Security on Smart Cards
Isabelle Attali - INRIA · OASIS
Merida, Venezuela - 2002
TRANSCRIPT
1. Generalities on Cards
2. What is Java Card?
3. A Formal Semantics at the source level
4. Testing before loading on the card
5. Static Analysis for object sharing
Two kinds of cards
• Memory cards
  – Télécartes: magnetic stripe, no security
• Smart cards
  – memory + processing + security
  – bank, medical, transport, GSM, pay-TV
  – normative approach (as an insurance for the future)
What is a Smart Card?
• A plastic card, credit-card format, with an integrated microcontroller.
• Standardised by ISO 7816
• Used for:
  – mobile phones: SIM cards
  – loyalty applications
  – bank: credit card or electronic purse
Today
• Mono-applicative smart cards
  – replacement of assembly language by a high-level language
  – Java Card, Multos, Windows for Smart Cards
Tomorrow
• Multi-applicative smart cards
  – write once, run everywhere
  – independently of the platform
  – one card for all needs, but security issues
• Strong effort on Java Card
  – Java Card Forum (card builders, Sun and JavaSoft, Visa)
  – standard for Java Card APIs and bytecode
Smart Card Architecture
• A small computer:
  – 8-bit microcontroller
  – memory
    • 200 KB ROM (Read Only Memory)
    • 64 KB EEPROM (Electrically Erasable Programmable Read Only Memory)
    • 4 KB RAM (Random Access Memory)
• ISO 7816 is a standard for:
  – position and dimension of the electrical contacts
  – data exchange protocol with the card
  – security
What is a Java Card?
• A smart card with:
  – a Java Virtual Machine for running bytecode
    • the standard is given by the Java Card Forum
  – applications written as applets
  – a standard library
  – applets that can be loaded on any standard Java Card.
Java Card Architecture (layers, from bottom to top)
  Physical level
  OS
  JCVM            | Native methods
  JCRE            | API
  applet | applet | applet
Why not run Java on cards?
• Physical constraints
  – fewer base types
  – simplified data structures
• Internal optimized bytecode
  – compactness + efficiency (tokens)
  – JCVM (smaller + security)
  – CAP files (standardized format)
Programming Smart Cards with Java Card
• Small is beautiful!
• Scalability of the produced tools (visualization)
• Java compiler, converter -> CAP file on the card
• Specific problems:
  – specific OS: JCRE
  – multi-applications
  – specific APIs
  – limited resources
  – APDU format for talking to the card
  – security issues
How to develop Java Card applets?
• Programming: epurse.java
  – JDK 1.3
  – Java Card 2.1.1
  – Java Comm
• Compiling: javac … epurse.class
  – with the appropriate APIs
• Converting: converter … epurse.cap
• Testing:
  – jcwde: simulates the Java Card
  – apdutool: simulates the terminal
What is Java Card?
• Java Card ⊂ Java (what Java Card lacks)
  – no threads ⇒ no synchronized
  – no float, double, long, transient, volatile
  – one-dimensional arrays only
  – no garbage collector, no dynamic class loading, none of the usual Java APIs
• Java Card ⊄ Java (what is specific to Java Card)
  – persistent objects (EEPROM) and transient objects (RAM)
  – atomic blocks
  – object sharing by interface
  – APDUs
What is Java Card?
• APDU (Application Protocol Data Unit), ISO 7816-4, carried by the ISO 7816-3 transmission protocol: standardized data exchange format between the card and the card reader (CAD = Card Acceptance Device). Low level!!
• JCRE (Java Card Runtime Environment): virtual machine + classes

  Command APDU:   CLA INS P1 P2 | Lc Data Le
                  mandatory     | optional
  Response APDU:  Data     | SW1 SW2
                  optional | mandatory
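Added example (written for this page, not code from the talk or the OASIS tools): a small encoder/decoder for the short-form command and response APDU layout above. It handles the four ISO 7816-4 cases produced by the optional Lc/Data/Le fields and rejects inconsistent lengths instead of reading past the buffer, which is the low-level detail an applet's process() otherwise has to get right itself. The sample bytes are constructed; E5 50 00 00 02 <Value> is the command shape used in the extractor example later in the talk.

```python
"""Short-form ISO 7816-4 APDU encoder/decoder.

Added example for this page, not code from the talk or the OASIS tools.
Covers the four short cases (no extended-length APDUs):
  case 1: CLA INS P1 P2
  case 2: CLA INS P1 P2 Le
  case 3: CLA INS P1 P2 Lc Data
  case 4: CLA INS P1 P2 Lc Data Le
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data field (Lc bytes), empty for cases 1 and 2
    le: Optional[int] = None   # expected response length 1..256, None when absent

    def to_bytes(self) -> bytes:
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            if len(self.data) > 255:
                raise ValueError("short Lc is one byte: at most 255 data bytes")
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            if not 1 <= self.le <= 256:
                raise ValueError("short Le encodes 1..256 (256 is sent as 0x00)")
            out += bytes([self.le % 256])
        return out


@dataclass
class ResponseAPDU:
    data: bytes                # optional response data
    sw1: int                   # mandatory status word
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2


def parse_command(raw: bytes) -> CommandAPDU:
    """Split a command APDU; raise ValueError rather than index past the buffer."""
    if len(raw) < 4:
        raise ValueError("header CLA INS P1 P2 is mandatory")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                   # case 1
        return CommandAPDU(cla, ins, p1, p2)
    if len(body) == 1:                             # case 2: the single byte is Le
        return CommandAPDU(cla, ins, p1, p2, le=body[0] or 256)
    lc = body[0]
    if lc == 0:
        raise ValueError("Lc = 00 is not valid in short form")
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError(f"Lc = {lc} but only {len(data)} data bytes present")
    rest = body[1 + lc:]
    if not rest:                                   # case 3
        return CommandAPDU(cla, ins, p1, p2, bytes(data))
    if len(rest) == 1:                             # case 4: trailing byte is Le
        return CommandAPDU(cla, ins, p1, p2, bytes(data), le=rest[0] or 256)
    raise ValueError(f"{len(rest) - 1} unexpected byte(s) after Le")


def parse_response(raw: bytes) -> ResponseAPDU:
    """Split a response APDU into optional data and the mandatory SW1 SW2."""
    if len(raw) < 2:
        raise ValueError("SW1 SW2 are mandatory")
    return ResponseAPDU(bytes(raw[:-2]), raw[-2], raw[-1])


if __name__ == "__main__":
    # Constructed sample: the command shape of the extractor example, Value = 0x0102.
    cmd = parse_command(bytes.fromhex("E5 50 00 00 02 01 02"))
    print(cmd, cmd.to_bytes().hex())
    print(hex(parse_response(bytes.fromhex("90 00")).sw))
```

Le = 00 is decoded as 256, as the short form defines it; a terminal that forgets this sends a 4-byte header plus a stray 00 and gets a case-2 command instead of a case-1 one, which is exactly the kind of ambiguity the extractor in the talk removes by generating the APDU from the applet source.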
How to use applets
• An applet has to be loaded on the card
• then it must be
  – installed
  – registered: connected to the JCRE via an AID
  – selected
    • only one applet is selected at a time (even if many are on the card)
    • the selected applet gets the next APDU

  Life cycle: loaded --install--> installed --register--> registered --select--> active --deselect--> registered
Our objectives with Java Card
• Establish a reference semantics
• Provide specific tools for editing and checking
• Simulate the application (= applet) source code before loading it on a card (no compilation, no installation)
• Help the developer to perform interactive tests
• Provide security analyses (object sharing)
How does our Environment work?
Use Centaur, a generic environment generator.
  Java Card program --Parser--> Abstract Syntax Tree (AST) --PrettyPrinter--> textual presentation of the tree
  AST --> Simulator (Typol) --> results to interpret (for the applet developer)
  AST --> APDU format extractor (Typol)
  AST --> Checker (Typol)
The static checker
• Checks conformance to Java Card at the source level (instead of the bytecode level)
• Rejects char, long, double, float, synchronized, volatile, transient
• Another example: one-dimensional arrays only; int[] i or int i[] are accepted, but int[] i[] is rejected
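The talk's checker runs on the Centaur AST in Typol. As an added example for this page (not the OASIS checker), the same two checks can be approximated at the token level over Java source: comments and literals are blanked first so their contents are not flagged, then the forbidden keywords from the slide and any two-dimensional array declarator are reported with their line numbers. The Purse class in SAMPLE is constructed for the example.

```python
"""Source-level Java Card conformance checker (added example, not the OASIS Typol checker).

Token-level approximation of the slide's two checks: forbidden Java features
and multi-dimensional arrays. The sample applet below is constructed.
"""
import re
from typing import List, Tuple

# Features listed on the slide as absent from Java Card 2.1.1.
FORBIDDEN = {
    "char": "type char is not supported",
    "long": "type long is not supported",
    "float": "type float is not supported",
    "double": "type double is not supported",
    "synchronized": "no threads, so synchronized is not supported",
    "volatile": "volatile modifier is not supported",
    "transient": "transient modifier is not supported (use JCSystem transient arrays)",
}

# Comments, string literals and char literals, matched in one left-to-right pass so
# that a "//" inside a string is treated as string content, not as a comment.
_NOISE = re.compile(
    r"/\*.*?\*/|//[^\n]*|\"(?:\\.|[^\"\\\n])*\"|'(?:\\.|[^'\\\n])'", re.S
)
# int[][] x, int[] x[], int x[][]: an empty bracket pair followed (optionally via one
# identifier) by another empty bracket pair.
_MULTIDIM = re.compile(r"\[\s*\]\s*(?:\w+\s*)?\[\s*\]")


def _blank(m: "re.Match[str]") -> str:
    # Replace every non-newline character so line numbers stay stable.
    return re.sub(r"[^\n]", " ", m.group())


def check(src: str) -> List[Tuple[int, str]]:
    """Return (line, message) for each construct the checker would reject."""
    clean = _NOISE.sub(_blank, src)
    findings = []
    for word, msg in FORBIDDEN.items():
        for m in re.finditer(rf"\b{word}\b", clean):
            findings.append((clean.count("\n", 0, m.start()) + 1, msg))
    for m in _MULTIDIM.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        findings.append((line, "multi-dimensional arrays are not supported"))
    return sorted(findings)


# Constructed sample: one accepted field and four rejected declarations.
SAMPLE = """public class Purse extends Applet {
    private short balance;                 // accepted: short
    private long serial;                   // rejected: long
    private int[] history[];               // rejected: two-dimensional array
    private char tag = 'x';                // rejected: char (the literal itself is not)
    public synchronized void debit(short amount) { balance -= amount; }   // rejected
    // String s = "double"; in a comment or literal is not flagged
}
"""

if __name__ == "__main__":
    for line, msg in check(SAMPLE):
        print(f"line {line}: {msg}")
```

Because the check is textual, it accepts anything the Java compiler would later reject; the talk's checker avoids that by working on the parsed AST, which is why it can also be exact about the array declarator forms.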
AST
AST with a pretty printer
Result of the APDU format extractor
Some results of the simulator
Structure Editor
Aim: help beginners to write programs (all the possible patterns are proposed)
APDU format extractor
Aim: help the user to create APDUs.
The applet developer's view: the untreated result
How is the extraction done?
Analyses the accesses to the APDU buffer to:
  – retrieve the possible values of CLA and INS → list of possible commands
  – extract the list of parameters (of the data field) for each command

Extracted Data Structure
  Applet
    AID
    Name
    [Commands]
    Incorrect {CLA} and {INS}
  Command
    Name
    {CLA}
    {INS}
    {P1}, {P2}
    Lc, Le
    [Parameters]
    Response
  Parameter
    Name
    Position in the Data field
    Length
  Legend: {} set, [] list, Unused: field not filled by the analysis
Example of Analysis

  import javacard.framework.*;

  public class MyApplet extends Applet {
      final static byte sendValue = (byte) 0x50;   // INS of the command
      final static byte My_CLA    = (byte) 0xE5;   // CLA expected by this applet
      …
      public void process(APDU apdu) throws ISOException {
          byte[] buffer = apdu.getBuffer();
          if (buffer[ISO7816.OFFSET_CLA] == My_CLA)
              if (buffer[ISO7816.OFFSET_INS] == sendValue) {
                  apdu.setIncomingAndReceive();                    // receive the data field
                  short Value = Util.getShort(buffer, (short) 5);  // 2 bytes at offset 5 of the buffer
              }
          ...
      }
  }

Extracted command (format of the APDU to send: CLA INS P1 P2 Lc Data Le):
  Command
    Name: "sendValue"
    CLA: E5
    INS: 50
    Parameters
      Parameter
        Name: "Value"
        Length: 2
        Position: 5
  APDU to send: E5 50 00 00 02 Value
Applet simulator
The Simulator
  CAD simulator --APDUs--> JCRE --> applets (Purse, FrequentFlyer)
• CAD simulator: based on the command description given by the APDU format extractor
• Applet simulator: dynamic semantics of Java Card + APIs + JCRE
Java Card Semantics
• Interpret the source code
• Functionalities:
  – record a sequence of APDUs and reuse it for regression tests
  – send an APDU created from a sequence of bytes or from the extracted APDU format
  – save and restore the data of the card
• The JCRE dispatches the APDUs sent by the CAD simulator to the applets
  Java Card semantics + some APIs (APDU, AID, JCSystem, Applet) + JCRE
Java Card vs Java Semantics
• No multi-threading on cards (yet)
• Thread interleaving has been changed: a thread executes
until dead or suspended
• Build the APDU structure
• Different APIs
Overview of the Environment
Static Analysis of object sharing
• Analyse the sharing/security mechanisms
• Statically detect instructions which may raise a security exception
• Help the applet developer!
Java Card Security
• Partition of objects: a context for each package.
• Contexts
  – active context,
  – object creation context.
• Active context = context of the accessed object ⇒ access allowed
• Shareable interface method ⇒ context switch
  Context 1 (Applet 1) | Firewall | Context 2 (Applet 2)
Analysis features
• Based on Java Card bytecode
• Static analysis
• Object access classification
  – secure,
  – non-secure (security exception thrown),
  – undecided.
  Applets (bytecode) --> Sharing Analysis --> set of secure/non-secure instructions
Sharing Analysis
• Code must be bytecode-verifier compliant
• Infer a set of possible creation contexts for every variable
• Compare abstract object contexts and execution contexts for every access
  – field modification
  – field access
  – method call
• Control-flow insensitive.
Classification of object accesses
• no security exception:
  – abstract contexts are identical singletons, e.g. {Purse} vs {Purse}
  – static access
  – shareable interface method call
• possible security exception:
  – abstract contexts are compatible, e.g. {FrequentFlyer 1} vs {FrequentFlyer 1, FrequentFlyer 2}
• always a security exception:
  – abstract contexts are incompatible, e.g. {Purse, FrequentFlyer} vs {Loyalty}
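The classification step of the analysis, as an added example written for this page (it is not the OASIS bytecode analysis): the abstract creation contexts and active contexts are taken as given here, whereas the talk infers them per variable from the bytecode. The access labels, context names and the shareable flag on the Access record are constructed for the example; the three rows of the slide are reproduced as the first three sample accesses.

```python
"""Object-access classification of a Java Card sharing analysis.

Added example for this page, not the OASIS analysis. Abstract contexts are sets
of package contexts an object may have been created in (or the code may be
running in); the inference of those sets is out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

Ctx = FrozenSet[str]
SECURE, NON_SECURE, UNDECIDED = "secure", "non-secure", "undecided"
STATIC = {"getstatic", "putstatic", "invokestatic"}


@dataclass(frozen=True)
class Access:
    instr: str                 # bytecode mnemonic: getfield, putfield, invokevirtual, ...
    label: str                 # constructed description of the access, for the report
    obj_ctx: Ctx               # possible creation contexts of the accessed object
    active_ctx: Ctx            # possible active contexts at this instruction
    shareable: bool = False    # invokeinterface through a Shareable interface


def classify(a: Access) -> str:
    """Apply the slide's three rules to one field access or method call."""
    if a.instr in STATIC:
        return SECURE              # static members have no owning applet context
    if a.instr == "invokeinterface" and a.shareable:
        return SECURE              # the JCRE switches context for Shareable calls
    if not a.obj_ctx or not a.active_ctx:
        raise ValueError(f"{a.label}: empty abstract context")
    if len(a.obj_ctx) == 1 and a.obj_ctx == a.active_ctx:
        return SECURE              # identical singletons: owner == active context on every run
    if a.obj_ctx.isdisjoint(a.active_ctx):
        return NON_SECURE          # incompatible: the firewall throws on every run
    return UNDECIDED               # compatible but not identical: depends on the run


def analyse(accesses: Iterable[Access]) -> Dict[str, List[str]]:
    """Group access labels by verdict, the 'set of secure/non-secure instructions'."""
    report: Dict[str, List[str]] = {SECURE: [], NON_SECURE: [], UNDECIDED: []}
    for a in accesses:
        report[classify(a)].append(a.label)
    return report


def ctx(*names: str) -> Ctx:
    return frozenset(names)


# Constructed accesses; the first three mirror the slide's example rows.
SAMPLE = [
    Access("getfield", "Purse.balance read inside Purse", ctx("Purse"), ctx("Purse")),
    Access("putfield", "FrequentFlyer.miles write", ctx("FrequentFlyer 1"),
           ctx("FrequentFlyer 1", "FrequentFlyer 2")),
    Access("invokevirtual", "Loyalty calls Purse.getBalance directly",
           ctx("Purse", "FrequentFlyer"), ctx("Loyalty")),
    Access("invokeinterface", "Loyalty calls Purse through a Shareable interface",
           ctx("Purse"), ctx("Loyalty"), shareable=True),
    Access("getstatic", "read of a static counter", frozenset(), frozenset()),
]

if __name__ == "__main__":
    for verdict, labels in analyse(SAMPLE).items():
        print(verdict, labels)
```

The UNDECIDED bucket is the price of a flow-insensitive analysis: once a variable's creation-context set has more than one element, only a run (or a finer analysis) can tell whether the firewall will object, which is why the talk reports it to the developer rather than rejecting the applet.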
Future Work
• a development environment with the 3 levels (source, class, cap) and their correspondences
• execution at the bytecode level
• a set of analyses, verifications, and optimizations
• information (static & dynamic) shown graphically
OASIS Project: Active Object, Semantics, Internet and Security
http://www.inria.fr/oasis/
http://www.inria.fr/oasis/java
http://www.inria.fr/oasis/javacard
Isabelle Attali, Denis Caromel, Carine Courbis, Ludovic Henrio, Henrik Nilsson, Marjorie Russo
This work was partially funded by