Skip to main content
Log in

Reversing the operating system of a Java based smart card

  • Original Paper
  • Published:
Journal of Computer Virology and Hacking Techniques Aims and scope Submit manuscript

Abstract

Attacks on smart cards can only be based on a black box approach where the code of cryptographic primitives and operating system are not accessible. To perform hardware or software attacks, a white box approach providing access to the binary code is more efficient. In this paper, we propose a methodology to discover the romized code whose access is protected by the virtual machine. It uses a hooked code in an indirection table. We gained access to the real processor, thus allowing us to run a shell code written in 8051 assembly language. As a result, this code has been able to dump completely the ROM of a Java Card operating system. One of the issues is the possibility to reverse the cryptographic algorithm and all the embedded countermeasures. Finally, our attack is evaluated on different cards from distinct manufacturers.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

Notes

  1. Application programming interface.

  2. Writing in EEPROM needs to erase which is time consuming.

  3. The targeted card has not hidden mechanism for address.

  4. This function returns a value depending to the start offset of the output buffer plus the length of the copied data.

  5. Complex instruction set computer (CISC) is an architecture where each instruction can be executed with several low-level operations.

References

  1. Agoyan, M., Dutertre, J.M., Naccache, D., Robisson, B., Tria, A.: When clocks fail: on critical paths and clock faults. In: Gollmann, D., Lanet, J.L., Iguchi-Cartigny, J. (eds.) Smart Card Research and Advanced Application, Lecture Notes in Computer Science, vol. 6035, pp. 182–193. Springer, Berlin Heidelberg (2010). doi:10.1007/978-3-642-12510_213

  2. Aranda, F.X., Lanet, J.L.: Smart card reverse-engineering binary code execution using side-channel analysis. Thorie des Nombres, Codes, Cryptographie et Systmes de Communication (NTCCCS) (2012)

  3. Aumller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.P.: Fault attacks on RSA with CRT: concrete results and practical countermeasures. In: Kaliski, B., Ko, E., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2002, Lecture Notes in Computer Science, vol. 2523, pp. 81–95. Springer, Berlin Heidelberg (2003). doi:10.1007/3-540-36400-5_20

  4. Barbu, G.: On the security of Java Card™ platforms against hardware attacks. Ph.D. thesis, Grant-funded with Oberthur Technologies and Télécom ParisTech (2012)

  5. Barbu, G., Duc, G.: Java Card operand stack: fault attacks, combined attacks and countermeasures. In: Prouff, E. (ed.) Smart Card Research and Advanced Applications, Lecture Notes in Computer Science, pp. 297–313. Springer, Berlin Heidelberg (2011). doi:10.1007/978-3-642-27257-8_19

  6. Barbu, G., Giraud, C., Guerin, V.: Embedded eavesdropping on Java Card. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) Information Security and Privacy Research, IFIP Advances in Information and Communication Technology, vol. 376. Springer, Berlin Heidelberg (2012). doi:10.1007/978-3-642-30436-1_4

  7. Barbu, G., Hoogvorst, P., Duc, G.: Application-replay attack on Java Cards: when the garbage collector gets confused. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) Engineering Secure Software and Systems, Lecture Notes in Computer Science, vol. 7159, pp. 1–13. Springer, Berlin Heidelberg (2012). doi:10.1007/978-3-642-28166-2_1

  8. Barbu, G., Thiebeauld, H., Guerin, V.: Attacks on Java Card 3.0 combining fault and logical attacks. In: Gollmann, D., Lanet, J.L., Iguchi-Cartigny, J. (eds.) Smart Card Research and Advanced Application, Lecture Notes in Computer Science, vol. 6035, pp. 148–163. Springer, Berlin Heidelberg (2010). doi:10.1007/978-3-642-12510-2_11

  9. Bouffard, G., Iguchi-Cartigny, J., Lanet, J.L.: Combined software and hardware attacks on the Java Card control flow. In: Prouff, E. (ed.) Smart Card Research and Advanced Applications, Lecture Notes in Computer Science, vol. 7079, pp. 283–296. Springer, Berlin Heidelberg (2011). doi:10.1007/978-3-642-27257-8_18

  10. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES, Lecture Notes in Computer Science, vol. 3156, pp. 16–29. Springer, Berlin Hidelberg (2004). doi:10.1007/978-3-540-28632-5_2

