SlideShare a Scribd company logo

java-card202320249999999999999999999999999999999999999999999999999999999999999999999999999999999.ppt

Download as PPT, PDF
O
ouahibakellou

les base de la carte a puce

Engineering
1 of 33
When Mobile Code and Smart Cards Meet: Java Card Security Gary McGraw, Ph.D. Vice President, Corporate Technology Cigital http://www.cigital.com
This lecture made possible by... • Software Risk Management authority: – safety, security, reliability – services and technology for making software behave • Clients include: – Visa, Agile, Microstrategy, Ericsson, Motorola, Microsoft, NSF, DARPA, NIST’s Advanced Technology Program
3 Why use mobile code? • Offload processing from servers – CGI bottlenecks – look and feel problems – cross-platform solution desirable • Mobile devices – Phones – Smart cards – PDAs • Managing highly interconnected distributed systems – the famed Internet toaster – IP numbers for everything! – we’ve only scratched the surface
4 Mobile code is smart • Code that traverses the network during its lifetime and executes at the destination machine – send around data that automatically executes – the more platforms, the better – embedded, mobile devices need this! • Many forms – Java, ActiveX, Postscript, TCL/tk, Word macros, JavaScript, VBScript, ...
5 Mobile code is dumb • Running somebody else’s code is risky • What might it do? • What if it is hostile? • How can we protect against possible attack? Not a new problem! IEEE IC, 2(6), Nov/Dec 1998
6 A brief history • 1980s – downloading arbitrary binaries and executing them is a BAD IDEA – Archie and ftp – risks include: • Trojan Horses • viruses – checksumming to the rescue? • 1992 – the Web arrives – Archie dies • 1995 – Java and Javascript introduce widespread mobile code – the concept virus appears • 1999 – Melissa • 2000 – The Love Bug
7 Mobile code and security • JavaScript – invasion of privacy – denial of service – Web spoofing • Macro problems – the concept virus – the Melissa virus – the Love Bug • ActiveX – system modification attacks – stealing money • Java security – more power equals more risk – attack applets in the lab
8 The classic security tradeoff
9 Java’s answer • Add as much functionality as is prudent while managing security risks • JDK 1.0.2 Sandbox • JDK 1.1 Code signing • Java 2 Shades of gray • JVMs for mobility • Java Virtual Machine • A language-based approach to mobile code security is complex • Java is by far the best approach available • Java has had real security problems
10 A question of trust
Untrusted code is restricted • The Virtual Machine mediates access • Some code cannot make direct system calls • Code can be forbidden to: – access the filesystem – open sockets (except back home) – interfere with other applets – spy on the local environment • See Frank Yellin’s paper or Java Security – Java Security Hotlist – http://www.rstcorp.com/javasecurity/hotlist.html
Type safety • Each piece of memory has a type • Type system must work for security to work – type safety is the cornerstone of Java security – guarantee that a program can’t treat pointers as integers and vice versa • Java uses static type checking to ensure this • Because the type system is complicated, it is error prone Note: type safety is NOT security
The original sandbox The Byte Code Verifier • Verify Java byte code before running it The Class Loader System • Load local and network classes separately The Security Manager • Keep tabs on “dangerous” methods
Four attack classes • System modification • Invasion of privacy • Denial of service • Antagonism There is some overlap among these classes, but they make the risks easier to understand
15 A chronology of attack applets • February 96: DNS flaw in JDK 1.0.1 • March 96: Path name bug • March 96: Princeton Class Loader bug • May 96: type casting attack • June 96: Array type implementation error • July 96: More type casting problems • August 96:Flaw in Microsoft’s Java VM • February 97: Invasion of Privacy attack applets • March 97: JVM hole • April 97: Code signing flaw • May 97: Verifier problems discovered in many VMs • July 97: Vacuum bug • August 97: redirect bug • July 98: ClassLoader bug • March 99: Verifier hole • August 99: Race condition • October 99: Verifier hole 2 • August 2000: Brown Orifice • October 2000: ActiveX/Java All of these bugs have been fixed.
JDK 1.1 • Classes for developers of secure systems – Crypto API started • SHA, MD5, digital signatures – More crypto in U.S. • DES • possibly RSA • Signed applets – JDK 1.1 signing makes classes “local” (system) – trust models introduced
Java 2 • Fine-grained access control – no longer requires hacking ClassLoader and SecurityManager • Configurable security policy – this is very hard to do correctly – managing policy • Extensible access control structure – typed permissions and automatic handling • Trust little stance – built-in code will no longer be trusted – signed local classes – no more hacking the zip archive!
