jcat
play

JCAT An environment for attack and test on TM Java Card Serge - PowerPoint PPT Presentation

Feb 07, 2024 •115 likes •339 views

Laboratoire Bordelais de CCCT03 & ISAS03 Recherche en Informatique Equipe : Syst` emes et Objets Distribu es JCAT An environment for attack and test on TM Java Card Serge Chaumette , Iban Hatchondo , Damien Sauveron Damien

  1. Laboratoire Bordelais de CCCT’03 & ISAS’03 Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es JCAT An environment for attack and test on TM Java Card Serge Chaumette , Iban Hatchondo , Damien Sauveron Damien Sauveron sauveron@labri.fr 2 nd august 2003 http:/www.labri.fr/~sauveron/

  2. Laboratoire Bordelais de Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Plan 1) The Java Card Security project 3) JCAT Tools ➤ Context of our work ➤ Overview ➤ Partners ➤ Why developping JCAT Tools? 2) Java Card ➤ JCAT Emulator ➤ What is the Java Card Technology? 4) Problems in the specifications ➤ Applet Development ➤ Problem of the heap ➤ Architecture 5) Conclusion and future work Damien Sauveron Page 2 sauveron@labri.fr

  3. Laboratoire Bordelais de The Java Card Security project Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Context of our work In 2001, there was no evaluation methodology following Common Criteria (ISO 15408) for: ➤ the Java Card products; ➤ the applications running on these products. The French government wanted to improve the security assurance level of theses new IT products and has accepted our Java Card Security project. Damien Sauveron Page 3 sauveron@labri.fr

  4. Laboratoire Bordelais de The Java Card Security project Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Partners (1/2) The Distributed Systems and Objects team of the Laboratoire Bordelais de Recherche en Informatique (Bordeaux, FRANCE) provides software tools: ➤ to easily and securely develop applications based on distributed and mobile code; ➤ to use theses applications; ➤ that are proven to do what they pretend to. Damien Sauveron Page 4 sauveron@labri.fr

  5. Laboratoire Bordelais de The Java Card Security project Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Partners (2/2) The ITSEF (Information Technology Security Evaluation Facility) center of SERMA Technologies (Pessac, FRANCE): ➤ is specialized in the ITSEC & Common Criteria security evaluation of smart card products and especially Java Cards. The French gouvernment provides: ➤ from the French Ministry of Industry the label Soci´ et´ e de l’information and the funding for the project S´ ecurit´ e Java Card ; ➤ from the French Ministry of Research a part of the funding for a doctoral grant. Damien Sauveron Page 5 sauveron@labri.fr

  6. Laboratoire Bordelais de Java Card Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es What is the Java Card Technology? This technology enables programs written in Java programming language to run on: ➤ smart cards; ➤ other resource-constrained devices. Java Card Technology provides smart cards with a secured, hardware independant and multi-application framework that includes many assets of the Java programming language. Damien Sauveron Page 6 sauveron@labri.fr

  7. Laboratoire Bordelais de Java Card Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Applet Development java Java class Step 1 sources Compiler Files Files Java Card Step 2 Simulator Java Card export export Converter Files File(s) Step 3 CAP File(s) Java Card Step 4 Java Card Emulator Damien Sauveron Page 7 sauveron@labri.fr

  8. Laboratoire Bordelais de Java Card Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Architecture Java Card is a super-set of a subset of the Java programming language. Applet Applet Applet JCRE Main additional features: Industry specific APIs Installer extensions ➤ atomicity; System classes Applet Transaction Network I/O Other management communication services ➤ transaction; management Java Card Virtual Machine ➤ the firewall. Native methods (bytecode interpreter) Hardware and native operating system Damien Sauveron Page 8 sauveron@labri.fr

  9. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Overview JCAT Emulator : Tool to attack and test applets implementation. JCAT View : Tool that enables to parse the CAP file format of different manufacturers to view it ( e.g. IBM, Oberthur Card Systems, Sun microsystems, etc.). JCAT Converter : Tool to convert a CAP file format from a manufacturer to an other. Other JCAT Tools : for instance, a tool to help to modify the bytecode = ⇒ enable an easy creation of test and attack suites. Developed in Java . Damien Sauveron Page 9 sauveron@labri.fr

  10. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Why developping the JCAT Tools? (1/2) Java Card implementations are mainly commercial and closed solutions. = ⇒ low-level details of effective implementation are kept confidential. Java Card simulators provided in toolkits are incomplete (no transaction, no firewall, etc.). Security certification requires: ➤ the validation of Virtual Machine; ➤ the validation of parts of resident applets. = ⇒ Needs are contextual. Damien Sauveron Page 10 sauveron@labri.fr