  11. Clavier, C., Isorez, Q., Wurcker, A.: Complete SCARE of AES-like block ciphers by chosen plaintext collision power analysis. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT, Lecture Notes in Computer Science, vol. 8250, pp. 116–135. Springer, berlin Hidelberg (2013). doi:10.1007/978-3-319-03515-4_8

  12. Clavier, C., Wurcker, A.: Reverse engineering of a secret AES-like cipher by ineffective fault analysis. In: Fischer and Schmidt [15], pp. 119–128. doi:10.1109/FDTC.2013.16

  13. Daudigny, R., Ledig, H., Muller, F., Valette, F.: SCARE of the DES. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) Applied Cryptography and Network Security, Lecture Notes in Computer Science, vol. 3531, pp. 19–33. Springer, Berlin Heidelberg (2005). doi:10.1007/11496137_27

  14. Faugeron, E.: Manipulating the frame information with an underflow attack. In: CARDIS 2013 (2013)

  15. Fischer, W., Schmidt, J.M. (eds.): 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, Los Alamitos, CA, USA, August 20, 2013. IEEE (2013)

  16. Friedman, W.F.: The index of coincidence and its applications in cryptography. Cryptographic Series. Aegean Park Press (1996)

  17. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Ko, C.C., Naccache, D., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems ” CHES 2001, Lecture Notes in Computer Science, vol. 2162, pp. 251–261. Springer, Berlin Heidelberg (2001). doi:10.1007/3-540-44709-1_21

  18. GlobalPlatform: Card Specification. In: GlobalPlatform, 2.2.1 edn. GlobalPlatform Inc. (2011)

  19. Hamadouche, S., Bouffard, G., Lanet, J.L., Dorsemaine, B., Nouhant, B., Magloire, A., Reygnaud, A.: Subverting Byte Code Linker service to characterize Java Card API. In: Seventh Conference on Network and Information Systems Security (SAR-SSI), pp. 75–81 (2012)

  20. Hex Rays, S.: IDA Pro Disassembler and Debugger

  21. Huang, H., Quan, G., Fan, J.: Leakage temperature dependency modeling in system level analysis. In: ISQED, pp. 447–452. IEEE (2010). doi:10.1109/ISQED.2010.5450539

  22. Hubbers, E., Poll, E.: Transactions and non-atomic API calls in Java Card: specification ambiguity and strange implementation behaviours. University of Nijmegen (2004)

  23. Iguchi-Cartigny, J., Lanet, J.L.: Developing a trojan applets in a Smart Card. J. Comput. Virol. 6, 343–351 (2010). doi:10.1007/s11416-009-0135-3

    Article  Google Scholar 

  24. Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) Advances in Cryptology - CRYPTO’96, Lecture Notes in Computer Science, vol. 1109, pp. 104–113. Springer, Berlin Heidelberg (1996). doi:10.1007/3-540-68697-5_9

  25. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) Advances in Cryptology - CRYPTO’99, Lecture Notes in Computer Science, vol. 1666, pp. 789–789. Springer, Berlin Heidelberg (1999). doi:10.1007/3-540-48405-1_25

  26. Kömmerling, O., Kuhn, M.G.: Design principles for tamper-resistant smartcard processors. Proceedings of the USENIX Workshop on Smartcard Technology on USENIX Workshop on Smartcard Technology. WOST’99, pp. 2–2. USENIX Association, Berkeley, CA, USA (1999)

  27. Meterelliyoz, M., Kulkarni, J.P., Roy, K.: Analysis of SRAM and eDRAM cache memories under spatial temperature variations. Comput. Aided Design Integrated Circuits Syst., IEEE Trans. On 29(1), 2–13 (2009). doi:10.1109/TCAD.2009.2035535

    Article  Google Scholar 

  28. Circuits, O., Ral, D., Guilley, S., Flament, F., Danger, J.L., Valette, F.: Characterization of the Electromagnetic Side Channel in Frequency Domain. In: Lai, X., Yung, M., D, D. (eds.) Information Security and Cryptology, Lecture Notes in Computer Science, vol. 6584, pp. 471–486. Springer, Berlin Heidelberg (2011). doi:10.1007/978-3-642-21518-6_33

  29. Moro, N., Dehbaoui, A., Heydemann, K., Robisson, B., Encrenaz, E.: Electromagnetic fault injection: towards a fault model on a 32-bit Microcontroller. In: Fischer, W., Schmidt, J.M. (eds.) FDTC. Workshop on Fault Diagnosis and Tolerance in Cryptography, Los Alamitos, CA, USA, August 20, 2013, pp. 77–88. IEEE (2013). doi:10.1109/FDTC.2013.9

