International Journal of Information Security

, Volume 17, Issue 4, pp 395–409 | Cite as

When time meets test

  • Jean-Louis LanetEmail author
  • Hélène Le Bouder
  • Mohammed Benattou
  • Axel Legay
Regular Contribution


One of the main challenges in system’s development is to give a proof of evidence that its functionalities are correctly implemented. This objective is mostly achieved via testing techniques, which include software testing to check whether a system meets its functionalities, or security testing to express what should not happen. For the latter case, fuzzing is considered as first class citizen. It consists in exercising the system with (randomly) generated and eventually modified inputs in order to test its resistance. While fuzzing is definitively the fastest and the easiest way for testing applications, it suffers from severe limitations. Indeed, the precision of the model used for input generation: a random and/or simple model cannot reach all states and significant values. Moreover, a higher model precision can result in a combinatorial explosion of test cases. In this paper, we suggest a new approach whose main ingredient is to combine timing attacks with fuzzing techniques. This new approach, which is dedicated to work on Java Card, allows not only reducing the test space explosion, but also to simplify the fuzzing process configuration. The technique has been implemented, and we present the results obtained on two applets loaded in a Java Card.


Security Software testing Fuzzing Timing attacks Smart card Java Card 


  1. 1.
    Jorgensen, P.C.: Software Testing: A Craftsman’s Approach. CRC press, Boca Raton (2013)zbMATHGoogle Scholar
  2. 2.
    Myers, G.J., Sandler, C., Badgett, T.: The Art of Software Testing. Wiley, New York (2011)Google Scholar
  3. 3.
    Baresel, A., Pohlheim, H., Sadeghipour, S.: Structural and functional sequence test of dynamic and state-based software with evolutionary algorithms. In: Genetic and Evolutionary Computation–GECCO 2003, pp. 2428–2441. Springer, Berlin (2003)Google Scholar
  4. 4.
    Utting, M., Legeard, B.: Practical Model-Based Testing: A Tools Approach. Morgan Kaufmann Publishers Inc., San Francisco (2007)Google Scholar
  5. 5.
    Amoroso, E.G.: Fundamentals of Computer Security Technology. Prentice-Hall Inc, Upper Saddle River (1994)zbMATHGoogle Scholar
  6. 6.
    Robling, D., Dorothy, E.: Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc, Boston (1982)zbMATHGoogle Scholar
  7. 7.
    Bishop, M., Bailey, D.: A critical analysis of vulnerability taxonomies. Technical report, DTIC Document (1996)Google Scholar
  8. 8.
    Takanen, A., DeMott, J., Miller, C.: Fuzzing for Software Security Testing and Quality Assurance, 1st edn. Artech House Inc, Norwood (2008)zbMATHGoogle Scholar
  9. 9.
    Takanen, A.: Fuzzing: the past, the present and the future. SSTIC (2009)Google Scholar
  10. 10.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31. Springer, Berlin (2008)zbMATHGoogle Scholar
  11. 11.
    Mangard, S.: A simple power-analysis (SPA) attack on implementations of the AES key expansion. In: Information Security and Cryptology–ICISC 2002, pp. 343–358. Springer, Berlin (2003)Google Scholar
  12. 12.
    Quisquater, J-J., Samyde, D.: Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In: Smart Card Programming and Security, pp. 200–210. Springer, Berlin (2001)Google Scholar
  13. 13.
    Kocher, P.C..: Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In: Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’96, pp. 104–113, London, UK. Springer, Berlin (1996)Google Scholar
  14. 14.