Stack inspection • Security decisions in Java 2 are made by searching the runtime call stack – this is an implementation dependent strategy – seemingly ad hoc – restricts compiler optimization • All three vendors use variation of stack inspection • Very little prior art – LISP dynamic binding – effective UID in unix • Formalized by the Princeton team
Mobile code on smart cards Java Virtual Machines get small
20 What is a smart card? • A simple processor embedded in a plastic card – Same size as a credit card • New technology allows multiple applications on the same card • Useful for hundreds of applications – Debit, credit, cash – Identity, cryptography
21 How Java and smart cards mix • Java Card is a stripped down version of Java for smart cards – up to version 2.1 (and security is improving) – one major vendor behind Java Card is Visa • Java Card makes multi-application cards based on a common platform possible – open up smart card development – use a real language
22 How can Java fit on a card? Supported Java Features • packages • dynamic object creation • virtual methods • interfaces • exceptions Unsupported Java Features • dynamic class loading • security manager • threading • object cloning • garbage collection • large data types
23 Multi-application cards • Multi-application cards are an important goal – getting more developers on board is essential • Multiple applets can execute on a card – credit, debit, e-cash, loyalty programs • Explicit and covert channels between applets must be eliminated – software risk management
24 Java Card security != Java security Good • no dynamic class loading – type safety issues • only one active applet • no threading • objects include rudimentary access control Bad • applets added post issuance (ARGH) • no sandbox – trusted code required • native method calls • no garbage collection • object sharing complexity • out of band verification
25 Security risks in Java Card 2.1 • protocol interactions – sharing secrets between protocols introduces new problems • security is hard – linking, export, CAP files – native methods – verification – object sharing • multi-application risks – applets MUST behave • the usual suspects apply – physical attacks – side-channel monitoring (DPA) – the terminal problem
26 Multi-application issues Secure Features • no dynamic class loading – reduces threat of malicious applets • no multi-threading – non-interference • applet firewalls – prevents referencing another applet’s objects Risks and Assumptions • trust-based applet model – assume applets are non-malicious – security testing • JCRE must be perfect – prevents collusion • more developers?!
27 Physical attacks still apply • Physical attacks attempt to reverse engineer card or monitor a running card to obtain card secrets – Differential power analysis (Kocher) – No card is tamper proof (Anderson & Kuhn) • Cards often include secrets from owner • Some secrets could be used to add functionality and/or add value – Cost of hacking the card must be greater than return on investment
28 The terminal problem • No trusted interface for interacting with users • A common solution is to use PCs – but PCs are easily hacked – windows 95/98 are inherently insecure • Some suggestions – palm pilot? (Felten’s Usenix 99 paper) – simple dedicated devices
29 Protocol interaction risks • Unintended protocol interactions pose risks: – secure protocols do not necessarily compose – different protocols share same key material – observation of protocol P can be used against Q • Shared key material is motivated by: – digital certificates for multi-applications – small memory for public/private key pairs – crypto APIs
30 Security is harder than it sounds • Java Card is not truly “cross platform” – byte code  CAP – export files • linking problems – no strings, thus tables • code verification? – before conversion • exception handling • native methods BAD • INT? (32 bits) • applet testing and debugging issues • sharing methods among applets (difficult) • ISO 7816 APDU problems • hostile applets – denial of service
31 What to do? • Assume the platform is secure – it really is getting better • Applets must be carefully designed and implemented • Testing applets for security is essential • Java Card Security = platform + applets • Did I say security testing?
32 Conclusion • Java Card and other flavors of Java will open new markets • New technologies pose significant risks when deployed in security-critical applications – Java Card mitigates some risks associated with Java such as dynamic class loading – Existence of multiple applets (mobile code) is a significant risk that must be mitigated by solid software risk management
33 Where to learn more Cigital provides expert advice on smart card and mobile system software security issues. • Contact Pat Higgens (phiggens@cigital.com) • http://www.securingjava.com – Chapter 8: Java Card Security http://www.cigital.com gem@cigital.com

