Abstract
Various attacks are designed to gain access to the assets of Java Card Platforms. These attacks use software, hardware or a combination of both. Manufacturers have improved their countermeasures to protect card assets from these attacks. In this paper, we attempt to gain access to assets of a recent Java Card Platform by combining various logical attacks. As we did not have any information about the internal structure of the targeted platform, we had to execute various attacks and analyze the results. Our investigation on the targeted Java Card Platform lead us to introduce two generic methods to gain access to the assets of Java Card Platforms. One of the new methods we present in this paper is based on the misuse of the Java Card API to build a type confusion and get access to the objects (including cryptographic keys) of a Java Card applet. The other method is a new approach to get access to the return address of the methods in Java Cards with Separate Stack countermeasure. We also propose a pattern that the targeted platform uses to store data and code of applets on the card plus the ability to read and write in the data and code area of the applets in different security contexts. These new attacks occur even in the presence of countermeasures such as Separate Stack for kernel and user data, indirect mapping for objects addressing and firewall mechanisms.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Barbu, G., Thiebeauld, H., Guerin, V.: Attacks on Java Card 3.0 combining fault and logical attacks. In: Smart Card Research and Advanced Application, pp. 148–163. Springer, Berlin (2010)
Barbu, G., Andouard, P., Giraud, C.: Dynamic fault injection countermeasure. In: Mangard, S. (ed.) Smart Card Research and Advanced Applications, Lecture Notes in Computer Science, vol. 7771, pp. 16–30. Springer, Berlin (2013). doi:10.1007/9783642372889_2
Barenghi, A., Breveglieri, L., Koren, I., Pelosi, G., Regazzoni, F.: Countermeasures against fault attacks on software implemented aes: effectiveness and cost. In: Proceedings of the 5th Workshop on Embedded Systems Security, WESS ’10, pp. 7:1–7:10. ACM, New York (2010). doi:10.1145/1873548.1873555
Bistarelli, S., Fioravanti, F., Peretti, P.: Defense trees for economic evaluation of security investments. In: The First International Conference on Availability, Reliability and Security, 2006. ARES 2006, IEEE (2006)
Bouffard, G.: A generic approach for protecting java card smart card against software attacks, Ph.D. thesis, University of Limoges, 123 Avenue Albert Thomas, 87060 LIMOGES CEDEX (2014)
Bouffard, G., Lanet, J.-L.: The next smart card nightmare - logical attacks, combined attacks, mutant applications and other funny things. In: Cryptography and Security: From Theory to Applications—Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday (2012)
Bouffard, G., Lanet, J.-L.: The ultimate control fow transfer in a Java based smart card. Comput. Secur. 50, 3346 (2015). doi:10.1016/j.cose.2015.01.004
Bouffard, G., Lackner, M., Lanet, J.-L., Loinig, J.: Heap ... Hop! Heap is also vulnerable. In: Joye, M., Moradi A. (eds.) Smart Card Research and Advanced Applications—13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014. Revised Selected Papers, Lecture Notes in Computer Science, vol. 8968, pp. 18–31. Springer, Berlin (2014). doi:10.1007/9783319167633_2
Bouissou, M., Bon, J.: A new formalism that combines advantages of faulttrees and markov models: Boolean logic driven markov processes. Rel. Eng. Syst. Saf. 82(2), 149163 (2003). doi:10.1016/S09518320(03)001431
Chen, Z.: Java Card Technology for Smart Cards: architecture and programmer’s guide. Addison-Wesley. https://books.google.co.uk/books?id=4WDj4H6pT50C (2000)
Common Criteria, Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model (2009) version 3.1, Revision 3 (CCMB-2009-07-001) (2009)
Dubreuil, J., Lanet, J.-L., Bouffard, G., Thampi, B.N.: Mitigating type confusion on Java Card. Int. J. Secure Softw. Eng. (IJSSE) 4(1), 19–39 (2013)
El-Idrissi, N.E.J., El-Hajji, S., Lanet, J.-L.: Countermeasures mitigation for designing rich shell code in Java Card. In: Codes, Cryptology, and Information Security - First International Conference, C2SI 2015, Rabat, Morocco, May 26-28, 2015, Proceedings—In Honor of Thierry Berger, pp. 149–161 (2015). doi:10.1007/9783319186818_12
Faugeron, E.: Manipulating the frame information with an underflow attack. In: Smart Card Research and Advanced Applications—12th International Conference, CARDIS 2013, Berlin, Germany, November 27- 29, 2013. Revised Selected Papers, pp. 140–151 (2013). doi:10.1007/9783319083025_10
Faugeron, E., Valette, S.: How to hoax an on-card verifier, Accepted Talk at e-Smart, vol. 10 (2010)
Hamadouche, S., Bouffard, G., Lanet, J.-L., Dorsemaine, B., Nouhant, B., Magloire, A., Reygnaud, A.: Subverting Byte Code Linker service to characterize Java Card API. In: Seventh Conference on Network and Information Systems Security (SAR-SSI), pp. 75–81 (2012)
Hogenboom, J., Mostowski, W.: Full memory read attack on a Java Card. In: 4th Benelux Workshop on Information and System Security Proceedings (WISSEC09) (2009)
Hubbers, E., Poll, E.: Transactions and Non-atomic api Calls in Java Card: Specification Ambiguity and Strange Implementation Behaviors. Radboud University Nijmegen, Nijmegen
Iguchi-Cartigny, J., Lanet, J.-L.: Developing a Trojan applets in a smart card. J. Comput. Virol. 6(4), 343–351 (2010). doi:10.1007/s11416-009-0135-3
Lancia, J., Bouffard, G.: Java Card virtual machine compromising from a byte code verified applet. In: Smart Card Research and Advanced Applications—14th International Conference, CARDIS 2015, Bochum (2015)
Laugier, B., Razafindralambo, T.: Misuse of frame creation to exploit stack underflow attacks on Java Card. In: Smart Card Research and Advanced Applications—14th International Conference, CARDIS 2015, Bochum (2015)
Mostowski, W.: Formal development of safe and secure java card applets, Tech. rep. (2005)
Mostowski, W., Poll, E.: Malicious code on java card smartcards: attacks and countermeasures. In: Grimaud, G., Standaert, F.-X. (eds.) Smart Card Research and Advanced Applications, Lecture Notes in Computer Science, vol. 5189, p. 116. Springer, Berlin (2008). doi:10.1007/9783540858935_1
Oracle, Java Card 3 Platform, Virtual Machine Specification, Classic Edition, no. Version 3.0.4, Oracle, Oracle America, Inc., Redwood City (2011)
Roy, A., Kim, D.S., Trivedi, K.S.: Attack countermeasure trees (act): towards unifying the constructs of attack and defense trees. Secur. Commun. Netw. 5(8), 929–943 (2012)
Schneier, B.: Attack trees. Dr. Dobb J. 24(12), 21–29 (1999)
Sun Microsystems, Java Card Platform Security, Technical White Paper, October 2001
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Farhadi, M., Lanet, JL. Chronicle of a Java Card death. J Comput Virol Hack Tech 13, 109–123 (2017). https://doi.org/10.1007/s11416-016-0276-0
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11416-016-0276-0