Conference PaperPDF Available

Applying the B Method for the Rigorous Development of Smart Card Applications

Authors:

Abstract and Figures

Smart Card applications usually require reliability and security to avoid incorrect operation or access violation in transactions and corruption or undue access to stored information. A way of reaching these requirements is improving the quality of the development process of these applications. BSmart is a method and a corresponding tool designed to support the formal development of the complete Java Card smart card application, following the B formal method.
Content may be subject to copyright.
Applying the B Method for the Rigorous
Development of Smart Card Applications
Bruno Gomes1,DavidD´eharbe1, Anamaria Moreira1, and Katia Moraes2
1Federal University of Rio Grande do Norte (UFRN), Natal, RN, Brazil
{bruno,david,anamaria}@consiste.dimap.ufrn.br
2Petr´oleo Brasileiro S.A. (PETROBRAS), Rio de Janeiro, RJ, Brazil
katikaka@yahoo.com.br
Abstract. Smart Card applications usually require reliability and se-
curity to avoid incorrect operation or access violation in transactions
and corruption or undue access to stored information. A way of reaching
these requirements is improving the quality of the development process
of these applications. BSmart is a method and a corresponding tool de-
signed to support the formal development of the complete Java Card
smart card application, following the B formal method.
1 Introduction
Smart card applications are present in our everyday life in a wide range of
sectors such as banking and finance, communication, Internet, public transport,
health care, etc. These applications are stored in a resource constrained device
and usually manage confidential information, such as bank account data, the
medical history of a patient or user authentication data.
Java Card [1] is a version of the Java platform with a restricted API and
Virtual Machine optimized for smart cards and other memory and processor
constrained devices. The Java Card developer can benefit from most of the Java
features, such as portability, type-safe language, object oriented development,
and the available tools.
To prevent undesirable behavior and to avoid security violations, it is helpful
to improve the quality of the smart card development process with the adoption
of rigorous software engineering process, methods and tools, to ensure that the
final product is in conformance with the specified requirements.
The BSmart project aims to contribute with a method and its corresponding
tool support which support the formal development of Java Card application
services through a development process that starts from a platform independent
B Specification of these services (i.e., a specification where Java Card character-
istics are not specified). The application installed on card, which contains the
This work was partially supported by the National Institute of Science and Tech-
nology for Software Engineering (INES) www.ines.org.br, funded by CNPq grant
573964/2008-4 and by CNPq grant 553597/2008-6. The author Bruno Gomes is sup-
ported by a doctoral degree scholarship from CNPq.
M. Frappier et al. (Eds.): ABZ 2010, LNCS 5977, pp. 203–216, 2010.
c
Springer-Verlag Berlin Heidelberg 2010
204 B. Gomes et al.
implementation of the services accessed by the client, is developed following a
customized B refinement/implementation process of the initial specification. For
the client (host application) we provide the generation of an API to commu-
nicate with the applet that takes care of all the work related with Java Card
protocol aspects and transparent Java/Java Card data coding/encoding.
Previous work [2] [3] introduced the basic structure of the BSmart method.
Its tool support has been also presented as a short paper in [4]. Here we describe
the work current stage, including the API generation for the host side and the
developed library machines that may be used in the process of specification,
verification and code generation of these applications. With respect to these
previous works, the current paper contributes with a more complete support
and formalization.
This paper is organized as follows. The Section 2 introduces the Java Card
system and its applications. An overview of the process is presented in Section 3.
The host API generation and the development of the card application are dis-
cussed respectively in Sections 4 and 5. The tool support and the developed
libraries are subject of the Section 6. Finally, in Section 7 we present some final
considerations and related work.
2JavaCard
Java Card [1] is a restricted and optimized version of the Java platform to allow
memory and processor constrained devices, such as smart cards, to store and
run small applications. A developer can benefit of many Java features, such
as portability, type-safe language, object oriented development, and available
tools. This infrastructure allows a rapid application build, test and installation
cycle, reducing the time and the cost of software production. However, in face
of hardware limitation, Java Card presents some restrictions on resources and
API. For example, dynamic class loading, threads, Strings,thetypesfloat and
double, and multi-dimensional arrays are not present in the current versions of
Java Card. The integer type (int) and garbage collection are optional.
The main component of the Java Card platform (Fig. 1) is its runtime envi-
ronment (JCRE), composed of a Java Card Virtual Machine (JCVM), a small
API, and, usually, system and industry-specific classes [1]. The JCRE acts as
a small operating system, being responsible for the control of the application
lifetime, security and resource management.
In this work we are interested in the Java Card software development, pre-
sented in Section 2.2. However, before going into the software details, it is helpful
to understand some aspects of the smart card system in Section 2.1.
2.1 Smart Card System
A smart card application is distributed between on-card and off-card compo-
nents. The server application on the card side (called applet) provides the appli-
cation services and is installed in the smart card EEPROM memory. The off-card
Applying the B Method for the Rigorous Development of S.C. Applications 205
Fig. 1. Java Card platform components. Adapted from: [5].
client (called host application) resides in a computer or electronic terminal. A
hardware device, named Card Acceptance Device (CAD), provides power to the
card chip and the physical means that the applications uses to communicate [5].