Recommended

Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 

Recommended

Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
19-f15-mobile-security.pptx
19-f15-mobile-security.pptx19-f15-mobile-security.pptx
19-f15-mobile-security.pptxJhansigali
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.pptajajkhan16
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Cryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsCryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsSashank Dara
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017FRSecure
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3Setia Juli Irzal Ismail
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack SecuredJohn Kinsella
 
From java to android a security analysis
From java to android a security analysisFrom java to android a security analysis
From java to android a security analysisPragati Rai
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Apostolos Giannakidis
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateMahaut Gouhier
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam261127
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptxMuhib Ahmad Sherwani
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5FRSecure
 
Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010Iddan Halevy
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 

More Related Content

Similar to java-card202320249999999999999999999999999999999999999999999999999999999999999999999999999999999.ppt

19-f15-mobile-security.pptx
19-f15-mobile-security.pptx19-f15-mobile-security.pptx
19-f15-mobile-security.pptxJhansigali
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.pptajajkhan16
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Cryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsCryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsSashank Dara
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017FRSecure
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
From java to android a security analysis
From java to android a security analysisFrom java to android a security analysis
From java to android a security analysisPragati Rai
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Apostolos Giannakidis
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateMahaut Gouhier
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam261127
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5FRSecure
 
Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010Iddan Halevy
 

Similar to java-card202320249999999999999999999999999999999999999999999999999999999999999999999999999999999.ppt (20)

19-f15-mobile-security.pptx
19-f15-mobile-security.pptx19-f15-mobile-security.pptx
19-f15-mobile-security.pptx
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.ppt
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Cryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsCryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public Clouds
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
From java to android a security analysis
From java to android a security analysisFrom java to android a security analysis
From java to android a security analysis
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.Monate
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5
 
Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010
 

Recently uploaded

Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...asadnawaz62
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and usesDevarapalliHaritha
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxvipinkmenon1
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 

Recently uploaded (20)

Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examplesPOWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examples
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptx
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 

java-card202320249999999999999999999999999999999999999999999999999999999999999999999999999999999.ppt

