A B model for ensuring soundness of a large subset of the Java Card virtual machine

Java Cards are a new generation of smart cards that use the Java programming language. As smart cards are usually used to supply security to an information system, security requirements are very strong. The byte code interpreter and verifier are crucial components of such cards, and proving their safety can become a competitive advantage. Previous works have been done on methodology for proving the soundness of the byte code interpreter and verifier using the B method. It refines an abstract defensive interpreter into a byte code verifier and a byte code interpreter. However, this work had only been tested on a very small subset of the Java Card instruction set. This paper presents a work aiming at verifying the scalability of this previous work. The original instruction subset of about 10 instructions has been extended to a larger subset of more than one hundred instructions, and the additional cost of the proof has been managed by modifying the specification in order to group opcodes by properties.