Java Card Virtual Machine Compromising from a Bytecode Verified Applet

The Byte Code Verifier (BCV) is one of the most important security elements in the Java Card environment: applets must be verified prior to installation so that an ill-formed applet is never loaded onto the card. In this article, we disclose a flaw in the Oracle BCV that affects the applet linking process and can be exploited on real-world Java Card smart cards. We describe our exploitation of this flaw on a Java Card implementation, which makes it possible to inject arbitrary native malicious code into the communication buffer and execute it from a verified applet. This native execution allows snapshotting the smart card memory with OS rights.
