by the challenging hardware and certification requirements. The paper describes a security framework for Java Card-based secure element applications. Each application can declare a set of services it provides and a set of services it wishes to call, and its own security policy. An on-card checker verifies compliance and enforces the policy; thus an off-card validation of the application is no longer required. The framework has been optimized in order to be integrated with the run-time environment embedded into a concrete card. This integration has been tried and tested by a smart card manufacturer. In this paper we present the formal security model of the approach, its overall architecture and the implementation footprint which can fit on a real secure element. We also report the lessons learned and the intricacies of integrating a research prototype with a protected loader of the manufacturer.
Actions (login required)