The communication can be processed by electrical contact, when working with
contact cards, or by radio frequency for contactless cards.
Fig. 2. Command and response APDUs. Source: [5].
The information exchange between the host and card applications is made
through a half-duplexed low level communication unit, named Application Proto-
col Data Unit (APDU). The ISO 7816-4 standard specifies two kinds of APDU’s,
which are the command and the response APDU (Fig. 2). Both specify data
packets. A command APDU is sent by the host, requiring some applet service
and a response APDU is sent by the applet, responding to the host request with
the result of the service processing. Examining Figure 2, one can note that the
APDU packets are a low-level structure, requiring information coding (instruc-
tion code, data, etc.) when requesting a service and information decoding (data,
status), after the service execution.
2.2 Developing Java Card Applications
The complete development process of a Java Card application involves essentially
the (i) development of the card side applet and some auxiliary classes when
needed, (ii) test and simulation of the developed application, (iii) conversion of
the generated bytecode into an appropriate format to be installed on a smart
card, and (iv) development of the client side host application. The activities (i)
and (iv) are the focus of our work. In the following we give more information on
the host application and on the Java Card applet.
206 B. Gomes et al.
Java Card host application: Java Card allows the inter-operability of the devel-
oped applet among different smart cards with compatible Java Card specifica-
tions. However, complete compatibility can only be obtained when the whole
smart card environment, including cards, readers, protocols, and host applica-
tions are in accordance to common standards. To achieve this goal, some initia-
tives taken by a consortia of smart card companies emerged, such as PC/SC [6]
and Global Platform [7]. These standards define complete APIs to initialise ter-
minals and cards and to manage the communication through APDU encoding,
taking in consideration not only on-card security, but global system security as-
pects. Other recent API, part of Java 6, is the Smart Card I/O. It is simpler than
the others, but is compatible with PC/SC readers and is suitable to most appli-
cation needs, offering the basic structure for applet communication. A portable
host application must then use one of these standards in its implementation.
Java Card applets: A Java Card applet is a class that inherits the javac-
ard.framewok.Applet class of the Java Card API and is implemented upon the
Java Card subset of Java. During the applet conversion for card installation, a
verification phase is performed to check conformance of the classes with Java
Card restrictions.
The current usual Java Card specification (2.2.x) allows two kinds of applets.
The older, and most commonly used, kind of applet manipulates directly the
APDU packages while the newer one abstracts from the lower level protocol
using Remote Method Invocation (RMI). In this paper we will call the lower
level applet APDU applet and the higher level one, RMI applet. RMI introduces
a layer of abstraction above the APDU protocol, and, due to this fact, it is
usually less efficient than APDU applets.
3 Formal Java Card Development with the B Method
Smart card applications usually require the management of confidential informa-
tion, such as monetary values and data for secure authentication. Thus, a major
part of smart card development is devoted to the implementation of an API
containing the services provided by the card whilst protecting these data. Being
a restricted domain of usually small applications with the need for safety and
correctness, smart card applications represent a suitable domain to the adoption
of formal development methods.
In this work we present a method to develop a Java Card application following
the B method [8], from specification to refinement and code generation. By using
B in the whole development process we aim to guarantee the preservation of the
specified functional properties from the abstract specification modules until their
implementation in Java Card.
Starting from a high-level formal specification of the API, the development
(Fig. 3) follows two lines, one for the card side application and the other related
to the host application:
Applying the B Method for the Rigorous Development of S.C. Applications 207
host-side: The full automatic generation of an API that encapsulates the com-
munication between the host and card applications, hiding this communica-
tion, as well as most of the details of the standards cited on section 2.2, from
the developer, who can focus on the functional aspects of the application.
card-side: The development is based on refinement of the initial B specifica-
tion. It progressively adds Java Card related aspects and a more concrete
representation of the application towards its implementation. At the end of
this chain of refinements, we are able to generate the implementation of the
application.
Fig. 3. A view of the BSmart method development and its artifacts
Figure 3 gives a general idea of the artifacts that appear in the development
process. Most of the development can be performed using the support of tools
(Section 6), but, as usual in B, the developer can add refinement levels to manage
complexity or to reduce proof effort.
The Host API component encapsulates communication standards and proto-
cols, so that the application is able to use the card services through the API
method calls. In the next sections we detail the aspects related to the generation
of the host side API and the development of the card-side application.
4 Generation of the Host Application API
As explained in Section 2.2, for the development of the host application there
are some standards which define APIs to supply all the necessary resources to
establish the communication with the card. In this work we propose to generate
a set of classes (Fig. 4) to transparently communicate with the card application,
using one of that APIs, freeing the user of the tedious and error-prone task of
manipulating the lower-level details of the Java Card system. This encapsulation
includes the management of the connection with a card application and the
coding and decoding of the data sent to and received from the applet. The user
208 B. Gomes et al.
keeps the responsibility for the functional aspects of the application only, leading
to an increased productivity.
