Skip to main content
SpringerLink
Log in

Java Card Virtual Machine Compromising from a Bytecode Verified Applet

  • Conference paper
  • First Online:
Book cover Smart Card Research and Advanced Applications (CARDIS 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9514))

Abstract

The Byte Code Verifier (BCV) is one of the most important security element in the Java Card environment. Indeed, embedded applets must be verified prior installation to prevent ill-formed applet loading. In this article, we disclose a flaw in the Oracle BCV which affects the applet linking process and can be exploited on real world Java Card smartcards. We describe our exploitation of this flaw on a Java Card implementation that enables injecting and executing arbitrary native malicious code in the communication buffer from a verified applet. This native execution allows snapshotting the smart card memory with OS rights.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The BCV included in the Java Card SDK 3.0.5u1 prevents the introduced attack. This version was released on 19 August 2015.

References

  1. Barbu, G., Duc, G., Hoogvorst, P.: Java card operand stack: fault attacks, combined attacks and countermeasures. In: Prouff, E. (ed.) [21], pp. 297–313 (2011)

    Google Scholar 

  2. Barbu, G., Thiebeauld, H., Guerin, V.: Attacks on java card 3.0 combining fault and logical attacks. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 148–163. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  3. Berlach, R., Lackner, M., Steger, C., Loinig, J., Haselsteiner, E.: Memory-efficient on-card byte code verification for Java cards. In: Proceedings of the First Workshop on Cryptography and Security in Computing Systems, CS2 2014, pp. 37–40. ACM, New York (2014)

    Google Scholar 

  4. Bouffard, G.: A generic approach for protecting Java card smart card against software attacks. Ph.D. thesis, University of Limoges, Limoges, France, October 2014

    Google Scholar 

  5. Bouffard, G., Iguchi-Cartigny, J., Lanet, J.: Combined software and hardware attacks on the java card control flow. In: Prouff, E. (ed.) [21], pp. 283–296

    Google Scholar 

  6. Bouffard, G., Lanet, J.: The ultimate control flow transfer in a Java based smart card. Comput. Secur. 50, 33–46 (2015)

    Article  Google Scholar 

  7. Calvagna, A., Fornaia, A., Tramontana, E.: Combinatorial interaction testing of a Java card static verifier. In: 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation, Workshops Proceedings, March 31 - April 4, 2014, Cleveland, Ohio, USA, pp. 84–87. IEEE Computer Society (2014)

    Google Scholar 

  8. Calvagna, A., Tramontana, E.: Automated conformance testing of Java virtual machines. In: Barolli, L., Xhafa, F., Chen, H., Gómez-Skarmeta, A.F., Hussain, F. (eds.) Seventh International Conference on Complex, Intelligent, and Software Intensive Systems, CISIS 2013, Taichung, Taiwan, July 3–5, 2013, pp. 547–552. IEEE Computer Society (2013)

    Google Scholar 

  9. Casset, L.: Development of an embedded verifier for Java card byte code using formal methods. In: Eriksson, L.-H., Lindsay, P.A. (eds.) FME 2002. LNCS, vol. 2391, pp. 290–309. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  10. Faugeron, E.: Manipulating the frame information with an underflow attack. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 140–151. Springer, Heidelberg (2014)

    Google Scholar 

  11. Faugeron, E., Valette, S.: How to hoax an off-card verifier. e-smart (2010)

    Google Scholar 

  12. Hamadouche, S.: Étude de la sécurité dun vérifieur de Byte Code et génération de tests de vulnérabilité. Master’s thesis, University M’Hamed Bougara of Boumerdes, Faculty of Sciences, LIMOSE Laboratory, 5 Avenue de l’indpendance, 35000 Boumerdes, Algeria (2012)

    Google Scholar 

  13. Hamadouche, S., Bouffard, G., Lanet, J.L., Dorsemaine, B., Nouhant, B., Magloire, A., Reygnaud, A.: Subverting byte code linker service to characterize Java card API. In: Seventh Conference on Network and Information Systems Security (SAR-SSI), pp. 75–81, May 22rd to 25th 2012

    Google Scholar 

  14. Hamadouche, S., Lanet, J.: Virus in a smart card: myth or reality? J. Inf. Secur. Appl. 18(2–3), 130–137 (2013)

    Google Scholar 

  15. Lancia, J.: Java card combined attacks with localization-agnostic fault injection. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 31–45. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  16. Leroy, X.: Bytecode verification on Java smart cards. Softw. Pract. Exper. 32(4), 319–340 (2002)

    Article  MATH  Google Scholar 

  17. Liang, S.: The Java Native Interface: Programmer’s Guide and Specification, 1st edn. Addison-Wesley Professional, Reading (1999)

    Google Scholar 

  18. Lindholm, T., Yellin, F., Bracha, G., Buckley, A.: The Java Virtual Machine Specification: Java Series. Addison-Wesley, Reading (2014)

    Google Scholar 

  19. Mostowski, W., Poll, E.: Malicious code on java card smartcards: attacks and countermeasures. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 1–16. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  20. Oracle: Java Card 3 Platform, Virtual Machine Specification, Classic Edition. No. Version 3.0.5, Oracle, Oracle America Inc, 500 Oracle Parkway, Redwood City, CA 94065 (2015)

    Google Scholar 

  21. Prouff, E. (ed.): CARDIS 2011. LNCS, vol. 7079. Springer, Heidelberg (2011)

    Google Scholar 

  22. Razafindralambo, T., Bouffard, G., Lanet, J.-L.: A friendly framework for hidding fault enabled virus for Java based smartcard. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 122–128. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  23. Savary, A., Frappier, M., Lanet, J.-L.: Detecting vulnerabilities in Java-card bytecode verifiers using model-based testing. In: Johnsen, E.B., Petre, L. (eds.) IFM 2013. LNCS, vol. 7940, pp. 223–237. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  24. Sirer, E.G.: Testing Java virtual machines. In: International Conference on Software Testing and Review, San Jose, California, November 1999

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. THALES Communications and Security S.A.S, Parc Technologique du Canal, Campus 2 – Bat.A, 3 Avenue de l’Europe, 31400, Toulouse, France

    Julien Lancia

  2. Agence Nationale de la Sécurité des Systèmes d’Informations (ANSSI), 51, Boulevard de La Tour-Maubourg, 75700, Paris 07 SP, France

    Guillaume Bouffard

Authors
  1. Julien Lancia
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Guillaume Bouffard
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Guillaume Bouffard .

Editor information

Editors and Affiliations

  1. Tohoku University, Sendai, Japan

    Naofumi Homma

  2. NXP Semiconductors, Gratkorn, Austria

    Marcel Medwed

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Lancia, J., Bouffard, G. (2016). Java Card Virtual Machine Compromising from a Bytecode Verified Applet. In: Homma, N., Medwed, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2015. Lecture Notes in Computer Science(), vol 9514. Springer, Cham. https://doi.org/10.1007/978-3-319-31271-2_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-31271-2_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31270-5

  • Online ISBN: 978-3-319-31271-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation