Evaluation of the Ability to Transform SIM Applications into Hostile Applications

  • Guillaume Bouffard
  • Jean-Louis Lanet
  • Jean-Baptiste Machemie
  • Jean-Yves Poichotte
  • Jean-Philippe Wary
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7079)


The ability of Java Cards to withstand attacks is based on software and hardware countermeasures, and on the ability of the Java platform to check the correct behavior of Java code (by using byte code verification). Recently, the idea of combining logical attacks with a physical attack in order to bypass byte code verification has emerged. For instance, correct and legitimate Java Card applications can be dynamically modified on-card using a laser beam. Such applications become mutant applications, with a different control flow from the original expected behaviour. This internal change could lead to bypass controls and protections and thus offer illegal access to secret data and operations inside the chip. This paper presents an evaluation of the application ability to become mutant and a new countermeasure based on the runtime checks of the application control flow to detect the deviant mutations.


Virtual Machine Smart Card Basic Block Mobile Network Operator Fault Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abadi, M., Erlingsson, M.B.U., Ligatti, J.: Control-flow integrity. In: CCS 2005: Proceedings of the 12th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, November 7-11, p. 340. Citeseer (2005)Google Scholar
  2. 2.
    Akkar, M.L., Goubin, L., Ly, O.: Automatic integration of counter-measures against fault injection attacks. Pre-print found (2003),
  3. 3.
    ANSSI. Protection Profile (U)SIM Java Card Platform Protection Profile - Basic Configuration, ANSSI-CC-PP-2010/04 12/07/2010. ANSSI (2010)Google Scholar
  4. 4.
    ANSSI. Protection Profile (U)SIM Java Card Platform Protection Profile - SCWS Configuration, ANSSI-CC-PP-2010/05, 12/07/2010. ANSSI (2010)Google Scholar
  5. 5.
    Aumuller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.P.: Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. Proceedings of the IEEE 94(2), 370–382 (2006)CrossRefGoogle Scholar
  7. 7.
    Barbu, G., Thiebeauld, H., Guerin, V.: Attacks on Java Card 3.0 Combining Fault and Logical Attacks. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 148–163. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Blomer, J., Otto, M., Seifert, J.P.: A new CRT-RSA algorithm secure against Bellcore attacks. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 311–320. ACM, New York (2003)CrossRefGoogle Scholar
  9. 9.
    Bouffard, G., Cartigny, J., Lanet, J.-L.: Combined Software and Hardware Attacks on the Java Card Control Flow. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 283–296. Springer, Heidelberg (2011)Google Scholar
  10. 10.
    ETSI. 3GPP TS 31.102, Technical Specification Group Core Network and Terminals. ETSI (2005)Google Scholar
  11. 11.
    Gadella, K.: Fault Attacks on Java Card (Masters Thesis). Master thesis, Universidade de Eindhoven (2005)Google Scholar
  12. 12.
    GP. Global platform official site (2010)Google Scholar
  13. 13.
    Hemme, L.: A Differential Fault Attack Against Early Rounds of (Triple-)DES. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 254–267. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Iguchi-Cartigny, J., Lanet, J.L.: Developing a trojan applet in a smart card. Journal in Computer Virology 6(4), 343–351 (2010)CrossRefGoogle Scholar
  15. 15.
    Oh, N., Shirvani, P.P., McCluskey, E.J., et al.: Control-flow checking by software signatures. IEEE Transactions on Reliability 51(1), 111–122 (2002)CrossRefGoogle Scholar
  16. 16.
    Piret, G., Quisquater, J.-J.: A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  17. 17.
    Reis, G.A., Chang, J., Vachharajani, N., Rangan, R., August, D.I.: Swift: Software implemented fault tolerance. In: Proceedings of the International Symposium on Code Generation and Optimization, pp. 243–254. IEEE Computer Society, Washington, DC, USA (2005)CrossRefGoogle Scholar
  18. 18.
    Scott, K., Davidson, J.: Safe virtual execution using software dynamic translation. In: Proceedings of the 18th Annual Computer Security Applications Conference, p. 209. Citeseer (2002)Google Scholar
  19. 19.
    Sere, A.A., Iguchi-Cartigny, J., Lanet, J.-L.: Automatic detection of fault attack and countermeasures. In: Proceedings of the 4th Workshop on Embedded Systems Security, pp. 1–7. ACM (2009)Google Scholar
  20. 20.
    Sere, A.A., Iguchi-Cartigny, J., Lanet, J.-L.: A path check detection mechanism for embedded systems. In: Proceedings of SecTech 2010, vol. 6485, pp. 459–469 (2010)Google Scholar
  21. 21.
    Skorobogatov, S.P., Anderson, R.J.: Optical Fault Induction Attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  22. 22.
    SunMicrosystems. Java Card 3.0.1 Specification. Sun Microsystems (2009)Google Scholar
  23. 23.
    Vetillard, E., Ferrari, A.: Combined Attacks and Countermeasures. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 133–147. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  24. 24.
    Wagner, D.: Cryptanalysis of a provably secure crt-rsa algorithm. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 92–97. ACM, New York (2004)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Guillaume Bouffard
    • 1
  • Jean-Louis Lanet
    • 1
  • Jean-Baptiste Machemie
    • 1
  • Jean-Yves Poichotte
    • 2
  • Jean-Philippe Wary
    • 2
  1. 1.SSD - XLIM LabsUniversity of LimogesLimogesFrance
  2. 2.Direction Fraud and Information SecuritySFRParis la DefenseFrance

Personalised recommendations