Supporting software evolution for open smart cards by security-by-contract
Dragoni, Nicola; Massacci, Fabio
2011-01-01
Abstract
Open multi-application smart cards that allow post-issuance evolution (i.e. loading of new applets) are potentially very attractive for both smart card developers and card users. Yet we find only a few of them on the market, as no satisfactory solution exists for assuring that these coming-and-going applications will not exchange data unless permitted by their respective policies. If all applications could be loaded at the start, this would boil down to information flow analysis, for which many solutions exist; but this is precisely the restriction we want to overcome. When applications are not known in advance and can be updated asynchronously, possibly without a connection to trusted third parties, we must preserve the security policies of the various owners of the applets during such autonomous evolution. This chapter illustrates the extension of the Security-by-Contract approach from mobile phones to smart cards: Security-by-Contract is based on the loading-time application certification on ...