When Mobile Code and Smart Cards Meet:
Java Card Security
Gary McGraw, Ph.D.
Vice President, Corporate Technology
Cigital
http://www.cigital.com
This lecture made possible by...
• Software Risk Management authority:
– safety, security, reliability
– services and technology for making software behave
• Clients include:
– Visa, Agile, Microstrategy, Ericsson, Motorola,
Microsoft, NSF, DARPA, NIST’s Advanced Technology
Program
Why use mobile code?
• Offload processing
from servers
– CGI bottlenecks
– look and feel
problems
– cross-platform
solution desirable
• Mobile devices
– Phones
– Smart cards
– PDAs
• Managing highly
interconnected
distributed systems
– the famed Internet
toaster
– IP numbers for
everything!
– we’ve only scratched
the surface
3
Mobile code is smart
• Code that traverses the network during its
lifetime and executes at the destination
machine
– send around data that automatically executes
– the more platforms, the better
– embedded, mobile devices need this!
• Many forms
– Java, ActiveX, Postscript, TCL/tk, Word macros,
JavaScript, VBScript, ...
4
Mobile code is dumb
• Running somebody else’s
code is risky
• What might it do?
• What if it is hostile?
• How can we protect
against possible attack?
Not a new problem!
IEEE IC, 2(6), Nov/Dec 1998
5
A brief history
• 1980s
– downloading arbitrary
binaries and executing
them is a BAD IDEA
– Archie and ftp
– risks include:
• Trojan Horses
• viruses
– checksumming to the
rescue?
• 1992
– the Web arrives
– Archie dies
• 1995
– Java and Javascript
introduce widespread
mobile code
– the concept virus
appears
• 1999
– Melissa
• 2000
– The Love Bug
6
Mobile code and security
• JavaScript
– invasion of privacy
– denial of service
– Web spoofing
• Macro problems
– the concept virus
– the Melissa virus
– the Love Bug
• ActiveX
– system modification
attacks
– stealing money
• Java security
– more power equals
more risk
– attack applets in the
lab
7
The classic security tradeoff
8
Java’s answer
• Add as much
functionality as is
prudent while
managing security
risks
• JDK 1.0.2 Sandbox
• JDK 1.1 Code signing
• Java 2 Shades of
gray
• JVMs for mobility
• Java Virtual Machine
• A language-based
approach to mobile
code security is
complex
• Java is by far the
best approach
available
• Java has had real
security problems
9
A question of trust
10
Untrusted code is restricted
• The Virtual Machine mediates access
• Some code cannot make direct system calls
• Code can be forbidden to:
–
–
–
–
access the filesystem
open sockets (except back home)
interfere with other applets
spy on the local environment
• See Frank Yellin’s paper or Java Security
– Java Security Hotlist
– http://www.rstcorp.com/javasecurity/hotlist.html
Type safety
• Each piece of memory has a type
• Type system must work for security to work
– type safety is the cornerstone of Java security
– guarantee that a program can’t treat pointers as
integers and vice versa
• Java uses static type checking to ensure this
• Because the type system is complicated, it is
error prone
Note: type safety is NOT security
The original sandbox
The Byte Code Verifier
• Verify Java byte code before running it
The Class Loader System
• Load local and network classes separately
The Security Manager
• Keep tabs on “dangerous” methods
Four attack classes
• System modification
• Invasion of privacy
There is some
overlap among these
classes, but they
make the risks easier
to understand
• Denial of service
• Antagonism
A chronology of attack applets
• February 96: DNS flaw in JDK
1.0.1
• March 96: Path name bug
• March 96: Princeton Class
Loader bug
• May 96: type casting attack
• June 96: Array type
implementation error
• July 96: More type casting
problems
• August 96:Flaw in Microsoft’s
Java VM
• February 97: Invasion of
Privacy attack applets
• March 97: JVM hole
• April 97: Code signing flaw
• May 97: Verifier problems
discovered in many VMs
• July 97: Vacuum bug
• August 97: redirect bug
• July 98: ClassLoader bug
• March 99: Verifier hole
• August 99: Race condition
• October 99: Verifier hole 2
• August 2000: Brown Orifice
• October 2000: ActiveX/Java
All of these bugs have been fixed.
15
JDK 1.1
• Classes for developers of secure systems
– Crypto API started
• SHA, MD5, digital signatures
– More crypto in U.S.
• DES
• possibly RSA
• Signed applets
– JDK 1.1 signing makes classes “local” (system)
– trust models introduced
Java 2
• Fine-grained access
control
– no longer requires hacking
ClassLoader and
SecurityManager
• Configurable security
policy
– this is very hard to do
correctly
– managing policy
• Extensible access control
structure
– typed permissions and
automatic handling
• Trust little stance
– built-in code will no longer
be trusted
– signed local classes
– no more hacking the zip
archive!
Stack inspection
• Security decisions in
Java 2 are made by
searching the
runtime call stack
– this is an
implementation
dependent strategy
– seemingly ad hoc
– restricts compiler
optimization
• All three vendors use
variation of stack
inspection
• Very little prior art
– LISP dynamic binding
– effective UID in unix
• Formalized by the
Princeton team
Mobile code on smart cards
Java Virtual Machines get small
What is a smart card?
• A simple processor
embedded in a plastic
card
– Same size as a credit card
• New technology allows
multiple applications on
the same card
• Useful for hundreds of
applications
– Debit, credit, cash
– Identity, cryptography
20
How Java and smart cards mix
• Java Card is a stripped down version of Java for
smart cards
– up to version 2.1 (and security is improving)
– one major vendor behind Java Card is Visa
• Java Card makes multi-application cards based
on a common platform possible
– open up smart card development
– use a real language
21
How can Java fit on a card?
•
•
•
•
•
Supported Java
Features
packages
dynamic object
creation
virtual methods
interfaces
exceptions
•
•
•
•
•
•
Unsupported Java
Features
dynamic class loading
security manager
threading
object cloning
garbage collection
large data types
22
Multi-application cards
• Multi-application cards are an important goal
– getting more developers on board is essential
• Multiple applets can execute on a card
– credit, debit, e-cash, loyalty programs
• Explicit and covert channels between applets
must be eliminated
– software risk management
23
Java Card security != Java security
Good
• no dynamic class loading
– type safety issues
• only one active applet
• no threading
• objects include
rudimentary access
control
Bad
• applets added post
issuance (ARGH)
• no sandbox
– trusted code required
•
•
•
•
native method calls
no garbage collection
object sharing complexity
out of band verification
24
Security risks in Java Card 2.1
• protocol interactions
– sharing secrets
between protocols
introduces new
problems
• security is hard
– linking, export, CAP
files
– native methods
– verification
– object sharing
• multi-application risks
– applets MUST behave
• the usual suspects
apply
– physical attacks
– side-channel
monitoring (DPA)
– the terminal problem
25
Multi-application issues
Secure Features
• no dynamic class
loading
– reduces threat of
malicious applets
• no multi-threading
– non-interference
• applet firewalls
– prevents referencing
another applet’s
objects
Risks and Assumptions
• trust-based applet
model
– assume applets are
non-malicious
– security testing
• JCRE must be perfect
– prevents collusion
• more developers?!
26
Physical attacks still apply
• Physical attacks attempt to reverse engineer
card or monitor a running card to obtain card
secrets
– Differential power analysis (Kocher)
– No card is tamper proof (Anderson & Kuhn)
• Cards often include secrets from owner
• Some secrets could be used to add functionality
and/or add value
– Cost of hacking the card must be greater than return
on investment
27
The terminal problem
• No trusted interface for interacting with users
• A common solution is to use PCs
– but PCs are easily hacked
– windows 95/98 are inherently insecure
• Some suggestions
– palm pilot? (Felten’s Usenix 99 paper)
– simple dedicated devices
28
Protocol interaction risks
• Unintended protocol interactions pose risks:
– secure protocols do not necessarily compose
– different protocols share same key material
– observation of protocol P can be used against Q
• Shared key material is motivated by:
– digital certificates for multi-applications
– small memory for public/private key pairs
– crypto APIs
29
Security is harder than it sounds
• Java Card is not truly
“cross platform”
– byte code  CAP
– export files
• linking problems
– no strings, thus tables
• code verification?
– before conversion
• exception handling
• native methods BAD
• INT? (32 bits)
• applet testing and
debugging issues
• sharing methods among
applets (difficult)
• ISO 7816 APDU
problems
• hostile applets
– denial of service
30
What to do?
• Assume the platform is secure
– it really is getting better
• Applets must be carefully designed and
implemented
• Testing applets for security is essential
• Java Card Security = platform + applets
• Did I say security testing?
31
Conclusion
• Java Card and other flavors of Java will open
new markets
• New technologies pose significant risks when
deployed in security-critical applications
– Java Card mitigates some risks associated with Java
such as dynamic class loading
– Existence of multiple applets (mobile code) is a
significant risk that must be mitigated by solid
software risk management
32
Where to learn more
Cigital provides expert advice on
smart card and mobile system
software security issues.
• Contact Pat Higgens
(phiggens@cigital.com)
• http://www.securingjava.com
– Chapter 8: Java Card Security
http://www.cigital.com
gem@cigital.com
33