  • 1. When Mobile Code and Smart Cards Meet: Java Card Security Gary McGraw, Ph.D. Vice President, Corporate Technology Cigital http://www.cigital.com
  • 2. This lecture made possible by... • Software Risk Management authority: – safety, security, reliability – services and technology for making software behave • Clients include: – Visa, Agile, Microstrategy, Ericsson, Motorola, Microsoft, NSF, DARPA, NIST’s Advanced Technology Program
  • 3. 3 Why use mobile code? • Offload processing from servers – CGI bottlenecks – look and feel problems – cross-platform solution desirable • Mobile devices – Phones – Smart cards – PDAs • Managing highly interconnected distributed systems – the famed Internet toaster – IP numbers for everything! – we’ve only scratched the surface
  • 4. 4 Mobile code is smart • Code that traverses the network during its lifetime and executes at the destination machine – send around data that automatically executes – the more platforms, the better – embedded, mobile devices need this! • Many forms – Java, ActiveX, Postscript, TCL/tk, Word macros, JavaScript, VBScript, ...
  • 5. 5 Mobile code is dumb • Running somebody else’s code is risky • What might it do? • What if it is hostile? • How can we protect against possible attack? Not a new problem! IEEE IC, 2(6), Nov/Dec 1998
  • 6. 6 A brief history • 1980s – downloading arbitrary binaries and executing them is a BAD IDEA – Archie and ftp – risks include: • Trojan Horses • viruses – checksumming to the rescue? • 1992 – the Web arrives – Archie dies • 1995 – Java and Javascript introduce widespread mobile code – the concept virus appears • 1999 – Melissa • 2000 – The Love Bug
  • 7. 7 Mobile code and security • JavaScript – invasion of privacy – denial of service – Web spoofing • Macro problems – the concept virus – the Melissa virus – the Love Bug • ActiveX – system modification attacks – stealing money • Java security – more power equals more risk – attack applets in the lab
  • 9. 9 Java’s answer • Add as much functionality as is prudent while managing security risks • JDK 1.0.2 Sandbox • JDK 1.1 Code signing • Java 2 Shades of gray • JVMs for mobility • Java Virtual Machine • A language-based approach to mobile code security is complex • Java is by far the best approach available • Java has had real security problems
  • 11. Untrusted code is restricted • The Virtual Machine mediates access • Some code cannot make direct system calls • Code can be forbidden to: – access the filesystem – open sockets (except back home) – interfere with other applets – spy on the local environment • See Frank Yellin’s paper or Java Security – Java Security Hotlist – http://www.rstcorp.com/javasecurity/hotlist.html
  • 12. Type safety • Each piece of memory has a type • Type system must work for security to work – type safety is the cornerstone of Java security – guarantee that a program can’t treat pointers as integers and vice versa • Java uses static type checking to ensure this • Because the type system is complicated, it is error prone Note: type safety is NOT security
  • 13. The original sandbox The Byte Code Verifier • Verify Java byte code before running it The Class Loader System • Load local and network classes separately The Security Manager • Keep tabs on “dangerous” methods
  • 14. Four attack classes • System modification • Invasion of privacy • Denial of service • Antagonism There is some overlap among these classes, but they make the risks easier to understand
  • 15. 15 A chronology of attack applets • February 96: DNS flaw in JDK 1.0.1 • March 96: Path name bug • March 96: Princeton Class Loader bug • May 96: type casting attack • June 96: Array type implementation error • July 96: More type casting problems • August 96:Flaw in Microsoft’s Java VM • February 97: Invasion of Privacy attack applets • March 97: JVM hole • April 97: Code signing flaw • May 97: Verifier problems discovered in many VMs • July 97: Vacuum bug • August 97: redirect bug • July 98: ClassLoader bug • March 99: Verifier hole • August 99: Race condition • October 99: Verifier hole 2 • August 2000: Brown Orifice • October 2000: ActiveX/Java All of these bugs have been fixed.
  • 16. JDK 1.1 • Classes for developers of secure systems – Crypto API started • SHA, MD5, digital signatures – More crypto in U.S. • DES • possibly RSA • Signed applets – JDK 1.1 signing makes classes “local” (system) – trust models introduced
  • 17. Java 2 • Fine-grained access control – no longer requires hacking ClassLoader and SecurityManager • Configurable security policy – this is very hard to do correctly – managing policy • Extensible access control structure – typed permissions and automatic handling • Trust little stance – built-in code will no longer be trusted – signed local classes – no more hacking the zip archive!
