Abstract
Compiling Java Card applets is based on the assumption that export files used to translate Java class item to Java Card CAP tokens are legitimate. Bouffard et al. [2] reversed the translation mechanism. Based on malicious Application Programming Interface (API) embedded in a target, they succeeded in making a man-in-the-middle attack where cryptographic keys can leak.
In this article, we disclose that, on a pool of legitimate export files, Java Card Virtual Machine (JCVM) implementations can be confused by a CAP file verified by the Java Card Bytecode Verifier (BCV). The disclosed vulnerability leads to Java Card class hierarchy rewriting. The introduced vulnerability is exploitable up to Java Card 3.0.5. Recently, Java Card 3.1.0 provides a new export file format which prevents this vulnerability.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
The Java Card converter is included in the Java Card SDK available on the Oracle’s website: https://www.oracle.com/fr/java/technologies/java-card-tech.html.
References
Bouffard, G., Iguchi-Cartigny, J., Lanet, J.-L.: Combined software and hardware attacks on the Java card control flow. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 283–296. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-27257-8_18
Bouffard, G., Khefif, T., Lanet, J., Kane, I., Salvia, S.C.: Accessing secure information using export file fraudulence. In: Crispo, B., Sandhu, R.S., Cuppens-Boulahia, N., Conti, M., Lanet, J. (eds.) 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS), La Rochelle, France, 23–25 October 2013, pp. 1–5. IEEE (2013). https://doi.org/10.1109/CRiSIS.2013.6766346
Bouffard, G., Lanet, J.-L.: Reversing the operating system of a Java based smart card. J. Comput. Virol. Hacking Tech. 10(4), 239–253 (2014). https://doi.org/10.1007/s11416-014-0218-7
Bouffard, G., Lanet, J.: The ultimate control flow transfer in a Java based smart card. Comput. Secur. 50, 33–46 (2015). https://doi.org/10.1016/j.cose.2015.01.004
Faugeron, E.: Manipulating the frame information with an underflow attack. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 140–151. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08302-5_10
Faugeron, E., Valette, S.: How to hoax an off-card verifier. e-smart (2010)
GlobalPlatform: Card Specification. GlobalPlatform Inc., 2.2.1 edn. (January 2011)
Hamadouche, S., et al.: Subverting byte code linker service to characterize Java card API. In: 7th Conference on Network and Information Systems Security (SAR-SSI), 22–25 May 2012, pp. 75–81 (2012)
Hamadouche, S., Lanet, J.: Virus in a smart card: myth or reality? J. Inf. Secur. Appl. 18(2–3), 130–137 (2013). https://doi.org/10.1016/j.jisa.2013.08.005
Lancia, J.: Java card combined attacks with localization-agnostic fault injection. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 31–45. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37288-9_3
Lancia, J., Bouffard, G.: Java card virtual machine compromising from a bytecode verified applet. In: Homma, N., Medwed, M. (eds.) CARDIS 2015. LNCS, vol. 9514, pp. 75–88. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31271-2_5
Mostowski, W., Poll, E.: Malicious code on Java card smartcards: attacks and countermeasures. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 1–16. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85893-5_1
Oracle: Java Card Technology - Providing a secure and ubiquitous platform for smart cards. Technical report, Oracle, Security Evaluations, Oracle Corporation, 500 Oracle Parkway, Redwood Shores, CA 94065 (2012). www.oracle.com/technetwork/java/embedded/javacard/documentation/datasheet-149940.pdf
Oracle: Java Card 3 Platform, Virtual Machine Specification, Classic Edition. No. Version 3.0.5, Oracle, Oracle America Inc., 500 Oracle Parkway, Redwood City, CA 94065 (2015)
Oracle: Java card system - open configuration protection profile. Protection Profile versoin 3.0.5, Oracle, Security Evaluations, Oracle Corporation, 500 Oracle Parkway, Redwood Shores, CA 94065 (December 2017)
Oracle: Java Card 3 Platform, Virtual Machine Specification, Classic Edition. No. Version 3.1, Oracle, Oracle America Inc., 500 Oracle Parkway, Redwood City, CA 94065 (February 2021)
Razafindralambo, T., Bouffard, G., Lanet, J.-L.: A friendly framework for hidding fault enabled virus for Java based smartcard. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 122–128. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31540-4_10
Acknowledgments
A very special thanks to my wife, Marie-Philomène Dubreuil, who accompanied me during all these hours of work on this research topic. This attack is named after her.
Jean Dubreuil
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Dubreuil, J., Bouffard, G. (2022). PhiAttack. In: Grosso, V., Pöppelmann, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2021. Lecture Notes in Computer Science(), vol 13173. Springer, Cham. https://doi.org/10.1007/978-3-030-97348-3_15
Download citation
DOI: https://doi.org/10.1007/978-3-030-97348-3_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-97347-6
Online ISBN: 978-3-030-97348-3
eBook Packages: Computer ScienceComputer Science (R0)