    Dhem, J.-F., Koeune, F., Leroux, P.-A., Mestré, P., Quisquater, J.-J., Willems, J.-L.: A practical implementation of the timing attack. In: International Conference on Smart Card Research and Advanced Applications, pp. 167–182. Springer, Berlin (1998)Google Scholar
  15. 15.
    Foo Kune, D., Kim, Y.: Timing attacks on pin input devices. In: Proceedings of the 17th ACM conference on Computer and communications security, pp. 678–680. ACM (2010)Google Scholar
  16. 16.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. In Proceedings of the 12th USENIX Security Symposium, pp. 1–14 (2003)Google Scholar
  17. 17.
    Bernstein, D.J.: Cache-timing attacks on AES (2005)Google Scholar
  18. 18.
    Felten, E.W., Schneider, M.A.: Timing attacks on web privacy. In: Proceedings of the 7th ACM Conference on Computer and Communications Security. CCS ’00, pp. 25–32. NY, USA, ACM, New York (2000)Google Scholar
  19. 19.
    Putt, B., Putt, E., Lanet, J.-L.: Using side channel information for improving data partitioning strategy to test smart cards. In: SAR-SSI conference (2014)Google Scholar
  20. 20.
    Common Criteria. Common Criteria for Information Technology Security Evaluation-version 3.0 Rev. 2 (2005)Google Scholar
  21. 21.
    Integrated circuit card specifications for payment systems, book 3 : application specification, version 4.3 ed., emvco.
  22. 22.
    Haller, I., Slowinska, A., Neugschwandtner, M., Bos, H.: Dowsing for overflows: a guided fuzzer to find buffer boundary violations. In: Proceedings of the 22Nd USENIX Conference on Security, SEC’13, pp. 49–64 (2013)Google Scholar
  23. 23.
    Eddington, M.: Peach fuzzing platform 3 (2004).
  24. 24.
    Amini, P.: Sulley fuzzing platform (2004).
  25. 25.
    Barreaud, M., Bouffard, G., Kamel, N., Lanet, J.-L.: Fuzzing on the http protocol implementation in mobile embedded web server. In: Caesar (2011)Google Scholar
  26. 26.
    Lancia, J.: Un framework de fuzzing pour cartes a puce: application aux protocoles. SSTIC (2011)Google Scholar
  27. 27.
    Guyot, V.: Smart card the invisible bullet. In: Proceeding of the 9th European Conference on Information Warfare and Security (2010)Google Scholar
  28. 28.
    Alimi, V.: Contribution au déploiement des services mobiles et à l’analyse de la sécurité des transactions. Ph.D. thesis, University of Caen, France (2012)Google Scholar
  29. 29.
    Richardson, D.J., Clarke, L.A.: Partition analysis: a method combining testing and verification. IEEE Trans. Softw. Eng. 11(12), 1477–1490 (1985)CrossRefGoogle Scholar
  30. 30.
    Ostrand, T.J., Balcer, M.J.: The category-partition method for specifying and generating functional tests. Commun. ACM 31(6), 676–686 (1988)CrossRefGoogle Scholar
  31. 31.
    Martignoni, L., Paleari, R., Roglia, G.F., Bruschi, D.: Testing cpu emulators. In: Proceedings of the eighteenth International Symposium on Software testing and analysis, pp. 261–272. ACM (2009)Google Scholar
  32. 32.
    Yang, X., Chen, Y., Eide, E., Regehr, J.: Finding and understanding bugs in c compilers. In: Mary, W.H., David, A.P. (eds.) PLDI, pp. 283–294. ACM, New York (2011)Google Scholar
  33. 33.
    Gauthier, A., Mazin, C., Iguchi-Cartigny, J., Lanet, J.-L.: Enhancing fuzzing technique for okl4 syscalls testing. In: ARES, pp. 728–733. IEEE (2011)Google Scholar
  34. 34.
    Kasmi, M.A., Azizi, M., Lanet, J.-L.: Reversing bytecode of obfuscated java based smart card using side chanel analysis. Int J Secur Appl 9(11), 347–356 (2015)Google Scholar
  35. 35.
    Jacoco java code coverage.

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  • Jean-Louis Lanet
    • 1
    Email author
  • Hélène Le Bouder
    • 1
  • Mohammed Benattou
    • 2
  • Axel Legay
    • 1
  1. 1.INRIA-RBA, LHS-PECRennesFrance
  2. 2.Laboratoire LARITUniversité Ibn TofailKenitraMorocco

Personalised recommendations