Application-Replay attack on java cards: when the garbage collector gets confused

Authors:
Guillaume Barbu;Philippe Hoogvorst;Guillaume Duc
Affiliations:
Département COMELEC, Institut Télécom / Télécom ParisTech, CNRS LTCI, Paris Cedex 13, France;Département COMELEC, Institut Télécom / Télécom ParisTech, CNRS LTCI, Paris Cedex 13, France;Département COMELEC, Institut Télécom / Télécom ParisTech, CNRS LTCI, Paris Cedex 13, France
Venue:
ESSoS'12 Proceedings of the 4th international conference on Engineering Secure Software and Systems
Year:
2012

Citing 7
Cited 1

Using Memory Errors to Attack a Virtual Machine

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Malicious Code on Java Card Smartcards: Attacks and Countermeasures

CARDIS '08 Proceedings of the 8th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Developing a Trojan applets in a smart card

Journal in Computer Virology
Combined attacks and countermeasures

CARDIS'10 Proceedings of the 9th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Application
Attacks on java card 3.0 combining fault and logical attacks

CARDIS'10 Proceedings of the 9th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Application
Combined software and hardware attacks on the java card control flow

CARDIS'11 Proceedings of the 10th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Java card operand stack: fault attacks, combined attacks and countermeasures

CARDIS'11 Proceedings of the 10th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications

Load time code validation for mobile phone Java Cards

Journal of Information Security and Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Java Card 3.0 specifications have brought many new features in the Java Card world, amongst which a true garbage collection mechanism. In this paper, we show how one could use this specific feature to predict the references that will be assigned to object instances to be created. We also exploit this reference prediction process in a combined attack. This attack stands as a kind of "application replay" attack, taking advantage of an unspecified behavior of the Java Card Runtime Environment (JCRE) on application instance deletion. It reveals quite powerful, since it potentially permits the attacker to circumvent the application firewall: a fundamental and historical Java Card security mechanism. Finally, we point out that this breach comes from the latest specification update and more precisely from the introduction of the automatic garbage collection mechanism, which leads to a straightforward countermeasure to the exposed attack.