This Article 
 Bibliographic References 
 Add to: 
Stack and Queue Integrity on Hostile Platforms
January 2002 (vol. 28 no. 1)
pp. 100-108

When computationally intensive tasks have to be carried out on trusted, but limited, platforms such as smart cards, it becomes necessary to compensate for the limited resources (memory, CPU speed) by off-loading implementations of data structures on to an available (but insecure, untrusted) fast coprocessor. However, data structures, such as stacks, queues, RAMs, and hash tables, can be corrupted (and made to behave incorrectly) by a potentially hostile implementation platform or by an adversary knowing or choosing data structure operations. This paper examines approaches that can detect violations of datastructure invariants, while placing limited demands on the resources of the secure computing platform.

[1] Sun Micro-Systems, Inc., Javacard 2.0, Application Programming Interfaces, Oct. 1997, .
[2] Spyrus, Inc., Spyrus Product Guide, 1997. http:/
[3] Mondex Int'l Limited, The Mondex Magazine, July 1997. http:/
[4] N.M. Amato and M.C. Loui, “Checking Linked Data Structures,” Proc. 24th Ann. Int'l Symp. Fault-Tolerant Computing (FTCS), 1994.
[5] M. Blum, W. Evans, P. Gemmell, S. Kannan, and M. Noar, “Checking the Correctness of Memories,” Algorithmica, vol. 12, nos. 2/3, pp. 225–244, 1994, originally appeared in Proc. FOCS '91.
[6] P. Devanbu, P.W. Fong, and S. Stubblebine, “Techniques for Trusted Software Engineering,” Proc. 20th Int'l Conf. Software Eng., 1998.
[7] P. Devanbu and S.G. Stubblebine, “Cryptographic Verification of Test Coverage Claims,” Proc. Fifth ACM/SIGSOFT Symp. Foundations of Software Eng., Sept. 1997.
[8] O. Goldreich, “Towards a Theory of Software Protection and Simulation by Oblivious RAMs,” Proc. 19th Ann. Symp. Theory of Computing, 1987.
[9] J. Guttag, J. Horning, S. Garland, K. Jones, A. Modet, and J. Wing, Larch: Languages and Tools for Formal Specification. Springer-Verlag, 1993.
[10] L. Lamport, "Password Authentication with Insecure Communication," Comm. ACM, Vol. 24, Nov. 1981, pp. 770-774.
[11] T. Lindholm and F. Yellin, The Java Virtual Machine Specification, Addison-Wesley, Reading, Mass., 1997.
[12] R.C. Merkle, “A Certified Digital Signature,” Advances in Cryptology (Crypto '89), 1989.
[13] M. Naor and A. Wool, “Access Control and Signatures via Quorum Secret Sharing,” Proc. Third ACM Conf. Computer and Comm. Security, 1996.
[14] G. Necula, “Proof-Carrying Code,” Conf. Record 24th Symp. Principles of Programming Languages, pp. 106–116, Paris, ACM Press, Jan. 1997.
[15] R. Ostrovsky, “Efficient Computations on Oblivious RAMs,” Proc. 19th Ann. Symp. Theory of Computing, 1990.
[16] R. Wahbe, S. Lucco, T. Anderson, and S. Graham, Efficient Software-Based Fault Isolation Proc. 14th ACM Symp. Operating System Principles, pp. 203-216, Dec. 1993.
[17] B. Yee and D. Tygar, “Secure Coprocessors in Electronic Commerce Applications,” Proc. First USENIX Workshop Electronic Commerce, July 1995.

Index Terms:
data structures, security, correctness of memories, software protection, oblivious ram
P.T. Devanbu, S.G. Stubblebine, "Stack and Queue Integrity on Hostile Platforms," IEEE Transactions on Software Engineering, vol. 28, no. 1, pp. 100-108, Jan. 2002, doi:10.1109/32.979991
Usage of this product signifies your acceptance of the Terms of Use.