The code of the API components for the host-side is generated from the
original specification in a fully automatable process, since, in addition to the
desired communication standard API to be used, we only need to know the
expected services of the applet and the necessary data to process them. As the
B method imposes that the signature of each operation does not change in the
refinement process, we can obtain it directly from the operations of the high-level
machine.
Fig. 4. API structure
As shown by the diagram of Figure 4, two main classes are generated for
the host developer, named Communication and Proxy, with implementations
that may vary depending on the kind of Java Card Applet (APDU or RMI)
and communication standard. The Communication class is seen by the host
application and contains high-level Java methods to call each applet service
and to control the life-time of the applet. For APDU applets, the service calls
are dispatched to the Proxy class, which is responsible for coding the received
data into a packet in the command APDU format (Fig. 2) and send it to the
applet. This class also decodes the returned response, sending it back to the
Communication class. The Proxy class is not necessary for the generation of the
RMI host application API since it allows the communication to be taken at a
higher level than the APDU level.
The classes Conversions and Function s contain useful methods to help in
the conversion tasks of data between the card and host applications. These are
predefined library classes that can be reused in different developments.
Until now, we have implemented the generation for the APIs OpenCard frame-
work,Smart Card I/O and RMI Client. The last is a simple API, part of the
Java Card specification, for the communication with RMI applets.
Applying the B Method for the Rigorous Development of S.C. Applications 209
4.1 Rules for Host API Code Generation
This section briefly describes the rules for the generation of the API classes,
namely the rules associated with data emission and reception in the communi-
cation process. The set of translation rules is too large to be fully described here;
they define a translation that follows the syntactical structure of the B specifica-
tion. Most of them are straightforward, and the only complication occurs in the
case of APDU applets due to the encoding and decoding of data when passed
to the communication medium between the card and the host components.
In all cases, each specified operation is mapped into a method of the generated
class. In the case of RMI applets, where the data encoding/decoding is taken
care by the Java Card RMI library, the general rule for the translation of a B
operation is:
generation from(B operation) =
let
jres = java return type of (B operation)
name = java name of (B operation)
jparams = java param list of (B operation)
jthrows = (exception throwing declarations: depends on API)
init try = “try {
end try = “}catch (Exception e) {e.printStackTrace(); }
in
“public” jres name “(”jparams“)” jthrows “{
init try
javarmi app method cal l of (B operation)
end try
}
The above rules rely on auxiliary functions, such as java return type of,
java param list of and java name of that, given a B operation, respectively
yield the return type, the list of parameters and the name of the corresponding
Java method. The function javarmi app method call of uses these predefined
functions to make the operation calling statement.
For the APDU version, the Proxy class is responsible for the encoding of
data for the APDU buffer and the corresponding decoding. These rules are more
complex than that for RMI as the arguments and the result of any method call
needtobeencodedasbytesandstoredinanAPDUpacket.TheAPDUformat
has three fields to store data (see Fig. 2): p1 (1 byte), p2 (1 byte) and data
(arbitrary size). We have thus defined and implemented a conversion algorithm
that computes the number of bytes needed to encode the method arguments, and
generates the Java code to convert such arguments to bytes and store them in the
APDU packet. The code thus generated is optimized to reduce communications
as it first fills the p1 and p2 fields, and uses the data field only when the encoding
of the arguments is larger than two bytes.
210 B. Gomes et al.
5 Development of the Card-Side Application
As we introduced in Section 3, the formal development of the card applet starts
from a high-level B specification of the application. This specification does not
need to observe Java Card aspects. To illustrate some concepts of this branch
of the development, let us introduce a simple abstract specification of a counter
(Fig. 5) with an operation to increment the counter. This specification uses a
Java compatible int type (JINT), provided in the JInt library machine (Fig. 10),
which also defines arithmetic operations restricted to the range of the type, such
as sum jint to compute the sum of its two integer arguments and gt jint,which
returns true when its first argument is greater than the second one.
MACHINE JCounter
SEES JInt
VA R I A B L E S value
INVARIANT value JINT
INITIALISATION
value := 0
OPERATIONS
increment (vv )=
PRE
vv JINT
gt jint(vv,0)=true
sum jint (value,vv)JINT
THEN
value := sum jint (value,vv)
END
END
MACHINE JCCounter
SEES JCInt,JInt, (...), InterfaceContext
VA R I A B L E S jc value
INVARIANT jc value JCINT
INITIALISATION
jc value := jcint of jint (0)
OPERATIONS
jc increment (vv )=
PRE
vv JCINT
gt jcint(vv,jcint of jint(0))=true
sum jcint (jc value,vv)JCINT
THEN
jc value := sum jcint (jc value,vv)
END
END
Fig. 5. JCounter machine and its Java Card version JCCounter
Here we introduce a common situation that can occur in a typical develop-
ment: the abstract specification uses types that are not compatible with Java
Card types. The JCounter abstraction uses the int type, which is not built-in
Java Card, and the B method does not allow interface and type changing in the
refinement process. Thus, to follow the card-side development, we need to deal
with this type incompatibility by introducing a refinement pattern.
