Security on Smart Cards - Isabelle Attali - Inria · OASIS - Merida Venezuela - 2002


OASIS

Isabelle Attali - Merida Venezuela - 2002

Security on Smart Cards

Isabelle Attali

1. Generalities on Cards

2. What is Java Card ?

3. A Formal Semantics at the source level

4. Testing before loading on the card

5. Static Analysis for object sharing


Two kinds of cards

• Memory cards
– Telecartes: magnetic tape, no security

• Smart Cards
– memory + processing + security
– bank, medical, transport, gsm, pay-tv
– normative approach (as an insurance for the future)


What is a Smart Card ?

• A plastic card, credit-card format, with an integrated micro-controller.

• Standardized by ISO 7816

• used for:

– Mobile phones: sim cards

– loyalty applications

– bank : credit-card or electronic purse


Today

• Mono-applicative Smart Cards
– replacement of assembly language by a high-level language
– Java Card, Multos, Windows for Smart Cards


Tomorrow

• Multi-applicative Smart Cards
– write once, run everywhere
– independently of the platform
– one card for all needs but security issues

• Strong effort on Java Card
– Java Card Forum (card builders, Sun and JavaSoft, Visa)
– Standard for Java Card APIs and bytecode


Smart Card Architecture

• A small computer:
– 8-bit microcontroller
– Memory
  • 200 KB ROM (Read-Only Memory)
  • 64 KB EEPROM (Electrically Erasable Programmable Read-Only Memory)
  • 4 KB RAM (Random Access Memory)

• ISO7816 is a standard for:

– position and dimension of electric contacts

– data exchange protocol with the card

– security


What is a Java Card ?

• A smart card:

– Java Virtual Machine for running bytecode

• the standard is given by the Java Card Forum

– applications are applets

– standard library

– applets can be loaded on any standard JavaCard.


Java Card Architecture

[Figure: layer diagram, layers in the order given on the slide: Physical level; OS; JCVM and Native methods; JCRE and API; applet, applet, applet]


Why not run Java on cards ?

• Physical constraints
– fewer base types
– simplified data structures

• Internal optimized bytecode
– compactness + efficiency (tokens)
– JCVM (smaller + security)
– CAP files (standardized format)


Programming Smart Cards with Java Card

• Small is beautiful !

• Scalability of produced tools (visualization)

• Java compiler, converter -> CAP file on card

• Specific problems:

– Specific OS: JCRE

– Multi-Applications

– Specific APIs

– Limited resources

– APDU format for talking to the Card

– Security issues


How to develop Java Card applets ?

• Programming: epurse.java
– JDK 1.3
– Java Card 2.1.1
– Java Comm

• Compiling: javac … epurse.class
– appropriate APIs

• Converting: converter … epurse.cap

• Testing:
– jcwde: simulates the Java Card
– apdutool: simulates the terminal


What is Java Card ?

• Java Card vs. Java, not supported:
– No threads, hence no synchronized
– No float, double, long, transient, volatile
– One-dimensional arrays only
– No Garbage Collector, no dynamic loading, usual APIs

• Java Card vs. Java, specific additions:
– Persistent Objects (EEPROM) and Transient Objects (RAM)
– Atomic Blocks
– Object Sharing by Interface
– APDUs


What is Java Card ?

• APDU (Application Protocol Data Unit), ISO 7816-3: standardized data exchange format between the card and the card reader (CAD = Card Acceptance Device); low level !!

• JCRE (Java Card Runtime Environment): virtual machine + classes

Command APDU: cla ins p1 p2 lc data le

Response APDU: data sw1 sw2

[Figure legend: Mandatory / Optional]


How to use applets

• An applet has to be loaded on the card

• then, must be
– installed
– registered
  • connected to JCRE via an AID
– selected
  • only one selected at a time (even if many are on card)
  • will get the next APDU

[State diagram: states loaded, Installed, registered, Active; transitions install, register, select, deselect]


Our objectives with Java Card

• Establish a reference semantics

• Provide specific tools for editing, checking

• Simulate the application (=Applet) source code before loading on a card (no compilation, no installation)

• Help the developer to perform interactive tests

• Provide security analyses (object sharing)


How does our Environment work?

Use Centaur, a generic Environment Generator

[Diagram: Java Card Program; Parser; Abstract Syntax Tree (AST); Pretty Printer; Textual Presentation of the Tree; Simulator (Typol); APDU format extractor (Typol); Checker (Typol); Results to Interpret (for the Applet Developer)]


The static checker

• Checks conformance to Java Card at the source level (instead of the bytecode level)

• char, long, double, float, synchronized, volatile, transient

• Another example: one-dimensional arrays: int[] i or int i[] but also int[] i[]


AST

AST with a pretty printer


Result of the APDU format extractor

Some Results of the Simulator


Structure Editor

Aim: Help Beginners to Write Programs

All the Possible Patterns


APDU format extractor

Aim: Help the user to create APDUs.

The Applet Developer’s view

Untreated Result


How is the extraction done?

Analyses accesses to the APDU buffer to:

– Retrieve the possible values of CLA, INS → list of possible commands.

– Extract the list of parameters (of the data field) for each command.


Extracted Data Structure

[Diagram: Applet (AID, Name, [Commands], Incorrect {CLA} and {INS}); Command ({CLA}, {INS}, {P1}, {P2}, Lc, Le, Name, [Parameters], Response); Parameter (Name, Position in the Data field, Length). Legend: {} Set, [] List, Unused]


Example of Analysis

    import javacard.framework.*;

    public class MyApplet extends Applet {
        final static byte sendValue = (byte) 0x50;
        final static byte My_CLA = (byte) 0xE5;
        …
        public void process(APDU apdu) throws ISOException {
            byte[] buffer = apdu.getBuffer();
            if (buffer[ISO7816.OFFSET_CLA] == My_CLA)
                if (buffer[ISO7816.OFFSET_INS] == sendValue) {
                    // read the incoming data field into the APDU buffer
                    apdu.setIncomingAndReceive();
                    // 2-byte parameter at offset 5, the first byte of the data field
                    short Value = Util.getShort(buffer, (short) 5);
                }
            ...
        }
    }

Format of the APDU to send (APDU format: CLA INS P1 P2 Lc Data Le):

E5 50 00 00 02 Value

Extracted description:

Command
– Name: «sendValue»
– CLA: E5
– INS: 50
– Parameters
  • Parameter: Name: «Value», Length: 2, Position: 5
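The command/response layout from the APDU slide and the description extracted in this example can be exercised host-side, as a CAD simulator would. The following Python sketch is an added example, not code from the slides or from the OASIS tools: `COMMANDS`, `build_command`, `parse_command` and `parse_response` are hypothetical names, and it assumes short APDUs (one-byte Lc and Le). It also rejects a parameter that Lc does not cover, a check the applet above does not make before reading offset 5.

```python
# Constructed description of the slide's "sendValue" command, in the shape
# the APDU format extractor reports (dictionary keys are hypothetical).
COMMANDS = [{"name": "sendValue", "cla": 0xE5, "ins": 0x50,
             "params": [{"name": "Value", "pos": 5, "length": 2}]}]

def build_command(cmd, values, p1=0, p2=0):
    """Serialize cla ins p1 p2 lc data (no le) from an extracted description."""
    lc = max((p["pos"] + p["length"] - 5 for p in cmd["params"]), default=0)
    buf = bytearray([cmd["cla"], cmd["ins"], p1, p2, lc]) + bytearray(lc)
    for p in cmd["params"]:
        # big-endian, matching Util.getShort; to_bytes rejects oversized values
        raw = values[p["name"]].to_bytes(p["length"], "big")
        buf[p["pos"]:p["pos"] + p["length"]] = raw
    return bytes(buf)

def parse_command(apdu, commands=COMMANDS):
    """Split a short command APDU and decode its data field by description."""
    if len(apdu) < 4:
        raise ValueError("header needs cla ins p1 p2")
    cla, ins, p1, p2 = apdu[:4]
    lc, le = 0, None
    if len(apdu) == 5:                       # header followed by le only
        le = apdu[4]
    elif len(apdu) > 5:
        lc = apdu[4]
        if lc == 0 or len(apdu) not in (5 + lc, 6 + lc):
            raise ValueError("lc does not match the data actually sent")
        le = apdu[5 + lc] if len(apdu) == 6 + lc else None
    cmd = next((c for c in commands if (c["cla"], c["ins"]) == (cla, ins)), None)
    if cmd is None:
        raise ValueError("incorrect CLA/INS")
    fields = {}
    for p in cmd["params"]:
        end = p["pos"] + p["length"]
        if end > 5 + lc:                     # parameter lies outside the data field
            raise ValueError(f"{p['name']} not covered by lc={lc}")
        fields[p["name"]] = int.from_bytes(apdu[p["pos"]:end], "big")
    return {"command": cmd["name"], "p1": p1, "p2": p2, "le": le, "fields": fields}

def parse_response(resp):
    """Response APDU: optional data followed by the status word sw1 sw2."""
    if len(resp) < 2:
        raise ValueError("response needs sw1 sw2")
    return resp[:-2], (resp[-2] << 8) | resp[-1]
```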


The Simulator

• CAD simulator: based on the command description given by the APDU format extractor

• Applet simulator: dynamic semantics of Java Card + APIs + JCRE

[Diagram: CAD simulator; APDUs; Applet simulator; JCRE; Applets: Purse, FrequentFlyer]


Java Card Semantics

• Interpret the source code

• functionalities:
– Record a sequence of APDUs and reuse it for regression tests,
– Send APDU created from a sequence of bytes or from the APDU format extracted,
– Save and restore the data of the card

• The JCRE dispatches APDUs sent by the CAD simulator to applets

[Diagram: Java Card semantics; Some APIs (APDU, AID, JCSystem, Applet); JCRE]


Java Card vs Java Semantics

• No multi-threading on cards (yet)

• Thread interleaving has been changed: a thread executes until dead or suspended

• Build the APDU structure

• Different APIs


Overview of the Environment


Static Analysis of object sharing

• Analyse sharing/security mechanisms

• Statically detect instructions which may raise a security exception.

• Help the applet developer !


Java Card Security

• Partition of objects: a context for each package.

• Contexts

– Active context,

– Object creation context.

• Active context = object accessed context ⇒ Allowed

• Shareable interface method ⇒ Context switch

[Diagram: Applet 1 in Context 1 and Applet 2 in Context 2, separated by a firewall]


Analysis features

• Based on Java Card Byte Code

• Static Analysis

• Object access classification

– secure,

– non-secure (security exception thrown),

– undecided.

[Diagram: Applets (byte code) → Sharing Analysis → Set of secure/non-secure instructions]


Sharing Analysis

• Code must be Byte Code verifier compliant

• Infer a set of possible creation contexts for every variable

• Compare abstract object contexts and execution contexts for every access

– field modification

– field access

– method call

• Control flow insensitive.


Classification of object accesses

• no security exception:
– abstract contexts are identical singletons, e.g. {Purse} and {Purse}
– static access
– shareable interface method call

• possible security exception:
– abstract contexts are compatible, e.g. {FrequentFlyer 1} and {FrequentFlyer 1, FrequentFlyer 2}

• always security exception:
– abstract contexts are incompatible, e.g. {Purse, FrequentFlyer} and {Loyalty}
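The sharing analysis and this classification can be tried on a toy model. The Python sketch below is an added example, not the OASIS analysis, which works on Java Card byte code: it uses a constructed three-statement language (`new`, `assign`, `access`), all function names are hypothetical, and it assumes "compatible" means the two context sets overlap and "incompatible" means they are disjoint.

```python
from enum import Enum

class Verdict(Enum):
    SECURE = "no security exception"
    UNDECIDED = "possible security exception"
    NON_SECURE = "always security exception"

def infer_creation_contexts(stmts):
    """Flow-insensitive: statement order is ignored and each variable's set
    of possible creation contexts only grows until nothing changes."""
    ctx, changed = {}, True
    while changed:
        changed = False
        for op, dst, src in stmts:
            if op == "new":          # dst = new ..., executed in context src
                found = {src}
            elif op == "assign":     # dst = src
                found = set(ctx.get(src, ()))
            else:
                continue
            cur = ctx.setdefault(dst, set())
            if not found <= cur:
                cur |= found
                changed = True
    return ctx

def classify(object_ctx, exec_ctx, static=False, shareable_call=False):
    """Compare the abstract object context with the abstract execution context."""
    if static or shareable_call:
        return Verdict.SECURE
    if not object_ctx or not exec_ctx:
        return Verdict.UNDECIDED     # nothing inferred: stay conservative
    if len(object_ctx) == 1 and object_ctx == exec_ctx:
        return Verdict.SECURE        # identical singletons
    if object_ctx & exec_ctx:
        return Verdict.UNDECIDED     # compatible (assumed: sets overlap)
    return Verdict.NON_SECURE        # incompatible (assumed: sets disjoint)

def analyse(stmts):
    """Return {(variable, execution contexts): Verdict} for every access."""
    ctx = infer_creation_contexts(stmts)
    return {(var, execs): classify(ctx.get(var, set()), set(execs))
            for op, var, execs in stmts if op == "access"}

# Constructed program; the applet names are the ones used on the slide.
PROGRAM = [
    ("access", "acct", frozenset({"Loyalty"})),   # listed first: order is ignored
    ("new", "balance", "Purse"),
    ("new", "miles", "FrequentFlyer"),
    ("assign", "acct", "balance"),
    ("assign", "acct", "miles"),
    ("access", "balance", frozenset({"Purse"})),
    ("access", "miles", frozenset({"FrequentFlyer", "Loyalty"})),
]
```

Because the inference ignores control flow, `acct` gets the union {Purse, FrequentFlyer} even though any single run assigns it only one object, which is why an access from Loyalty is still reported as always raising an exception.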


Future Work

• a development environment with the 3 levels (source, class, cap) and correspondences

• execution at the bytecode level

• a set of analyses, verifications, and optimizations

• information (static & dynamic) shown in a graphical way


OASIS Project

Active Object, Semantics, Internet and Security

http://www.inria.fr/oasis/

http://www.inria.fr/oasis/java

http://www.inria.fr/oasis/javacard

Isabelle Attali, Denis Caromel, Carine Courbis, Ludovic Henrio, Henrik Nilsson, Marjorie Russo

This work was partially funded by