Abstract
The Java Card uses two components to ensure the security of its model. On the one hand, the byte code verifier (BCV) checks, during an applet installation, if the Java Card security model is ensured. This mechanism may not be present in the card. On the other hand, the firewall dynamically checks if there is no illegal access. This paper describes two attacks to modify the Java Card control flow and to execute our own malicious byte code. In the first attack, we use a card without embedded security verifier and we show how it is simple to change the return address of a current function. In the second attack, we consider the hypothesis that the card embeds a partial implementation of a BCV. With the help of a laser beam, we are able to change the execution flow.
Keywords
Download to read the full chapter text
Chapter PDF
References
Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.: Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)
Barbu, G., Thiebeauld, H., Guerin, V.: Attacks on Java Card 3.0 Combining Fault and Logical Attacks. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 148–163. Springer, Heidelberg (2010)
Global Platform: Card Specification v2.2 (2006)
Hemme, L.: A Differential Fault Attack Against Early Rounds of (Triple-) DES. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 254–267. Springer, Heidelberg (2004)
Hubbers, E., Poll, E.: Transactions and non-atomic API calls in Java Card: specification ambiguity and strange implementation behaviours. Dept. of Computer Science NIII-R0438, Radboud University Nijmegen (2004)
Iguchi-Cartigny, J., Lanet, J.: Developing a Trojan applet in a Smart Card. Journal in Computer Virology (2010)
Lanet, J.L., Bouffard, G., Machemie, J.B., Poichotte, J.Y., Wary, J.P.: Evaluation of the Ability to Transform SIM Application into Hostile Applications. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 1–17. Springer, Heidelberg (2011)
Oracle: Java Card Platform Specification
Piret, G., Quisquater, J.-J.: A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003)
Smart Secure Devices (SSD) Team – XLIM, Université de Limoges: OPAL: An Open Platform Access Library, http://secinfo.msi.unilim.fr/
Smart Secure Devices (SSD) Team – XLIM, Université de Limoges: The CAP file manipulator, http://secinfo.msi.unilim.fr/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Bouffard, G., Iguchi-Cartigny, J., Lanet, JL. (2011). Combined Software and Hardware Attacks on the Java Card Control Flow. In: Prouff, E. (eds) Smart Card Research and Advanced Applications. CARDIS 2011. Lecture Notes in Computer Science, vol 7079. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27257-8_18
Download citation
DOI: https://doi.org/10.1007/978-3-642-27257-8_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27256-1
Online ISBN: 978-3-642-27257-8
eBook Packages: Computer ScienceComputer Science (R0)