  11. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es Why developping the JCAT Tools? (2/2) Our goals: ➤ Doing a complete and open source emulator tool. = ⇒ To be adaptable to different contexts; ➤ Enable both hardware and software attacks simulation. = ⇒ To be as closed as possible to an embedded implementation; For instance an electromagnetic radiation just modifies the contents of the smart card memory cells, thus modifies the value of some system object. ➤ Get a tool allowing the usage of formal tools as plugins. Damien Sauveron Page 11 sauveron@labri.fr

  12. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es JCAT Emulator (1/3) Complete implementation of the specifications Java Card 2.1.1 : ☞ VM and APIs ☞ JCRE (firewall and transaction) Goal : ➤ To test and debug Java Card applets; ➤ To detect some problems of behaviour. Damien Sauveron Page 12 sauveron@labri.fr

  13. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es JCAT Emulator (2/3) Features : ☞ execution step by step; ☞ view of the memories, objects, transaction buffer, frame stack, etc.; ☞ provides statistics on the execution; ☞ performs tearing and laser attacks; ☞ choices of memory size; ☞ available from PC/SC. Damien Sauveron Page 13 sauveron@labri.fr

  14. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es JCAT Emulator (3/3) Towards an evaluation methodology for a Java Card platform : Listing of the important security points in the specifications that are obscure. Example : What is the behaviour of the platform when a transaction is aborted in install() after a call to register() . To do : ➤ improve the statistic reports; ➤ improve the simulation of physical attacks; ➤ improve the implementation of crypto APIs; ➤ add the support of Java Card 2.2 (RMI, multi-channels) and Open Platform. Damien Sauveron Page 14 sauveron@labri.fr

  15. 15

  16. 16

  17. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es JCAT Emulator Kernel Bridge to Bridge to Bridge to private IMPL 3 private IMPL 3 private IMPL 3 Bridge to Bridge to Bridge to private IMPL 2 private IMPL 2 private IMPL 2 Bridge to Bridge to Bridge to private IMPL 1 private IMPL 1 private IMPL 1 Memory API Transactions API Debug API JCVM kernel Checker 1 Checker 2 Damien Sauveron Page 17 sauveron@labri.fr

  18. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es JCAT Emulator extensibility Factory design patterns is used several times: For instance, the CAP file reader uses it to be extensible. Indeed, in the next specifications, the CAP file may be augmented with new components and it is an easy way to support them. Native interfaces : Theses calls are forbidden for the end-user but needed for the Java Card APIs implementors (i.e. Transaction). The specifications do not impose a specific way to deal with native interfaces. Choices: Using the impdep1 private bytecode. Damien Sauveron Page 18 sauveron@labri.fr

  19. Laboratoire Bordelais de JCAT Tools Recherche en Informatique ´ Equipe : Syst` emes et Objets Distribu´ es JCAT Emulator adaptability In the Java Card specification, we have discovered some unclear parts regarding: ➤ the persistence of objects; ➤ the heap location. Thus we have designed the JCAT Emulator to be adaptable to the choice that will be done by the Java Card Forum. Damien Sauveron Page 19 sauveron@labri.fr

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CAT Game and JCAT Platform Jinzhong Niu Computer Science The Graduate Center, CUNY March 17,

CAT Game and JCAT Platform Jinzhong Niu Computer Science The Graduate Center, CUNY March 17,

CAT Game and JCAT Platform Jinzhong Niu Computer Science The Graduate Center, CUNY March 17, 2009 Background Market Design Competition ( CAT ) [Gerding et al., 2007] A CAT game has multiple players, each as a market, and includes trading

470 views • 30 slides
Existential Psychotherapy and Counselling Mick Cooper mick.cooper77@gmail.com Sage, 2003, 2017

Existential Psychotherapy and Counselling Mick Cooper mick.cooper77@gmail.com Sage, 2003, 2017

Existential Psychotherapy and Counselling Mick Cooper mick.cooper77@gmail.com Sage, 2003, 2017 PCCS, 2012 Sage, 2015 A Pluralistic Framework for Existential Therapy There is no one best therapy Different clients benefit

822 views • 68 slides
Interactive Classification by Asking Informative Questions Lili Yu, Howard Chen, Sida Wang, Tao

Interactive Classification by Asking Informative Questions Lili Yu, Howard Chen, Sida Wang, Tao

Interactive Classification by Asking Informative Questions Lili Yu, Howard Chen, Sida Wang, Tao Lei, Yoav Artzi Intent Classification Classical classification problems operate on a single user input But natural language input can be

571 views • 28 slides
AUTOMATIC PARALLELISATION OF SOFTWARE USING GENETIC IMPROVEMENT Bobby R. Bruce INSPIRATION