To achieve the goal of type/interface adaptation without going out the strict
rules of B refinement we use library machines that model each type and interme-
diate machines containing conversion functions and properties relating them. We
will present here the general notion and excerpts of the corresponding modules
to illustrate the solution for our example in which we model the int type through
apairofshorts. The detailed approach is described in [9]. The important point
in favor of this solution is that the development rigorously obeys B refinement
restrictions.
Applying the B Method for the Rigorous Development of S.C. Applications 211
MACHINE InterfaceContext
SEES JInt ,JCInt
CONSTANTS jint of jcint,jcint of jint
PROPERTIES
jint of jcint JCINT JINT
jcint of jint JINT JCINT
ASSERTIONS
jint of jcint 1=jcint of jint
dom (jint of jcint )=JCINT
dom (jcint of jint )=JINT
END
Fig. 6. The InterfaceContext machine
The right side of Figure 5 presents a counter machine providing the same
services as JCounter but with interface and typing restrictions compatible with
Java Card. The JCINT is a definition of the Java integer type represented as a
pair of shorts, included in the JCInt library machine (not detailed here). The
JCCounter machine is also the initial model of a B development to provide an
implementation of the card-side component.
The conversion function linking these two abstract (JINT) and concrete
(JCINT) integer representations are put in InterfaceContext. This machine also
contains some corollaries in the assertions clause. These additional properties
are useful to simplify interactive proofs of the development. Since JCCounter is
a machine, not a refinement, we want to be able to prove that the type adapta-
tion succeeds as a refinement relation. We can do this by refining the abstract
JCounter, relating the abstract and concrete types in its invariant using the
functions defined in InterfaceContext, as we can see in Figure 7. So, in case of
successful verification, we are able to continue our card development using the
concrete JCCounter. Although the process of typing adaptation is automatable
(possibly with some user assistance), the tool support for the method does not
include it yet.
To allow the smart card implementation of the API, an additional refinement
is applied to make it closer to Java Card code. We achieve this making it full-
function, i.e., weakening the preconditions of the operations so that they only
define typing of the parameters. The remaining restrictive conditions are han-
dled in its body through conditional substitutions, whose non-validity leads to
the throwing of an exception. This is performed by modeling simple Java Card
exception classes in an Exception library machine. A dedicated context machine
contains the identifier code of each exception and any other constants or Java
Card related information that the refinement needs. The full function refinement
of JCounter and its context machine can be shown in Figure 8. The restrictive
precondition stating that the value of the increment must be greater than zero
was moved to its body, this way allowing the generation of this verification con-
dition in the translated Java Card code.
212 B. Gomes et al.
REFINEMENT JCounter ref
REFINES JCounter
SEES JInt,JCInt,InterfaceContext
INCLUDES JCCounter
INVARIANT value =jint of jcint (jc value)
OPERATIONS
increment (vv )=
PRE
vv JINT
sum jint(jint of jcint (jc value), vv)JINT
THEN
jc increment (jcint of jint (vv))
END
END
Fig. 7. A refinement of JCounter to verify the type adaption correctness
MACHINE JCCounterContext
SETS EXCEPTIONS ={non positive value}
END
REFINEMENT JCCounterFF ref
REFINES JCCounter
INCLUDES
ISOException.Exception(EXCEPTIONS)
SEES JCCounterContext, (...)
VARIABLES jc value
INVARIANT jc value JCINT
INITIALISATION
jc value := jcint of jint (0)
OPERATIONS
jc increment (vv )=
PRE
vv JCINT
sum jcint (jc value,vv)JCINT
THEN
IF ¬(gt jcint(vv,jcint of jint(0))=
true)
THEN
ISOException.throwIt(
non positive value)
END;
jc value :=sum jcint (jc value,vv)
END
END
Fig. 8. The full function version of JCCounter and its context machine
The translation of the B0 implementations to Java Card code is the last stage
in the card-side development. The main development implementation, contain-
ing the services offered to the host, generates the applet class. As usual, other
modules may have to be generated, such as the context machine. In Section 6.1
we can see part of the counter implementation, emphasizing the use of the APDU
library machine for data sending and receiving.
6 Tool Support
The BSmart tool [4] is an Eclipse plugin connecting several software components,
each responsible for implementing a different step of the BSmart method. Es-
sential software for the B formal method is also included, such as a type checker,
Applying the B Method for the Rigorous Development of S.C. Applications 213
and connection with external tools, such as Atelier B, for proof obligation gen-
eration and verification. Also, as explained in the next Subsection, we supply
jointly with the tool a library of B modules modeling essential classes of the
Java Card API, types and useful data structures.
The main components that provide support for the method are the BSmart
Modules Generator and the B to Java Card code translator. The former is re-
sponsible to generate the B refinements required by the method and the latter
translates all the B implementation modules into Java Card programming code
and also generates the API classes for the host side client. The translator has
been developed based on the Java translator of JBtools [10]. We modified this
open-source B method tool to allow the translation for Java Card.
