Heap … Hop! Heap Is Also Vulnerable

  • Guillaume Bouffard
  • Michael Lackner
  • Jean-Louis Lanet
  • Johannes Loinig
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8968)


Several logical attacks against Java-based smart cards have been published recently. Most of them rely on the hypothesis that type verification is not performed, which allows a type confusion to be obtained dynamically. To mitigate such attacks, typed stacks have been introduced on recent smart cards. We propose here a new attack path for performing a type confusion even in the presence of a typed stack. We then propose, using Fault Tree Analysis, a way to design countermeasures efficiently in a top-down approach. These countermeasures are then evaluated on a Java Card virtual machine.


Java Card, Logical attack, Transient persistent heap, Counter measures



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Guillaume Bouffard (1, 2)
  • Michael Lackner (3)
  • Jean-Louis Lanet (4)
  • Johannes Loinig (5)

  1. University of Limoges, Limoges, France
  2. Agence Nationale de la Sécurité des Systèmes D’Informations, Paris 07 SP, France
  3. Institute for Technical Informatics, Graz University of Technology, Graz, Austria
  4. INRIA LHS-PEC, Rennes, France
  5. NXP Semiconductors Austria GmbH, Gratkorn, Austria