  • 18. Stack inspection • Security decisions in Java 2 are made by searching the runtime call stack – this is an implementation dependent strategy – seemingly ad hoc – restricts compiler optimization • All three vendors use variation of stack inspection • Very little prior art – LISP dynamic binding – effective UID in unix • Formalized by the Princeton team
  • 19. Mobile code on smart cards Java Virtual Machines get small
  • 20. 20 What is a smart card? • A simple processor embedded in a plastic card – Same size as a credit card • New technology allows multiple applications on the same card • Useful for hundreds of applications – Debit, credit, cash – Identity, cryptography
  • 21. 21 How Java and smart cards mix • Java Card is a stripped down version of Java for smart cards – up to version 2.1 (and security is improving) – one major vendor behind Java Card is Visa • Java Card makes multi-application cards based on a common platform possible – open up smart card development – use a real language
  • 22. 22 How can Java fit on a card? Supported Java Features • packages • dynamic object creation • virtual methods • interfaces • exceptions Unsupported Java Features • dynamic class loading • security manager • threading • object cloning • garbage collection • large data types
  • 23. 23 Multi-application cards • Multi-application cards are an important goal – getting more developers on board is essential • Multiple applets can execute on a card – credit, debit, e-cash, loyalty programs • Explicit and covert channels between applets must be eliminated – software risk management
  • 24. 24 Java Card security != Java security Good • no dynamic class loading – type safety issues • only one active applet • no threading • objects include rudimentary access control Bad • applets added post issuance (ARGH) • no sandbox – trusted code required • native method calls • no garbage collection • object sharing complexity • out of band verification
  • 25. 25 Security risks in Java Card 2.1 • protocol interactions – sharing secrets between protocols introduces new problems • security is hard – linking, export, CAP files – native methods – verification – object sharing • multi-application risks – applets MUST behave • the usual suspects apply – physical attacks – side-channel monitoring (DPA) – the terminal problem
  • 26. 26 Multi-application issues Secure Features • no dynamic class loading – reduces threat of malicious applets • no multi-threading – non-interference • applet firewalls – prevents referencing another applet’s objects Risks and Assumptions • trust-based applet model – assume applets are non-malicious – security testing • JCRE must be perfect – prevents collusion • more developers?!
  • 27. 27 Physical attacks still apply • Physical attacks attempt to reverse engineer card or monitor a running card to obtain card secrets – Differential power analysis (Kocher) – No card is tamper proof (Anderson & Kuhn) • Cards often include secrets from owner • Some secrets could be used to add functionality and/or add value – Cost of hacking the card must be greater than return on investment
  • 28. 28 The terminal problem • No trusted interface for interacting with users • A common solution is to use PCs – but PCs are easily hacked – windows 95/98 are inherently insecure • Some suggestions – palm pilot? (Felten’s Usenix 99 paper) – simple dedicated devices
  • 29. 29 Protocol interaction risks • Unintended protocol interactions pose risks: – secure protocols do not necessarily compose – different protocols share same key material – observation of protocol P can be used against Q • Shared key material is motivated by: – digital certificates for multi-applications – small memory for public/private key pairs – crypto APIs
  • 30. 30 Security is harder than it sounds • Java Card is not truly “cross platform” – byte code  CAP – export files • linking problems – no strings, thus tables • code verification? – before conversion • exception handling • native methods BAD • INT? (32 bits) • applet testing and debugging issues • sharing methods among applets (difficult) • ISO 7816 APDU problems • hostile applets – denial of service
  • 31. 31 What to do? • Assume the platform is secure – it really is getting better • Applets must be carefully designed and implemented • Testing applets for security is essential • Java Card Security = platform + applets • Did I say security testing?
  • 32. 32 Conclusion • Java Card and other flavors of Java will open new markets • New technologies pose significant risks when deployed in security-critical applications – Java Card mitigates some risks associated with Java such as dynamic class loading – Existence of multiple applets (mobile code) is a significant risk that must be mitigated by solid software risk management
  • 33. 33 Where to learn more Cigital provides expert advice on smart card and mobile system software security issues. • Contact Pat Higgens (phiggens@cigital.com) • http://www.securingjava.com – Chapter 8: Java Card Security http://www.cigital.com gem@cigital.com