6.1 A Library of Reusable B Components
We have developed B machines to model Java/Java Card primitive types and
some classes of the Java Card API. We plan to supply these verified B models
to all classes of the Java Card API and to other useful tasks for Java Card
applications, such as manipulation of time, date, currency, etc.
The specification of the Java Card API specification was realized using as basis
the official documentation of the classes, as well as JML-based and OCL-based
specifications [11,12]. In our approach, the specification serves for the purpose of:
(i) providing verified B models of the API (ii) using these verified modules in the
refinement of the card-side application, allowing us to verify the correctness of its
use in relation to adequate data and the necessary dependencies, for example,
when an operation requires the calling of a previous one and (iii) facilitating
the generation of the Java Card code, since an operation of an API model is
translated to its corresponding method call in Java Card.
As an example, we can see in Figure 9 some excerpts of the APDU class
model in B, one of the most important of the Java Card API. Through it one
can access the APDU buffer for exchanging data with the host application.
The details of this process is treated internally with the Java Card Runtime
Environment (JCRE) and it is not our propose to model it. As we said before,
we are interested in the practical use of the operations to allow verification and
code generation. On the right side of the figure, we show a practical example of
the use of APDU machine in the implementation of the count er development.
The APDU machine is imported and the operations are called as we do in a Java
Card applet method to receive data and to send it after processing.
In the case of the types library we have developed machines to deal with the
types short,int,boolean andamoduletorepresentthetypeint forJavaCard
as a pair of shorts. As we can see for the type int in Figure 10, each machine has
constants for type definition and useful functions to operate within the bounds
of the type.
The development of the library is still in progress but we expect that when
concluded the developed modules can be reused by B specifiers and Java Card
developers with the advantage of being fully verified using the B method. We
214 B. Gomes et al.
MACHINE APDU (...)
CONCRETE VA R I A B L E S (...)
state,buffer
INVARIANT
state TBYTE
state ST INITIAL ..
ST FULL OUTGOING
buffer (0 .. 132) TBYTE (...)
OPERATIONS
res setIncomingAndReceive =
PRE
state =ST INITIAL
THEN
CHOICE
state := ST PART I A L INCOMING
OR
state := ST FULL INCOMING
END ||
ANY value
WHERE
value TSHORT value 0
value buffer(OFFSET LC)
buffer(OFFSET LC)+
BUFFER HEADER LENGTH
BUFFER LENGTH
THEN res :=value
END
END (...)
IMPLEMENTATION
JCCounter imp
REFINES
JCCounterFF ref
SEES
JCCounterContext,
TShort (...)
IMPORTS
ISOException.Exception(
EXCEPTIONS),
apdu.APDU(...)
OPERATIONS
jc increment (vv )=
VA R buffer, (...), value lc,le,res
IN
buffer apdu.getBuffer; (...)
value lc
apdu.setIncomingAndReceive;
( ... data processing ...)
le apdu.setOutgoing;
apdu.setOutgoingLength(1);
buffer(0) := res;
apdu.sendBytes(0, 1)
END (...)
Fig. 9. Part of APDU machine (left) and its use in an implementation (right)
MACHINE JInt
SEES TBoolean
CONCRETE CONSTANTS
MAXJINT,MINJINT,JINT,
sum jint,subt jint, ... , equal jint,gt jint
PROPERTIES
MINJINT ∈Z∧MINJINT = - 2147483648
MAXJINT ∈Z∧MAXJINT = 2147483647
JINT =MINJINT .. MAXJINT
sum jint JINT ×JINT JINT
sum jint =λ(a1 ,a2 ).(a1 JINT a2 JINT
(a1 +a2 )JINT |a1 +a2 ) (...)
END
Fig. 10. Part of JInt library machine: type definition and sum operation
Applying the B Method for the Rigorous Development of S.C. Applications 215
therefore contribute for the correctness of the generated application as a whole,
since not only the core application, but all its necessary support classes are
subject to formal development and verification.
7 Conclusions
The starting point of this work was to identify the general structure of Java
Card applications, and to develop B specifications of some typical Java Card
applications, e.g. ticketing, electronic wallet, etc. These case studies evolved to
the BSmart method and the first version of its tool support.
Current B development tools include code generation for imperative languages
such as C and ADA. The development of optimized C code for smart cards has
been subject of study of the B with Optimized Memory (BOM) project [13] [14],
proposing optimizations such as method inlining. Optimization is an open issue
in our work, but we plan, for instance, to reduce the number of local variables
introduced in an operation and to minimize class instantiation. Regarding the
translation for Java, a recent initiative is the integration of a translator in the
Rodin platform [15]. A first Java Card synthesis approach has been proposed
in [16]. It was implemented in the JBtools platform [10] and provides a code
generator for Java optimized for Java Card compatibility. However, there is no
specific generation for the Java Card applet and no API support is provided for
the host application. The code generation for Java Card is also restricted to the
short integer type.