  30. Oracle: Java Card 3 Platform, Virtual Machine Specification, Classic Edition. Version 3.0.4. Oracle, Oracle America Inc, 500 Oracle Parkway, Redwood City, CA 94065 (2011)

  31. Quisquater, J., Samyde, D.: Eddy current for magnetic analysis with active sensor. In: Proceedings of E-Smart (2002)

  32. Quisquater, J.J., Samyde, D.: Electromagnetic analysis (EMA): measures and counter-measures for Smart Cards. In: Attali, I., Jensen, T. (eds.) Smart Card Programming and Security, Lecture Notes in Computer Science, vol. 2140, pp. 200–210. Springer, Berlin Heidelberg (2001). doi:10.1007/3-540-45418-7_17

  33. Razafindralambo, T., Bouffard, G., Lanet, J.: A friendly framework for hidding fault enabled virus for Java based smartcard. In: Nora Cuppens-Boulahia Frédéic Cuppens, J.G.A. (ed.) Data and Applications Security and Privacy XXVI, Lecture Notes in Computer Science, vol. 7371, pp. 122–128. Springer, Berlin Heidelberg (2012). doi:10.1007/978-3-642-31540-4

    Chapter  Google Scholar 

  34. Razafindralambo, T., Bouffard, G., Thampi, B.N., Lanet, J.L.: A Dynamic Syntax Interpretation for Java Based Smart Card to Mitigate Logical Attacks. In: Thampi, S.M., Zomaya, A.Y., Strufe, T., Calero, J.M.A., Thomas, T. (eds.) SNDS, Communications in Computer and Information Science, vol. 335, pp. 185–194. Springer, Trivandrum (2012). doi:10.1007/978-3-642-34135-9_19

  35. Savary, A., Frappier, M., Lanet, J.: Automatic Generation of Vulnerability Tests for the Java Card Byte Code Verifier. In: Network and Information Systems Security (SAR-SSI), 2011 Conference on, pp. 1–7 (2011). doi:10.1109/SAR-SSI.2011.5931379

  36. Savary, A., Frappier, M., Lanet, J.L.: Detecting Vulnerabilities in Java-Card Bytecode Verifiers Using Model-Based Testing. In: Johnsen, E., Petre, L. (eds.) Integrated Formal Methods, Lecture Notes in Computer Science, vol. 7940, pp. 223–237. Springer, Berlin Heidelberg (2013). doi:10.1007/978-3-642-38613-8_16

  37. Schmidt, J., Hutter, M.: Optical and EM fault-attacks on crt-based RSA: Concrete results. In: Proceedings of the Austrochip, pp. 61–67. Citeseer (2007).

  38. Skorobogatov, S.P., Anderson, R.: Optical Fault Induction Attacks. In: Kaliski, B., Ko, E., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2002, vol. 2523, pp. 31–48. Springer, Berlin Heidelberg (2003). doi:10.1007/3-540-36400-5_2

  39. Standard, S.H.: Federal information processing standard publication# 180. US Department of Commerce, National Institute of Standards and Technology 56, 57–71 (1993)

    Google Scholar 

  40. Vermoen, D.: Reverse engineering of Java Card applets using power analysis. Master’s thesis, Faculty of Electrical Engineering, Mathematics and Computer Science, Delft University of Technology, Computer Engineering, Mekelweg 4, 2628 CD Delft, The Netherlands (2006).

  41. Viraraghavan, J., Amrutur, B., Visvanathan, V.: Voltage and Temperature Aware Statistical Leakage Analysis Framework Using Artificial Neural Networks. IEEE Trans. on CAD of Integrated Circuits and Systems 29(7), 1056–1069 (2010). doi:10.1109/TCAD.2010.2049059

Download references

Acknowledgments

The authors would thank to Julien Boutet for his contribution during this work.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Guillaume Bouffard.

Appendices

Native code in the EEPROM area

figure o

Native code to dump ROM area

figure p

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Bouffard, G., Lanet, JL. Reversing the operating system of a Java based smart card. J Comput Virol Hack Tech 10, 239–253 (2014). https://doi.org/10.1007/s11416-014-0218-7

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-014-0218-7

Keywords

Navigation