Guillaume Barbu

Attacks on java card 3.0 combining fault and logical attacks

Java Cards have been threatened so far by attacks using ill-formed applications which assume that the application bytecode is not verified. This assumption remained realistic as long as the bytecode verifier was commonly executed off-card and could thus be bypassed. Nevertheless it can no longer be applied to the Java Card 3 Connected Edition context where the bytecode verification is necessarily performed on-card. Therefore Java Card 3 Connected Edition seems to be immune against this kind of attacks. In this paper, we demonstrate that running ill-formed application does not necessarily mean loading and installing ill-formed application. For that purpose, we introduce a brand new kind of attack which combines fault injection and logical tampering. By these means, we describe two case studies taking place in the new Java Card 3 context. The first one shows how ill-formed applications can still be introduced and executed despite the on-card bytecode verifier. The second example leads to the modification of any method already installed on the card into any malicious bytecode. Finally we successfully mount these attacks on a recent device, emphasizing the necessity of taking into account these new threats when implementing Java Card 3 features.

Java card operand stack: fault attacks, combined attacks and countermeasures

Until 2009, Java Cards have been mainly threatened by Logical Attacks based on ill-formed applications. The publication of the Java Card 3.0 Connected Edition specifications and their mandatory on-card byte code verification may have then lead to the end of software-based attacks against such platforms. However, the introduction in the Java Card field of Fault Attacks, well-known from the cryptologist community, has proven this conclusion wrong. Actually, the idea of combining Fault Attacks and Logical Attacks to tamper with Java Cards appears as an even more dangerous threat. Although the operand stack is a fundamental element of all Java Card Virtual Machines, the potential consequences of a physical perturbation of this element has never been studied so far. In this article, we explore this path by presenting both Fault Attacks and Combined Attacks taking advantage of an alteration of the operand stack. In addition, we provide experimental results proving the practical feasibility of these attacks and illustrating their efficiency. Finally, we describe different approaches to protect the operand stacks integrity and compare their cost with a particular interest on the time factor.

Embedded Eavesdropping on Java Card

In this article we present the first Combined Attack on a Java Card targeting the APDU buffer itself, thus threatening both the security of the platform and of the hosted applications as well as the privacy of the cardholder. We show that such an attack, which combines malicious application and fault injection, is achievable in practice on the latest release of the Java Card specifications by presenting several case studies taking advantage for instance of the well-known GlobalPlatform and (U)SIM Application ToolKit.

Dynamic fault injection countermeasure: a new conception of java card security

Nowadays Fault Injection is the main threat for any sensitive applications being executed on embedded devices. Indeed, such an attack allows one to efficiently recover any secret or to gain unauthorized privileges if no appropriate countermeasure is implemented. In the context of Java Card applications, the main method to counteract Fault Injection consists in adding redundancy for sensitive operations and integrity verification for sensitive variables. While being efficient from a security point of view, such a method substantially impacts the performance of the application. In this article we introduce a new pragmatic approach to counteract Fault Injection by dynamically increasing the security level of the application. This methodology, based on upgrading the Java Card Virtual Machine, allows us to optimize the performance of sensitive applications in every day life while providing a strong security level as soon as an attacker tries to disturb their executions.

Synchronized attacks on multithreaded systems - application to java card 3.0 -

Up to now devices in charge of performing secure transactions mainly remained limited regarding their functionalities. However the trend has recently gone towards an increasing integration of features and technologies, which could potentially represent a source of additional threats. This article introduces an innovative attack exploiting advanced functionalities and offering unrivalled opportunities. This attack targets specifically the multithreaded systems featuring network capabilities. By the way of a network flooding we show how a process can be interrupted at the precise time a sensitive operation is being executed. This interruption aims at subsequently modifying the execution context and consequently breaking the sensitive operation. The practical feasibility of this attack is illustrated on a Java Card 3.0 Connected Edition platform. This description reveals that going through with the full attack scenario is not obvious. However this apparent complexity must not conceal the potential breach, which may significantly alter any application running on the system. Finally the goal of this work is to emphasize that the increasing products complexity may generate new security issues rather than to highlight a specific weakness on released products.

New Countermeasures against Fault and Software Type Confusion Attacks on Java Cards

Attacks based on type confusion against Java Card platforms have been widely studied in the literature over the past few years. Until now, no generic countermeasure has ever been proposed to cover simultaneously and efficiently direct and indirect type confusions. In this article we bridge this gap by introducing two different schemes which cover both type confusions. First, we show that an adequate random transformation of all the manipulated data on the platform according to their type can bring a very good resistance against type confusion exploits. Secondly, we describe how a so-called Java Card Virtual Machine Abstract Companion can allow one to detect all type confusions between integers and Objects all across the platform. While the second solution stands as a strong but resource-demanding mechanism, we show that the first one is a particularly efficient memory/security trade-off solution to secure the whole platform.

Combined Attack on CRT-RSA Why Public Verification Must Not Be Public?

This article introduces a new Combined Attack on a CRT-RSA implementation resistant against Side-Channel Analysis and Fault Injection attacks. Such implementations prevent the attacker from obtaining the signature when a fault has been induced during the computation. Indeed, such a value would allow the attacker to recover the RSA private key by computing the

Analysis of a Code-Based Countermeasure Against Side-Channel and Fault Attacks

gcd

Method for testing the security of an electronic device against an attack, and electronic device implementing countermeasures

of the public modulus and the faulty signature. The principle of our attack is to inject a fault during the signature computation and to perform a Side-Channel Analysis targeting a sensitive value processed during the Fault Injection countermeasure execution. The resulting information is then used to factorize the public modulus, leading to the disclosure of the whole RSA private key. After presenting a detailed account of our attack, we explain how its complexity can be significantly reduced by using lattice reduction techniques. We also provide simulations that confirm the efficiency of our attack as well as two different countermeasures having a very small impact on the performance of the algorithm. As it performs a Side-Channel Analysis during a Fault Injection countermeasure to retrieve the secret value, this article recalls the need for Fault Injection and Side-Channel Analysis countermeasures as monolithic implementations.

Method for writing in a non-volatile memory of an electronic entity, and related electronic entity

The design of robust countermeasures against Side-Channel Analysis or Fault Attacks is always a challenging task. At WISTP’14, a single countermeasure designed to thwart in the same effort both kinds of attacks was presented. This countermeasure is based on coding theory and consists in a specific encoding of the manipulated data acting in the same time as a random masking and an error detector. In this paper, we prove that this countermeasure does not meet the ambitious objectives claimed by its authors. Indeed, we exhibit a bias in the distribution of the masked values that can be exploited to retrieve the sensitive data from the observed side-channel leakage. Going further, we show that this bias is inherent to the nature of the encoding and that randomizing the code itself can be useful to reduce the bias but cannot completely fix the scheme.