Verification of safety properties in the presence of transactions

Abstract

The JAVA CARD transaction mechanism can ensure that a sequence of statements either is executed to completion or is not executed at all. Transactions make verification of JAVA CARD programs considerably more difficult, because they cannot be formalised in a logic based on pre- and postconditions. The KeY system includes an interactive theorem prover for JAVA CARD source code that models the full JAVA CARD standard including transactions. Based on a case study of realistic size we show the practical difficulties encountered during verification of safety properties. We provide an assessment of current JAVA CARD source code verification, and we make concrete suggestions towards overcoming the difficulties by design for verification. The main conclusion is that largely automatic verification of realistic JAVA CARD software is possible provided that it is designed with verification in mind from the start. © Springer-Verlag Berlin Heidelberg 2005.
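To make the atomicity property concrete, the following applet fragment is an added example and is not code from the paper, from the KeY project, or from the case study it reports. It uses only the real javacard.framework API (JCSystem.beginTransaction/commitTransaction/abortTransaction, Util.getShort/setShort, ISOException); the applet name, the instruction byte and the three persistent fields are assumptions chosen for illustration. It shows why a transaction cannot be captured by a plain pre/postcondition pair: the persistent state after debit() is either exactly the pre-state (abort, or a card tear before commit) or exactly the post-state, and a partially updated state is never observable.

```java
// Added example, not from the paper or the KeY case study.
// Requires a Java Card SDK (javacard.framework); applet name, INS byte
// and field layout are hypothetical.
package example;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;

public class PurseApplet extends Applet {
    private static final byte INS_DEBIT = (byte) 0x10;

    // All three fields live in persistent memory (EEPROM) and are
    // updated together; the transaction guarantees they stay consistent.
    private short balance;
    private short txCount;
    private byte[] lastAmount;

    private PurseApplet() {
        balance = 100;
        txCount = 0;
        lastAmount = new byte[2];
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PurseApplet();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_DEBIT) {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        // Command data: a 2-byte big-endian amount at OFFSET_CDATA.
        if (apdu.setIncomingAndReceive() < (short) 2) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        short amount = Util.getShort(buf, ISO7816.OFFSET_CDATA);
        debit(amount);
    }

    // Post-state is either {balance, txCount, lastAmount} all updated,
    // or all three unchanged. No other outcome is reachable, including
    // on power loss between beginTransaction() and commitTransaction().
    void debit(short amount) {
        JCSystem.beginTransaction();
        balance -= amount;                           // tentative update
        txCount++;                                   // tentative update
        Util.setShort(lastAmount, (short) 0, amount); // atomic, rolled back on abort
        if (amount <= 0 || balance < 0) {
            // Roll back every persistent write made since beginTransaction().
            JCSystem.abortTransaction();
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        JCSystem.commitTransaction();
    }
}
```

The pre/postcondition view breaks down because the abort path returns with the pre-state intact even though balance and txCount were assigned, and because a card tear between begin and commit yields a state the method body never "returns" from. A further caveat a verifier must model: writes made through the non-atomic API (for example Util.arrayCopyNonAtomic) are not rolled back by abortTransaction(), so mixing atomic and non-atomic updates inside one transaction is exactly the kind of design the abstract's "design for verification" advice is meant to avoid.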

Cite (APA)


Hähnle, R., & Mostowski, W. (2005). Verification of safety properties in the presence of transactions. In Lecture Notes in Computer Science (Vol. 3362, pp. 151–171). Springer Verlag. https://doi.org/10.1007/978-3-540-30569-9_8
