The Hell Forgery

Self Modifying Codes Shoot Again
  • Abdelhak Mesbah
  • Leo Regnaud
  • Jean-Louis Lanet
  • Mohamed Mezghiche
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10146)


We present in this paper a new approach to gaining access to the assets of a smart card. It is based on the concepts of reference forgery and array extension. We characterize the metadata of the objects and use a weakness in the system to retrieve this data. We are then able to generate arbitrary but well-formed references, which allow us to execute a self-modifying Java program inside the card. This hostile program is able to dump the complete Non-Volatile Memory (NVM) segment.
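The following toy model is an added illustration of the reference-forgery and array-extension idea the abstract describes; it is not the paper's code and does not reproduce the authors' method. It assumes a simplified object header (a one-byte type tag, a two-byte big-endian length, then the payload) on a flat memory image, and it does not model the real weakness used on the card to learn or overwrite metadata: the attacker here simply plants header-looking bytes inside an array payload he legitimately controls and then presents a reference to them. The constructed image, the secret blob and the allocation table are all sample data. The last function shows the check a VM needs, which is to validate a reference against the allocator's own record rather than against metadata read from memory.

```python
# Toy model of "array extension" via a forged reference on a flat memory image.
# Constructed illustration, not the paper's code: the object header layout
# (1-byte type tag, 2-byte big-endian length, then payload) is an assumption,
# and the real weakness used to learn/overwrite metadata is not modelled.
import struct

TYPE_BYTE_ARRAY = 0x11   # assumed type tag for a byte array
HEADER_SIZE = 3          # type (1) + length (2)


def build_image(size=256):
    """Build a constructed NVM image: an applet-owned 8-byte array at 0x80 and a
    'secret' blob at 0xC0 that the applet must never be able to read."""
    mem = bytearray(size)
    arr_ref = 0x80
    mem[arr_ref] = TYPE_BYTE_ARRAY
    struct.pack_into(">H", mem, arr_ref + 1, 8)
    mem[arr_ref + HEADER_SIZE:arr_ref + HEADER_SIZE + 8] = b"A" * 8
    secret = b"SECRET-KEY-0123456789AB"       # constructed sample data
    mem[0xC0:0xC0 + len(secret)] = secret
    return mem, arr_ref


def array_length(mem, ref):
    """Decode the length field of the header that `ref` points at."""
    if mem[ref] != TYPE_BYTE_ARRAY:
        raise TypeError("reference does not point at a byte array header")
    return struct.unpack_from(">H", mem, ref + 1)[0]


def read_array(mem, ref, nbytes):
    """Naive VM read: the bounds check trusts whatever length the header claims."""
    length = array_length(mem, ref)
    if nbytes > length:
        raise IndexError("read exceeds header length")
    start = ref + HEADER_SIZE
    if start + nbytes > len(mem):
        raise MemoryError("read exceeds memory image")
    return bytes(mem[start:start + nbytes])


def plant_fake_header(mem, arr_ref, claimed_len):
    """Use only legitimate writes into the applet's own array payload to lay down
    bytes that look like a well-formed header claiming `claimed_len` bytes.
    Returns the forged reference (the address of that fake header)."""
    fake_ref = arr_ref + HEADER_SIZE
    payload = bytes([TYPE_BYTE_ARRAY]) + struct.pack(">H", claimed_len)
    mem[fake_ref:fake_ref + len(payload)] = payload
    return fake_ref


def dump_via_forged_ref(mem, arr_ref):
    """Forge a reference whose header 'extends' the array to the end of memory and
    read everything after it, including data the applet does not own."""
    fake_ref = arr_ref + HEADER_SIZE
    claimed_len = len(mem) - (fake_ref + HEADER_SIZE)
    plant_fake_header(mem, arr_ref, claimed_len)
    return read_array(mem, fake_ref, claimed_len)


def checked_read(mem, ref, nbytes, allocations):
    """Hardened read: the reference must be one the allocator handed out and the
    header length must match the allocator's own record, so a header planted
    inside a payload is rejected no matter how well-formed it looks."""
    if ref not in allocations:
        raise ValueError("reference was never allocated")
    if array_length(mem, ref) != allocations[ref]:
        raise ValueError("header metadata does not match allocation record")
    return read_array(mem, ref, nbytes)


if __name__ == "__main__":
    mem, ref = build_image()
    dump = dump_via_forged_ref(mem, ref)
    print("forged read leaked the secret:", b"SECRET-KEY" in dump)
```

The point of the model is the asymmetry in the two readers: `read_array` derives trust from bytes at the referenced address, so any location the attacker can shape into a plausible header becomes a usable array; `checked_read` derives trust from state the attacker cannot write (the allocation table), which is what makes a well-formed but forged reference harmless.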


Keywords: Java Card, Logical attack, Reference forgery, Self-modifying code



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Abdelhak Mesbah (1)
  • Leo Regnaud (2)
  • Jean-Louis Lanet (3)
  • Mohamed Mezghiche (1)

  1. LIMOSE Laboratory, Computer Science Department, Faculty of Sciences, University Mohamed Bougara of Boumerdes, Boumerdes, Algeria
  2. University of Limoges, Limoges, France
  3. INRIA-RBA, LHS-PEC, Rennes, France
