Abstract
The Byte Code Verifier (BCV) is one of the most important security elements in the Java Card environment. Indeed, embedded applets must be verified prior to installation to prevent the loading of ill-formed applets. In this article, we disclose a flaw in the Oracle BCV which affects the applet linking process and can be exploited on real-world Java Card smartcards. We describe our exploitation of this flaw on a Java Card implementation, which enables injecting and executing arbitrary native malicious code in the communication buffer from a verified applet. This native execution allows snapshotting the smart card memory with OS rights.
Notes
1. The BCV included in the Java Card SDK 3.0.5u1 prevents the introduced attack. This version was released on 19 August 2015.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Lancia, J., Bouffard, G. (2016). Java Card Virtual Machine Compromising from a Bytecode Verified Applet. In: Homma, N., Medwed, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2015. Lecture Notes in Computer Science(), vol 9514. Springer, Cham. https://doi.org/10.1007/978-3-319-31271-2_5
DOI: https://doi.org/10.1007/978-3-319-31271-2_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31270-5
Online ISBN: 978-3-319-31271-2
eBook Packages: Computer Science (R0)