Our goal is to provide a complete Java Card service generation method, con-
sisting of the card-side application development, as well as an API for host
applications to transparently access the card services. Thus the user does not
need to deal with type adaptation/conversion and the Java Card lower-level pro-
tocols. The method, jointly with the provided B library of Java Card classes,
types and useful data structures, form the basis of an environment to effectively
and efficiently develop fully-verified Java Card software.
As future work, we want to verify the result of the translation to Java and
Java Card. An approach is the inclusion of JML annotations in the generated
code to allow runtime checking, as in the work of [17]. We also plan to apply ad-
vanced language transformation techniques, such as TXL [18] or ASF+SDF [19]
to generate part of the B refinements and the Java Card application final code
to replace our ad hoc low level implementation of the transformation rules.
Finally, to better validate the proposal and its tool support, we have to de-
velop a more complex case study. A good candidate is the Mondex electronic
purse, a case study that is part of the Verified Software Initiative. In the Mondex
system some amount of monetary value is transferred from a source to a target
smart card purse in a non-atomic protocol. Each purse must be implemented in
isolation, without sharing properties through a global control. The Mondex sys-
tem has been formally specified in Event-B in Butler and Yadav [20] work and in
other work using several formalisms. We started to adapt this system specifica-
tion to a programming specification, extracting the card and host specifications,
modeling them according to the BSmart method.
216 B. Gomes et al.
References
1. Chen, Z.: Java Card Technology for Smart Cards: Architecture and Programmer’s
Guide. Addison Wesley, Reading (2000)
2. Gomes, B., Moreira, A.M., eharbe, D.: Developing Java Card applications with
B. In: Brazilian Symposium on Formal Methods (SBMF), pp. 63–77 (2005)
3. Deharbe, D., Gomes, B.G., Moreira, A.M.: Automation of Java Card component
development using the B method. In: ICECCS, pp. 259–268. IEEE Comp. Soc.,
Los Alamitos (2006)
4. D´eharbe, D., Gomes, B.G., Moreira, A.M.: Bsmart: A Tool for the Development
of Java Card Applications with the B Method. In: B¨orger, E., Butler, M., Bowen,
J.P., Boca, P. (eds.) ABZ 2008. LNCS, vol. 5238, pp. 351–352. Springer, Heidelberg
(2008)
5. Ortiz, E.C.: An Introduction to Java Card Technology,
http://java.sun.com/javacard/reference/techart/javacard1 (2003)
6. PC/SC Workgroup: PC/SC Workgroup Web site (2009),
http://www.pcscworkgroup.com
7. Global Platform: Global Platform Web site (2009),
http://www.globalplatform.org
8. Abrial, J.R.: The B-Book: Assigning Programs to Meanings. Cambridge U. Press,
Cambridge (1996)
9. D´eharbe, D., Gomes, B.G., Moreira, A.M.: Refining Interfaces: The Case of the B
Method. Technical report, Fed. Univ. of Rio Grande do Norte (2009) (to appear)
10. Voisinet, J.C.: JBtools: an experimental platform for the formal B method. In:
Principles and Practice of Programming, Maynooth, NUI, pp. 137–139 (2002)
11. Meijer, H., Poll, E.: Towards a Full Formal Specification of the Java Card API. In:
Attali, S., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 165–178. Springer,
Heidelberg (2001)
12. Larsson, D.: OCL Specifications for the Java Card API. Master’s thesis, School of
Computer Science and Engineering, G¨oteborg University (2003)
13. Requet, A., Bossu, G.: Embedded formally proved code in a smart card: Converting
B to C. In: ICFEM 2000, York, UK, p. 15. IEEE Computer Society, Los Alamitos
(2000)
14. Bert, D., et al.: Adaptable translator of B specifications to embedded C programs.
In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp.
94–113. Springer, Heidelberg (2003)
15. Edmunds, A., Butler, M.: Code Generation for Event-B with Intermediate Speci-
fication. In: Rodin User and Developers Workshop (2009),
http://wiki.event-b.org/index.php/Rodin_Workshop_2009
16. Tatibouet, B., Requet, A., Voisinet, J., Hammad, A.: Java Card Code Generation
from B Specifications. In: Dong, J.S., Woodcock, J. (eds.) ICFEM 2003. LNCS,
vol. 2885, pp. 306–318. Springer, Heidelberg (2003)
17. Costa, U., Moreira, A., Musicante, M., Neto, P.: Specification and Runtime Veri-
fication of Java Card Programs. In: Brazilian Symp. on Formal Methods (2008)
18. Cordy, J.: The TXL Programming Language (2009),
http://www.meta-environment.org
19. Meta-Environment.org: The ASF+SDF Meta-Environment (2009),
http://www.txl.ca/index.html
20. Butler, M., Yadav, D.: An Incremental Development of the Mondex System in
Event-B. Formal Aspects of Computing 20(1), 61–77 (2007)
... To support the specification, design, proof and code generation, it has a robust and useful tools like Atelier B. As shown in Fig. 1, the B method covers all the aspects in the software development of a system which is composed of three steps: (i) Specification translates the software requirement into a B abstract model based on the notion of abstract machine (Header, static and dynamic parts), (ii) Refinement refines the abstract model of a software system into another mathematical model that is more concrete named implementation, and (iii) Code generation translates automatically with the Atelier B tool all the implementations of the concrete model into C code. B method attracts more interest in the industry and has been used successfully in many safety applications, such as smart cards [54], METEOR [55], electronic circuits [56], automotive diagnostics [57], electronic voting machines [58] and medical systems [59]. ...
