Java Card Virtual Machine Compromising from a Bytecode Verified Applet

  • Julien Lancia
  • Guillaume BouffardEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9514)


The Byte Code Verifier (BCV) is one of the most important security element in the Java Card environment. Indeed, embedded applets must be verified prior installation to prevent ill-formed applet loading. In this article, we disclose a flaw in the Oracle BCV which affects the applet linking process and can be exploited on real world Java Card smartcards. We describe our exploitation of this flaw on a Java Card implementation that enables injecting and executing arbitrary native malicious code in the communication buffer from a verified applet. This native execution allows snapshotting the smart card memory with OS rights.


Java card Software attack BCV vulnerabilities 


  1. 1.
    Barbu, G., Duc, G., Hoogvorst, P.: Java card operand stack: fault attacks, combined attacks and countermeasures. In: Prouff, E. (ed.) [21], pp. 297–313 (2011)Google Scholar
  2. 2.
    Barbu, G., Thiebeauld, H., Guerin, V.: Attacks on java card 3.0 combining fault and logical attacks. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 148–163. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Berlach, R., Lackner, M., Steger, C., Loinig, J., Haselsteiner, E.: Memory-efficient on-card byte code verification for Java cards. In: Proceedings of the First Workshop on Cryptography and Security in Computing Systems, CS2 2014, pp. 37–40. ACM, New York (2014)Google Scholar
  4. 4.
    Bouffard, G.: A generic approach for protecting Java card smart card against software attacks. Ph.D. thesis, University of Limoges, Limoges, France, October 2014Google Scholar
  5. 5.
    Bouffard, G., Iguchi-Cartigny, J., Lanet, J.: Combined software and hardware attacks on the java card control flow. In: Prouff, E. (ed.) [21], pp. 283–296Google Scholar
  6. 6.
    Bouffard, G., Lanet, J.: The ultimate control flow transfer in a Java based smart card. Comput. Secur. 50, 33–46 (2015)CrossRefGoogle Scholar
  7. 7.
    Calvagna, A., Fornaia, A., Tramontana, E.: Combinatorial interaction testing of a Java card static verifier. In: 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation, Workshops Proceedings, March 31 - April 4, 2014, Cleveland, Ohio, USA, pp. 84–87. IEEE Computer Society (2014)Google Scholar
  8. 8.
    Calvagna, A., Tramontana, E.: Automated conformance testing of Java virtual machines. In: Barolli, L., Xhafa, F., Chen, H., Gómez-Skarmeta, A.F., Hussain, F. (eds.) Seventh International Conference on Complex, Intelligent, and Software Intensive Systems, CISIS 2013, Taichung, Taiwan, July 3–5, 2013, pp. 547–552. IEEE Computer Society (2013)Google Scholar
  9. 9.
    Casset, L.: Development of an embedded verifier for Java card byte code using formal methods. In: Eriksson, L.-H., Lindsay, P.A. (eds.) FME 2002. LNCS, vol. 2391, pp. 290–309. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Faugeron, E.: Manipulating the frame information with an underflow attack. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 140–151. Springer, Heidelberg (2014)Google Scholar
  11. 11.
    Faugeron, E., Valette, S.: How to hoax an off-card verifier. e-smart (2010)Google Scholar
  12. 12.
    Hamadouche, S.: Étude de la sécurité dun vérifieur de Byte Code et génération de tests de vulnérabilité. Master’s thesis, University M’Hamed Bougara of Boumerdes, Faculty of Sciences, LIMOSE Laboratory, 5 Avenue de l’indpendance, 35000 Boumerdes, Algeria (2012)Google Scholar
  13. 13.
    Hamadouche, S., Bouffard, G., Lanet, J.L., Dorsemaine, B., Nouhant, B., Magloire, A., Reygnaud, A.: Subverting byte code linker service to characterize Java card API. In: Seventh Conference on Network and Information Systems Security (SAR-SSI), pp. 75–81, May 22rd to 25th 2012Google Scholar
  14. 14.
    Hamadouche, S., Lanet, J.: Virus in a smart card: myth or reality? J. Inf. Secur. Appl. 18(2–3), 130–137 (2013)Google Scholar
  15. 15.
    Lancia, J.: Java card combined attacks with localization-agnostic fault injection. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 31–45. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  16. 16.
    Leroy, X.: Bytecode verification on Java smart cards. Softw. Pract. Exper. 32(4), 319–340 (2002)CrossRefzbMATHGoogle Scholar
  17. 17.
    Liang, S.: The Java Native Interface: Programmer’s Guide and Specification, 1st edn. Addison-Wesley Professional, Reading (1999)Google Scholar
  18. 18.
    Lindholm, T., Yellin, F., Bracha, G., Buckley, A.: The Java Virtual Machine Specification: Java Series. Addison-Wesley, Reading (2014)Google Scholar
  19. 19.
    Mostowski, W., Poll, E.: Malicious code on java card smartcards: attacks and countermeasures. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 1–16. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  20. 20.
    Oracle: Java Card 3 Platform, Virtual Machine Specification, Classic Edition. No. Version 3.0.5, Oracle, Oracle America Inc, 500 Oracle Parkway, Redwood City, CA 94065 (2015)Google Scholar
  21. 21.
    Prouff, E. (ed.): CARDIS 2011. LNCS, vol. 7079. Springer, Heidelberg (2011)Google Scholar
  22. 22.
    Razafindralambo, T., Bouffard, G., Lanet, J.-L.: A friendly framework for hidding fault enabled virus for Java based smartcard. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 122–128. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  23. 23.
    Savary, A., Frappier, M., Lanet, J.-L.: Detecting vulnerabilities in Java-card bytecode verifiers using model-based testing. In: Johnsen, E.B., Petre, L. (eds.) IFM 2013. LNCS, vol. 7940, pp. 223–237. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  24. 24.
    Sirer, E.G.: Testing Java virtual machines. In: International Conference on Software Testing and Review, San Jose, California, November 1999Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.THALES Communications and Security S.A.S, Parc Technologique du CanalToulouseFrance
  2. 2.Agence Nationale de la Sécurité des Systèmes d’Informations (ANSSI)Paris 07 SPFrance

Personalised recommendations