Abstract
The Byte Code Verifier (BCV) is one of the most important security elements in the Java Card environment. Indeed, embedded applets must be verified prior to installation to prevent ill-formed applets from being loaded. In this article, we disclose a flaw in the Oracle BCV which affects the applet linking process and can be exploited on real-world Java Card smartcards. We describe our exploitation of this flaw on a Java Card implementation that enables injecting and executing arbitrary native malicious code in the communication buffer from a verified applet. This native execution allows snapshotting the smart card memory with OS rights.
Notes
1. The BCV included in the Java Card SDK 3.0.5u1 prevents the introduced attack. This version was released on 19 August 2015.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Lancia, J., Bouffard, G. (2016). Java Card Virtual Machine Compromising from a Bytecode Verified Applet. In: Homma, N., Medwed, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2015. Lecture Notes in Computer Science, vol 9514. Springer, Cham. https://doi.org/10.1007/978-3-319-31271-2_5
DOI: https://doi.org/10.1007/978-3-319-31271-2_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31270-5
Online ISBN: 978-3-319-31271-2
eBook Packages: Computer Science, Computer Science (R0)