Article
Full-text available
This research paper deals with combining semi-formal and formal methods to develop distributed reconfigurable control systems (DRCSs). The reconfiguration consists in modifying the system behavior to adapt it to the changes in its related environment caused by user needs and operating constraints. A DRCS which consists of networked reconfigurable control systems (RCSs), is a set of functional operations such that only a subset is executed by adding or removing operations after a well-defined reconfiguration scenario. To dynamically handle reconfiguration scenarios at run-time, a defined multi-agent architecture is proposed and affects a reconfiguration agent (RA) for the local reconfiguration of each RCS and a global coordination agent (CA) to harmonize the different RCSs for a required coherence. To provide a documented and safe reconfigurable system, we propose a new methodology called DRec-UML-B that covers all software development phases from modeling and verification to code generation using UML and B. The DRec-UML-B development process consists of two complementary phases: UML specification and B specification. In the first phase, we model the different agents with UML to specify the static and dynamic aspects of the DRCS. The second phase translates the UML specification to obtain the B abstract model using defined DRec-rules, and reduces the number of operations to be transformed from UML class diagram to B ones. Then, we apply successive refinements to obtain the C code and we check the system using Atelier B and Check R-B tools for the consistency and accuracy of the specification, refinement and code generation levels to avoid the redundant control of B machines that share similar sequences of operations.We apply all the proposed contributions to two benchmark production systems FESTO and EnAS to discuss the benefits of DRec-UML-B methodology in terms of the number of generated B operations.
... Furthermore, B has been successfully used in some major safety applications such as METEOR. 20 smart cards, 21 automotive diagnostics, 22 electronic circuits, 23 medical systems, 24 and electronic voting machines. 25 Also, a strong point of B is to have robust and useful tools to support the specification, design, proof, and code generation such as Atelier B. 26 In this article, the goal is to propose a new Distributed Reconfigurable B (DReconf-B) approach that improves B method in order to model and verify dynamic, automatic, and flexible distributed reconfigurable control systems (DRCS). ...
Article
Full-text available
This research article proposes a novel approach called Distributed Reconfigurable B to specify and verify distributed reconfigurable control systems using B method. Reconfiguration signifies the dynamic adaptation of the system behavior to the evolution of its environment by applying a reconfiguration scenario. A multi-agent architecture is defined to affect a reconfiguration agent to ensure local reconfiguration for each subsystem and a coordination agent to manage the different subsystems to guarantee the coherence of the whole system. A reconfigurable system is a set of B operations where only a subset is executed by adding or removing operations after a well-defined reconfiguration scenario. Distributed Reconfigurable B defines two complementary steps to be applied in abstract model of B method: specification and verification. The first step models the agents according to Distributed Reconfigurable B formalism. The second verifies distributed reconfigurable control systems using Atelier B tool and avoids the redundant checking of different B machines by applying the implemented Check Reconfigurable B tool. We apply the contributions on the two benchmark production systems: FESTO and EnAS.
Chapter
Formal software development requires specifications that are both abstract and concrete, and in addition a mechanism to refine abstract specifications to concrete specifications. The B-Method is purposively designed to accomplish the goal of specification and refinement together along with proof obligations. Introduced by Jean-Raymond Abrial in the early 1990s, the B-Method includes the B language, refinement methods and proof methods to verify the satisfaction of refinements. This chapter provides a sound tutorial of the B-Method and includes several examples at varying levels of complexity. The specifications given in this chapter have been type checked using the Atelier-B-tool. As a result of using this tool, some of the symbols that were quite frequently used in previous chapters may look different in this chapter. For example, in this chapter, P\mathcal{P} denotes the power set, N\mathcal{N} denotes the natural numbers, N1\mathcal{N}_{1} denotes the positive numbers, and Z\mathcal{Z} denotes the integers.
Conference Paper
Task management is an important part of an operating system, safe and reliable task management program is crucial for operating system running. To overcome the limitations of traditional methods for operating system development, taking Embedded Real-Time Operating System MicroC/OS-II as chief reference, a formal model of task management based on B method is proposed in this paper. According to the idea of step-wised construction of B method, we refine the abstract specification models designed in the previous stage. This work achieves a realizable model of task management eventually. Task management developed based on B method may improve the system validity and security.
Article
Full-text available
This paper presents a methodology for the rigorous de-velopment of Java Card smart card applications, using the B Method. Its main feature is to abstract the particularities of Java Card and smart card aware applications from the specifier as much as possible. In the proposed approach, the specification of the aplication logic does not need to take into account the specific aspects of the Java Card plat-form (in particular, communication between the card accep-tance device and the smart card itself). A sequence of pre-established refinements is then applied to the original spec-ification to yield an implementation-level B description of the component, which can then be used to synthesize Java Card code. An interesting side-effect of this approach is that the specification may be reused with any other platform of implementation.
