Combined Software and Hardware Attacks on the Java Card Control Flow

  • Guillaume Bouffard
  • Julien Iguchi-Cartigny
  • Jean-Louis Lanet
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7079)


Java Card relies on two components to enforce its security model. On the one hand, the byte code verifier (BCV) checks, during applet installation, that the Java Card security model is respected. This mechanism may not be present on the card. On the other hand, the firewall checks dynamically that no illegal access occurs. This paper describes two attacks that modify the Java Card control flow and execute our own malicious byte code. In the first attack, we use a card without an embedded security verifier and show how simple it is to change the return address of the current function. In the second attack, we assume that the card embeds a partial implementation of a BCV. With the help of a laser beam, we are able to change the execution flow.


Java Card control flow laser Java Card Stack attack 



Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Guillaume Bouffard (1)
  • Julien Iguchi-Cartigny (1)
  • Jean-Louis Lanet (1)
  1. Smart Secure Devices (SSD) Team – XLIM Labs, Université de Limoges, Limoges, France