AUTOMATIC PARALLELISATION OF SOFTWARE USING GENETIC IMPROVEMENT Bobby R. Bruce INSPIRATION

AUTOMATIC PARALLELISATION OF SOFTWARE USING GENETIC IMPROVEMENT Bobby R. Bruce INSPIRATION Samsung Galaxy S7 BOBBY R. BRUCE INSPIRATION Mali-T880 MP12 Samsung Galaxy S7 BOBBY R. BRUCE INSPIRATION Intel i7-2500K (overclocked to

416 views • 40 slides
i ns ruct i on C nstruc on Cac ache and and BRANCH T TARGET BU BUFFER Dead Samira

i ns ruct i on C nstruc on Cac ache and and BRANCH T TARGET BU BUFFER Dead Samira

Explor oring Predictive Replacement Policies for for i ns ruct i on C nstruc on Cac ache and and BRANCH T TARGET BU BUFFER Dead Samira Mirbagher Ajorpaz Elba Garza Sangam Jindal Daniel A. Jimnez Explor oring Predictive

1.03k views • 56 slides
X-Ray Microscopy Techniques L. J. Heyderman The Swiss Light Source, Paul Scherrer Institut 3

X-Ray Microscopy Techniques L. J. Heyderman The Swiss Light Source, Paul Scherrer Institut 3

1 X-Ray Microscopy Techniques L. J. Heyderman The Swiss Light Source, Paul Scherrer Institut 3 The electrons are accelerated close to the speed of light in a linear accelerator and injected into the storage ring Bending magnets or

824 views • 61 slides
Chapter 3 Management History and Practice Management & the Arts, 5e (c) Wm. Byrnes 2014

Chapter 3 Management History and Practice Management & the Arts, 5e (c) Wm. Byrnes 2014

Chapter 3 Management History and Practice Management & the Arts, 5e (c) Wm. Byrnes 2014 Chapter Overview This chapter examines the evolution of management thought and applies several of the main theory tracks to the arts. This chapter

378 views • 11 slides
Comprehensive Elastic Resource Management to Ensure Predictable Performance for Scientific

Comprehensive Elastic Resource Management to Ensure Predictable Performance for Scientific

Comprehensive Elastic Resource Management to Ensure Predictable Performance for Scientific Applications on Public IaaS Clouds. In Kee Kim , Jacob Steele, Yanjun Qi, Marty Humphrey CS@University of Virginia Motivation Goals Meet Job

681 views • 18 slides
Lets Help Melly Today, over half of American workers effectively hate their jobs. Maybe

Lets Help Melly Today, over half of American workers effectively hate their jobs. Maybe

Lets Help Melly Today, over half of American workers effectively hate their jobs. Maybe well be happier if we perform better? We can help with that! scientific management project management structured programming You all play a

753 views • 56 slides
The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE Collaboration 2009 Fermi Symposium 2 - 5 November 2009, Washington AGILE on PSLV-C8 Sriharikota, India The AGILE April 15, 2007 Payload: the most

853 views • 38 slides
Webinar Department of Fisheries and Wildlife American Water Resources Association May 4, 2016

Webinar Department of Fisheries and Wildlife American Water Resources Association May 4, 2016

Robert T. Lackey Webinar Department of Fisheries and Wildlife American Water Resources Association May 4, 2016 Oregon State University 1 2 3 4 5 information g athered in a rational, systematic, testable, and reproducible manner 6

906 views • 54 slides
Publishing astronomical data: an ESO perspective Alberto Micol 27 June 2018 Asterics European

Publishing astronomical data: an ESO perspective Alberto Micol 27 June 2018 Asterics European

Publishing astronomical data: an ESO perspective Alberto Micol 27 June 2018 Asterics European Data Provider Forum and Training Event 2018 Heidelberg Alberto Micol, Archive Science Group, Data Management and Operations Division, ESO ESO

452 views • 14 slides
CS449/649: Human-Computer Interaction Spring 2017 Lecture XV Anastasia Kuzminykh Poster -

CS449/649: Human-Computer Interaction Spring 2017 Lecture XV Anastasia Kuzminykh Poster -

CS449/649: Human-Computer Interaction Spring 2017 Lecture XV Anastasia Kuzminykh Poster - advertisement to your work, keep it visual Information Text Organisation Images Bullets, numbering, Always All important points Headings should be

415 views • 17 slides
SCUBA: the (not-so) dangerous underwater sport Dilan Ustek The what SCUBA = Self-Contained

SCUBA: the (not-so) dangerous underwater sport Dilan Ustek The what SCUBA = Self-Contained

SCUBA: the (not-so) dangerous underwater sport Dilan Ustek The what SCUBA = Self-Contained Underwater Breathing Apparatus Snorkeling != SCUBA Free diving != SCUBA SCUBA Snorkeling SCUBA Free diving SCUBA The how - How to float