Article
Full-text available
Java Card is a version of Java developed to run on devices with severe storage and processing restrictions. The applets that run on these devices are frequently intended for use in critical, highly distributed, mobile conditions. They are required to be portable and safe. Often, the requirements of the application impose the use of dynamic, on-card verifications, but most of the research developed to improve safety of Java Card applets concentrates on static verification methods. This work presents a runtime verification approach based on Design by Contract to improve the safety of Java Card applications. To this end, we propose JCML (Java Card Modeling Language) a specification language derived from JML (Java Modeling Language) and its implementation: a compiler that generates runtime verification code. We also present some experiments and quality indicators.
Conference Paper
Full-text available
A smart card is a portable computer device able to store data and execute commands. Java Card [1] is a specialization of Java, providing vendor inter-operability for smart cards, and has now reached a de facto standard status in this industry. The strategic importance of this market and the requirement for a high reliability motivate the use of rigorous software development processes for smart card aware applications based on the Java Card technology. The B method [2] is a good candidate for such process, since it is a formal method with a successful record to address industrial-level software development. In [3,4], we proposed two versions of a Java Card software development method (called BSmart) based on the B method. The main feature of these methods is to abstract the particularities of smart card systems to the applications developers as much as possible. This abstract presents the current version of a tool, also called BSmart, to support the method. The tool provides the automatable steps required by the method and some guidelines and library machines that are useful during the development process. It includes B development tools (type checker, PO generator) and specific BSmart tools (refinement generator, Java Card translator, etc.). In this approach, the card services specifier only needs to apply some refinement steps to his abstract (implementation platform independent) B specification. The generation of these refinements adapts the specification to Java Card standards and introduces platform specific aspects gradually. Finally, from the concrete B refinements the Java Card code implementing the services provided by the card will be automatically generated by the tool. The tool also provides the generation of a Java API for the host-side application from the original abstract specification, encapsulating all the communication protocol details. Thus, the client application code can then be developed in a completely platform independent way. The definition of the method is in a mature stage, and our attention is now focused on the implementation of more robust versions of the BSmart tools and packaging them in a user-friendly environment. The integration of verification and animation tools is also planned for a next release of the tool.
Conference Paper
Full-text available
This paper presents a method for the rigorous development of Java Card smart card applications, using the B Method. Its main feature is to abstract the particularities of Java Card and smart card aware applications from the specifier as much as possible. In the proposed approach, the specification of the application logic does not need to take into account the specific aspects of the Java Card platform (in particular, communication between the card acceptance device and the smart card itself). A sequence of preestablished refinements is then applied to the original specification to yield an implementation-level B description of the component, which can then be used to synthesize Java Card code. This method reduces significantly the required amount of user-interaction and improves productivity. An interesting side-effect of this approach is that the specification may be reused with any other platform of implementation.
Article
Tribute Foreword Introduction Part I. Mathematics: 1. Mathematical reasoning 2. Set notation 3. Mathematical objects Part II. Abstract Machines: 4. Introduction to abstract machines 5. Formal definition of abstract machines 6. Theory of abstract machines 7. Constructing large abstract machines 8. Examples of abstract machines Part III. Programming: 9. Sequencing and loop 10. Programming examples Part IV. Refinement: 11. Refinement 12. Constructing large software systems 13. Examples of refinement Appendixes Index.
Conference Paper
This paper presents a method for the rigorous development of Java Card smart card applications, using the B method. Its main feature is to abstract the particularities of Java Card and smart card aware applications from the specifier as much as possible. In the proposed approach, the specification of the application logic does not need to take into account the specific aspects of the Java Card platform (in particular, communication between the card acceptance device and the smart card itself). A sequence of pre-established refinements is then applied to the original specification to yield an implementation-level B description of the component, which can then be used to synthesize Java Card code. This method reduces significantly the required amount of user-interaction and improves productivity. An interesting side-effect of this approach is that the specification may be reused with any other platform of implementation
Article
This Master's thesis discusses the development of OCL specifications for Java Card API,and is part of the KeY project. OCL is a specification language, i.e. it is used to express formallythe requirements on a system. The KeY tool is a CASE tool, in which formal methods(formal specification and formal verification) are integrated with contemporary software developmenttechniques. The main purpose of the OCL specifications is to simplify the verificationof Java Card programs within the KeY...
Conference Paper
The B method, developed by Jean-Raymond Abrial, is a formal method which enables an incremental development process (also known as the refinement process). The distribution of the B Method and the creation of experimental research tools face constraints of the market for existing tools: cost, limited access, and limited number of systems (hardware and software) requiring this kind of support. The purpose of the jBTools project is to solve this problem by proposing an open-source platform. In this article, we will present the architecture of the platform, the available base tools (User Interface, Parser, Type Checker) producing an XML format and the optimized code generator for the French project RNTL BOM.