Load time code validation for mobile phone Java Cards

Over-the-air (OTA) application installation and updates have become a common experience for many end-users of mobile phones. In contrast, OTA updates for applications on secure elements (such as smart cards) are still hindered by demanding hardware and certification requirements. This paper describes a security framework for Java Card-based secure element applications. Each application declares a set of services it provides, a set of services it wishes to call, and its own security policy. An on-card checker verifies compliance and enforces the policy, so an off-card validation of the application is no longer required. The framework has been optimized so that it can be integrated with the run-time environment embedded in a concrete card; this integration has been tried and tested by a smart card manufacturer. We present the architecture of the framework and report the implementation footprint, which demonstrates that our solution fits on a real secure element. We also report the intricacies of integrating a research prototype with a real Java Card platform.
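The abstract describes the checker only at the level of contracts: each applet declares what it provides, what it calls, and who may call it, and an on-card checker decides at load time whether the card stays compliant. The following Python model is an added illustration of that decision, not the paper's framework and not the manufacturer's integration code. The applet identifiers, service names and the three rules it enforces (every call must resolve to a loaded provider that authorizes the caller; existing callers of a newly provided service must be authorized by the new applet's own policy; a service has exactly one provider) are assumptions of this model chosen to make the check concrete.

```python
"""Simplified model of a load-time contract checker for a multi-application
Java Card (added illustration; not the paper's framework or vendor code).

Each applet ships a contract: services it provides, services it wants to
call, and a policy naming which applets may call each of its services.
The checker answers one question when a new applet arrives: is the card
still compliant after it joins?  Applet AIDs and service names below are
constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class Contract:
    aid: str                              # applet identifier (constructed hex string)
    provides: frozenset = frozenset()     # service ids exported by this applet
    calls: frozenset = frozenset()        # service ids this applet wants to invoke
    # policy: service id -> set of applet AIDs authorized to call it.
    # A service absent from the policy is callable by nobody (deny by default).
    policy: dict = field(default_factory=dict)

    def allows(self, service, caller_aid):
        return caller_aid in self.policy.get(service, frozenset())


def check_load(card, new):
    """Decide whether applet `new` may join `card` (a list of Contracts).

    Returns a sorted list of violation strings; an empty list means compliant.
    Rules (assumptions of this model):
      1. every service `new` calls is provided by a loaded applet whose
         policy authorizes `new`;
      2. every loaded applet that calls a service `new` provides must be
         authorized by `new`'s own policy (loading cannot grant access silently);
      3. a service id has at most one provider on the card.
    """
    violations = []
    by_aid = {app.aid: app for app in card}
    provider_of = {svc: app.aid for app in card for svc in app.provides}

    for svc in sorted(new.calls):                       # rule 1
        owner = provider_of.get(svc)
        if owner is None:
            violations.append(f"{new.aid} calls {svc}, which no loaded applet provides")
        elif not by_aid[owner].allows(svc, new.aid):
            violations.append(f"{owner} does not authorize {new.aid} to call {svc}")

    for app in card:                                    # rule 2
        for svc in sorted(app.calls & new.provides):
            if not new.allows(svc, app.aid):
                violations.append(f"{new.aid} does not authorize {app.aid} to call {svc}")

    for svc in sorted(new.provides):                    # rule 3
        if svc in provider_of:
            violations.append(f"{svc} is already provided by {provider_of[svc]}")

    return sorted(violations)


def sample_card():
    """Constructed sample: a banking applet and a transit applet already loaded."""
    bank = Contract(aid="A0000000010001",
                    provides=frozenset({"bank.debit"}),
                    policy={"bank.debit": {"A0000000020002"}})       # only transit may debit
    transit = Contract(aid="A0000000020002",
                       provides=frozenset({"transit.ticket"}),
                       calls=frozenset({"bank.debit"}),
                       policy={"transit.ticket": {"A0000000030003"}})  # only loyalty may read tickets
    return [bank, transit]


def compliant_applet():
    """Loyalty applet that calls only what it is authorized to call."""
    return Contract(aid="A0000000030003",
                    provides=frozenset({"loyalty.points"}),
                    calls=frozenset({"transit.ticket"}),
                    policy={"loyalty.points": {"A0000000020002"}})


def rogue_applet():
    """Applet that calls bank.debit without authorization, calls a service
    nobody offers, and tries to re-provide transit.ticket."""
    return Contract(aid="A0000000040004",
                    provides=frozenset({"transit.ticket"}),
                    calls=frozenset({"bank.debit", "wallet.topup"}))


if __name__ == "__main__":
    card = sample_card()
    for applet in (compliant_applet(), rogue_applet()):
        result = check_load(card, applet)
        print(applet.aid, "ACCEPTED" if not result else "REJECTED")
        for v in result:
            print("  -", v)
```

Rule 2 is the one an off-card validator cannot cover on its own: whether an already-loaded applet's pending call becomes authorized depends on the policy of the applet being loaded, which is only known at load time, so the check has to run on the card.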
