1. h28.1 6-Apr-01 Clark Thomborson Software Security CompSci 725 Handout 28: Report Writing #2 (Sample Titles & Abstracts) Clark Thomborson University of Auckland

2. h28.2 6-Apr-01 Clark Thomborson New Security issues Raised by Java Card This paper discusses the solution on smart cards regarding the market needs and the flexibility for card applications. The strong typing of Java enforces the language based security, but is not sufficient. The security problems and solutions on the features which Java card bring to application developers and end users were described here: download framework from open card architecture is proposed, with the off-card byte code verification performed by a third-party. The program Applet Firewall is invoked when codes in one context attempt to access data or codes in another context. The sharable interface concept is also introduced here. Platform and application securities were also discussed. The application security relies on a proven implementation of the OS and the associated Java Card Runtime Environment. Ensuring the correctness of this implementation is the basis of the platform security. This can be done through a mathematical proof of the implementation.

3. h28.3 6-Apr-01 Clark Thomborson Java Cards Security Issues In this paper, the author introduced new security issues raised by Java Cards in four aspects. One is to download code securely on card. The verification must be done off- card by a third-party, card issuer. The second security is the Java Card platform level security which is under the issuer's responsibility. The third one is the application security which is under the provider's responsibility. The last issue is about data and objectssharing on the card. This mechanism prevents unauthorized access to data and objects.

4. h28.4 6-Apr-01 Clark Thomborson Two Security Issues about Java Card I introduce two concerns about java card security. One is the post-issuance applet download feature. Another one is multi- services feature. And give an interesting point from where you can start your attack.

5. h28.5 6-Apr-01 Clark Thomborson A Secure Java Smart Card System: Visa Open Platform Traditional smart card technologies are difficult to develop and have a long time-to-market. Open smart card systems offer several advantages, including short development cycles, dynamic updating of cards and the ability for one card to provide services from many providers. However they raise new security concerns to ensure that both users and providers of services are protected from malicious tampering. We discuss how the VISA Open Platform addresses these concerns. Methods include off card verification and digital signing of applets, formal proof of correctness of major software components, and sandbox firewalling of executions domains. The resulting system is a powerful frame work for developing and deploying smart card applications, but security can only be ensured by the careful use of its facilities.