661 views • 17 slides
buoyfriend no stress decompress the issues diver manually releasing air to divers waiting at a

buoyfriend no stress decompress the issues diver manually releasing air to divers waiting at a

A buoyfriend no stress decompress the issues diver manually releasing air to divers waiting at a decompression safety stop tethered to surface achieve or maintain desired depth the current solutions diving shot dive table manually

187 views • 7 slides
Galatians Living in Grace what we believe about God defines how we live. The Gospel not just

Galatians Living in Grace what we believe about God defines how we live. The Gospel not just

Galatians Living in Grace what we believe about God defines how we live. The Gospel not just for the non-believer The present value of the blood of Christ every day Jesus did more than just pay our debt! Judaizers Jesus AND

552 views • 15 slides
In Insig ights from Socia ial l Scie iences Sahaya G. Selvam, sdb Tangaza University College:

In Insig ights from Socia ial l Scie iences Sahaya G. Selvam, sdb Tangaza University College:

Reli ligious Antecedents of Secula larisation, and Secula larist Consequents on Relig ligion: In Insig ights from Socia ial l Scie iences Sahaya G. Selvam, sdb Tangaza University College: Teaching Minds, Touching Hearts, Transforming

786 views • 42 slides
Christian Life Analogies 1. Athlete (II Timothy 2:5) 2. Farmer (James 5:7) 3. Bride (Revelation

Christian Life Analogies 1. Athlete (II Timothy 2:5) 2. Farmer (James 5:7) 3. Bride (Revelation

Christian Life Analogies 1. Athlete (II Timothy 2:5) 2. Farmer (James 5:7) 3. Bride (Revelation (19:7) 4. Steward ( I Corinthians 4:1-2) 5. Temple (I Corinthians 3:16-17) Christian Life Analogies 6. Servant/Slave (I Peter 2:16) 7. Field

1.53k views • 20 slides
Videos 1 and 2 Inadequate Lacking credibility Formation and development of leaders for the

Videos 1 and 2 Inadequate Lacking credibility Formation and development of leaders for the

Videos 1 and 2 Inadequate Lacking credibility Formation and development of leaders for the Catholic health ministry occur in an ongoing, multifaceted process that enables them to know and confidently act on behalf of the mission of the

698 views • 34 slides
Hymn #154 Be Thou Our Vision Please stand if able Hymn #139, I Celebrate the Inward Light Mark

Hymn #154 Be Thou Our Vision Please stand if able Hymn #139, I Celebrate the Inward Light Mark

Hymn #154 Be Thou Our Vision Please stand if able Hymn #139, I Celebrate the Inward Light Mark 8 31 Then he began to teach them that the Son of Man would have to suffer a great deal and be rejected by the elders, the high priests, and the

281 views • 27 slides
creative writing four genres in brief table of contents creative writing worksheet for grade 6

creative writing four genres in brief table of contents creative writing worksheet for grade 6

1 2 1 Homework help grammar 2 Dbq essay help 3 Research concept paper format 4 it consultant business plan 5 Review of literature on employee retention 6 Dregg report 7 Topics about argumentative essay 8 consultant business plan 9

196 views • 5 slides
GoldenTree Asset Management MIT Golub Center for Finance and Policy 3 rd Annual Conference Joseph

GoldenTree Asset Management MIT Golub Center for Finance and Policy 3 rd Annual Conference Joseph

GoldenTree Asset Management MIT Golub Center for Finance and Policy 3 rd Annual Conference Joseph Naggar, Partner & Senior Portfolio Manager September 2016 1 Securitized Products Overview and CLO Deep Dive 2 Financial Innovation

484 views • 33 slides
ARRC Fallback Consultation Webinar: Securitizations Consultation Regarding More Robust LIBOR

ARRC Fallback Consultation Webinar: Securitizations Consultation Regarding More Robust LIBOR

ARRC Fallback Consultation Webinar: Securitizations Consultation Regarding More Robust LIBOR Fallback Contract Language for New Originations of LIBOR Securitizations Speakers Lisa Pendergast, Executive Director, CREFC Sairah Burki, Senior

501 views • 37 slides
Agenda Item 10: Public Sector Specific Financial Instruments Ross Smith, Technical Manager

Agenda Item 10: Public Sector Specific Financial Instruments Ross Smith, Technical Manager

Agenda Item 10: Public Sector Specific Financial Instruments Ross Smith, Technical Manager IPSASB Meeting June 24-27, 2014 Toronto, Canada Page 1 | Confidential and Proprietary Information Public Sector Specific Financial Instruments

516 views • 23 slides

More recommend