Detecting Vulnerabilities in Java-Card Bytecode Verifiers Using Model-Based Testing

  • Aymerick Savary
  • Marc Frappier
  • Jean-Louis Lanet
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7940)


Java Card security is based on different elements among which the bytecode verifier is one of the most important. Finding vulnerabilities is a complex, tedious and error-prone task. In the case of the Java bytecode verifier, vulnerability tests are typically derived by hand. We propose a new approach to generate vulnerability test suites using model-based testing. Each instruction of the Java bytecode language is represented by an event of an Event-B machine, with a guard that denotes security conditions as defined in the virtual machine specification. We generate vulnerability tests by negating guards of events and generating traces with these faulty events using the ProB model checker. This approach has been applied to a subset of twelve instructions of the bytecode language and tested on five Java Card bytecode verifiers. Vulnerabilities have been found for each of them. We have developed a complete tool chain to support the approach and provide a proof of concept.


Model Based Testing Java Card bytecode Verifier Vulnerability Testing Security Event-B 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
    Basin, D., Friedrich, S., Posegga, J., Vogt, H.: Java bytecode verification by model checking. In: Halbwachs, N., Peled, D.A. (eds.) CAV 1999. LNCS, vol. 1633, pp. 491–494. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  4. 4.
    Bieber, P., Cazin, J., Girard, P., Lanet, J.L., Wiels, V., Zanon, G.: Checking secure interactions of smart card applets: Extended version. Journal of Computer Security 10(4), 369–398 (2002)Google Scholar
  5. 5.
    Casset, L.: Development of an embedded verifier for java card byte code using formal methods. In: Eriksson, L.-H., Lindsay, P.A. (eds.) FME 2002. LNCS, vol. 2391, pp. 290–309. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Coglio, A., Goldberg, A., Qian, Z.: Toward a provably-correct implementation of the JVM bytecode verifier. In: Proc. OOPSLA 1998 Workshop on Formal Underpinnings of Java, pp. 403–410 (1998)Google Scholar
  7. 7.
    Doyon, S.: On the security of Java: The Java Bytecode Verifier. Master’s thesis, Université Laval, Québec City, Canada (1999)Google Scholar
  8. 8.
    Faugeron, E.: How to hoax an off-card verifier. In: e-Smart, Sophia Antipolis, France, September 21-24. Strategies Telecoms & Multimedia, pp. 310–328 (2010)Google Scholar
  9. 9.
    Freund, S.N., Mitchell, J.C.: A type system for object initialization in the Java bytecode language. In: Freeman-Benson, B.N., Chambers, C. (eds.) ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages & Applications, pp. 310–327. ACM Press (1998)Google Scholar
  10. 10.
    Freund, S.N., Mitchell, J.C.: A formal framework for the Java bytecode language and verifier. In: Hailpern, B., Northrop, L.M., Berman, A.M. (eds.) ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages & Applications, pp. 147–166. ACM Press (1999)Google Scholar
  11. 11.
    Iguchi-Cartigny, J., Lanet, J.: Developing a Trojan applet in a Smart Card. Journal in Computer Virology 6, 343–351 (2010)CrossRefGoogle Scholar
  12. 12.
    Klein, G., Nipkow, T.: Verified lightweight bytecode verification. Concurrency and Computation: Practice and Experience 13(13), 1133–1151 (2001)zbMATHCrossRefGoogle Scholar
  13. 13.
    Klein, G., Nipkow, T.: Verified bytecode verifiers. Theor. Comput. Sci. 3(298), 583–626 (2003)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Lanet, J.L., Requet, A.: Formal proof of smart card applets correctness. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 14–16. Springer, Heidelberg (2000)Google Scholar
  15. 15.
    Leuschel, M., Butler, M.: ProB: An automated analysis toolset for the B method. International Journal on Software Tools for Technology Transfer 10(2), 185–203 (2008)CrossRefGoogle Scholar
  16. 16.
    Lindholm, T., Yellin, F.: Java Virtual Machine Specification, 2nd edn. Addison-Wesley Longman Publishing Co., Inc., Boston (1999)Google Scholar
  17. 17.
    Sun Microsystems: Connected, limited device configuration, specification 1.0a, Java 2 platform micro edition (2000)Google Scholar
  18. 18.
    Sun Microsystems: Virtual machine specification Java Card platform (May 2009),
  19. 19.
    Pusch, C.: Proving the soundness of a Java bytecode verifier specification in isabelle/HOL. In: Cleaveland, W.R. (ed.) TACAS 1999. LNCS, vol. 1579, pp. 89–103. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  20. 20.
    Qian, Z.: A formal specification of java-TM virtual machine instructions for objects, methods and subroutines. In: Alves-Foss, J. (ed.) Formal Syntax and Semantics of Java. LNCS, vol. 1523, pp. 271–312. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  21. 21.
    Stata, R., Abadi, M.: A type system for Java bytecode subroutines. In: MacQueen, D.B., Cardelli, L. (eds.) Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 1998, San Diego, CA, USA, January 19-21, pp. 149–160. ACM (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Aymerick Savary
    • 1
    • 2
  • Marc Frappier
    • 1
  • Jean-Louis Lanet
    • 2
  1. 1.University of SherbrookeCanada
  2. 2.University of LimogesFrance

Personalised recommendations