No code checker is unbreakable
Java Card technology is used today in billions of SIM cards and chip-and-pin bankcards around the world. A critical security vulnerability in the Java Card byte code verifier was exposed by Guillaume Bouffard (ANSSI[1]) and Julien Lancia (Thales) in 2015, and their work has made these cards significantly more secure.
Thanks to Java Card, multiple Java-based applications (applets) can be run on a single smartcard and new applications can be installed by card manufacturers at any time to meet user demand. Verification of the bytecode[2] is crucially important to prevent any malicious code from being installed and subsequently allowing sensitive information to be accessed. This check can be performed off-card, before the bytecode is installed, or on-card, after installation.
Over a year-long period, Guillaume Bouffard, based at ANSSI's LSC component security laboratory, and Julien Lancia, an engineer at Thales's ITSEF[3] facility, combined their skills and resources to fuzz-test[4] Oracle's Byte Code Verifier (BCV), a crucial element in the installation chain for applications in the Java Card environment. Before being installed, each application is checked and signed by a trusted authority to prove its validity with respect to the BCV.
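To make the two ideas above concrete, here is an added example (not the researchers' harness and not Oracle's BCV) built around a constructed toy stack-machine instruction set. `verify` is a miniature bytecode verifier that abstractly interprets a program over operand *types* and rejects stack underflow, overflow, missing returns and type confusion (an integer used where an object reference is expected). `interpret` is a concrete reference interpreter that faults on exactly those misuses at run time, and `fuzz_verifier` is the differential fuzzing loop: generate random programs and check that everything the verifier accepts executes cleanly. Passing `check_types=False` constructs a deliberately weakened verifier, and the fuzzer finds an ill-formed program that it lets through. All opcode names, the `MAX_STACK` limit and the field-value rule are assumptions of this example.

```python
import random

# Constructed toy instruction set for illustration; not Java Card bytecode.
MAX_STACK = 4
OPS = ["PUSH_INT", "PUSH_REF", "DUP", "POP", "IADD", "GETFIELD", "RET"]


class Fault(Exception):
    """Raised by the concrete interpreter on a run-time safety violation."""


def verify(program, max_stack=MAX_STACK, check_types=True):
    """Abstract interpretation over operand types (the job of a bytecode verifier).
    Returns True only if no instruction can underflow, overflow or misuse a type.
    check_types=False models a defective verifier that skips type checks."""
    stack = []  # abstract stack: element types, not values

    def pop(expected=None):
        if not stack:
            return False  # would underflow at run time
        actual = stack.pop()
        return (not check_types) or expected is None or actual == expected

    for op, arg in program:
        if op == "PUSH_INT":
            stack.append("int")
        elif op == "PUSH_REF":
            stack.append("ref")
        elif op == "DUP":
            if not stack:
                return False
            stack.append(stack[-1])
        elif op == "POP":
            if not pop():
                return False
        elif op == "IADD":
            if not (pop("int") and pop("int")):
                return False
            stack.append("int")
        elif op == "GETFIELD":
            if not pop("ref"):  # dereferencing an int here is the classic type confusion
                return False
            stack.append("int")
        elif op == "RET":
            return True
        else:
            return False  # unknown opcode
        if len(stack) > max_stack:
            return False  # would overflow at run time
    return False  # fell off the end without RET


def interpret(program, max_stack=MAX_STACK):
    """Concrete reference execution over tagged values; faults on misuse."""
    stack = []

    def pop(expected=None):
        if not stack:
            raise Fault("stack underflow")
        tag, val = stack.pop()
        if expected is not None and tag != expected:
            raise Fault(f"type confusion: expected {expected}, got {tag}")
        return val

    def push(item):
        if len(stack) >= max_stack:
            raise Fault("stack overflow")
        stack.append(item)

    for op, arg in program:
        if op == "PUSH_INT":
            push(("int", arg))
        elif op == "PUSH_REF":
            push(("ref", arg))  # arg plays the role of an object id
        elif op == "DUP":
            if not stack:
                raise Fault("stack underflow")
            push(stack[-1])
        elif op == "POP":
            pop()
        elif op == "IADD":
            b, a = pop("int"), pop("int")
            push(("int", a + b))
        elif op == "GETFIELD":
            oid = pop("ref")
            push(("int", oid * 10))  # constructed rule: field value = 10 * object id
        elif op == "RET":
            return stack[-1] if stack else None
    raise Fault("fell off the end of the program")


def random_program(rng, length):
    return [(rng.choice(OPS), rng.randint(0, 9)) for _ in range(length)]


def fuzz_verifier(verifier, iterations=2000, seed=1):
    """Differential fuzzing: return a program the verifier accepts but that
    faults when executed (a soundness bug), or None if none is found."""
    rng = random.Random(seed)
    for _ in range(iterations):
        prog = random_program(rng, rng.randint(1, 8))
        if verifier(prog):
            try:
                interpret(prog)
            except Fault:
                return prog
    return None


if __name__ == "__main__":
    print("strict verifier counterexample:", fuzz_verifier(verify))
    weak = lambda p: verify(p, check_types=False)
    print("weakened verifier counterexample:", fuzz_verifier(weak))
```

The strict verifier yields no counterexample, while the weakened one is caught quickly with a program such as a `PUSH_INT` followed by `GETFIELD`, which is the shape of defect a verifier must rule out before an applet is loaded: once a type-confused program is accepted, the interpreter itself has no further check to stop it.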
An exploitable vulnerability, now corrected
The two researchers demonstrated a vulnerability in the BCV, which was not detecting certain ill-formed applets. Attackers exploiting this vulnerability would have access to everything on a card: PIN code, 2G/3G network authentication keys, banking keys involved in mobile payment…
The researchers reported the problem to Oracle so it could be fixed before their work was published, in accordance with the principle of responsible disclosure. Oracle acted quickly and the fault no longer appears in the new version of the BCV, used today by Java Card developers.
A successful partnership
Guillaume Bouffard and Julien Lancia's work was commended in the embedded security community and their paper was presented at the and conferences and again at , where it was cited as one of the most significant publications of the year.
Illustrating the continuing ties between Thales's ITSEF facility and ANSSI, the authors are pursuing their collaboration on other issues. At the ITSEF, Julien Lancia, who has a PhD in computer science,[5] is currently focusing on trusted execution environments and continues to investigate attack pathways into embedded systems: just some of the ways that Thales's ethical hackers are working every day to evaluate the security and dependability of critical applications for the benefit of customers.
Find out more:
Download the article “” by Guillaume Bouffard and Julien Lancia.
Further reading:
Ethical hackers vs. Cyberpirates
Secure embedded systems: the dedicated Thales lab that measures component reliability and security