{"id":144,"date":"2009-01-18T17:27:20","date_gmt":"2009-01-18T16:27:20","guid":{"rendered":"http:\/\/172.22.49.24\/?p=144"},"modified":"2009-01-18T17:27:20","modified_gmt":"2009-01-18T16:27:20","slug":"keynote-sstic-2009-injection-de-code-dans-une-javacard","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/","title":{"rendered":"Keynote SSTIC 2009 \u2013 Code injection into a Javacard"},"content":{"rendered":"<p>Presentation: <strong>Jean-Louis LANET, Julien IGUCHI-CARTIGNY<\/strong><\/p>\n<p>Javacards include a Java VM. To what extent is it possible to <strong>bypass the normal use of applications<\/strong> on these smart cards?<\/p>\n<ul>\n<li>The system relies on <span style=\"text-decoration: underline;\">strong typing<\/span> and the bytecode is verified, so a priori it is harder to reach arbitrary memory areas.<\/li>\n<li>Applications are isolated from one another by the &quot;<span style=\"text-decoration: underline;\">firewall<\/span>&quot;, which controls access rights from one application to another. Despite this, it turns out that only instances are filtered, not the classes themselves (and their static methods)!<\/li>\n<li>Finally, an applet can only be loaded after prior authentication of the application.<\/li>\n<\/ul>\n<p>What&#039;s interesting is that <strong>bytecode verification is not performed on the card itself<\/strong> (in most cases). 
It is therefore possible to modify the code after this verification and then load it onto the card.<br \/>\nAs an example, to replace the call made when an invalid PIN code is entered (a standard application), the attack is carried out in 3 steps.<\/p>\n<p>1. <strong>Modify the CAP file (verified bytecode):<\/strong> By manipulating the Java stack, one can modify a method of the application so that it returns the memory address of the argument passed to it.<br \/>\nThis method is used to retrieve the address of the array containing the code to execute, as well as the address of the &quot;trojan&quot; instance.<\/p>\n<p>2. <strong>Modify the code itself (JVM):<\/strong> The Java linker rewrites the addresses used in the code, in particular the references. This behaviour prevents an arbitrary memory address from being specified.<br \/>\nTherefore, the &quot;<span style=\"text-decoration: underline;\">reference location<\/span>&quot; entry is removed from the compiled file, which removes the address translation for that reference.<br \/>\nThus, an arbitrary address placed there is not replaced, and modification of the Javacard memory becomes possible: success.<\/p>\n<p>3. 
<strong>Replace the &quot;invoke&quot; of the method<\/strong> to be erased with an invoke of the address of the array containing bytecode that does nothing (a sort of shellcode, in short), using putstatic with the address of the array, provided it is a valid method structure.<\/p>\n<p>With all that in place, it only remains to scan memory for the pattern to neutralise and replace the invoke with the &quot;nop&quot; invoke, which does nothing.<\/p>\n<p>However, <strong>not all cards are compatible<\/strong>: in particular, if they embed an on-card bytecode verifier, the cards &quot;commit suicide&quot;.<br \/>\nOther methods allow memory to be traversed, such as type casting (it works quite well, but relies on a flaw in the VM).<\/p>\n<p>Countermeasures exist: runtime bytecode checks have been implemented for testing and work very well. They do not make the binary much larger, but execution time is lengthened.<br \/>\nThe option remains to enable them only on certain sensitive methods.<\/p>\n<p>The next step in this study: <strong>executing native code<\/strong> (leaving the JVM), for example to dump the ROM.<\/p>","protected":false},"excerpt":{"rendered":"<p>Presentation: Jean-Louis LANET, Julien IGUCHI-CARTIGNY. Javacards include a Java VM. 
To what extent [\u2026]<\/p>","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,22],"tags":[65],"class_list":["post-144","post","type-post","status-publish","format-standard","hentry","category-evaluation-securite","category-veille-securite","tag-sstic"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.8) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Keynote SSTIC 2009 - Injection de code dans une javacard - INTRINSEC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Keynote SSTIC 2009 - Injection de code dans une javacard\" \/>\n<meta property=\"og:description\" content=\"Pr\u00e9sentation :\u00a0Jean-Louis\u00a0 LANET , Julien\u00a0 IGUCHI-CARTIGNY Les Javacards embarquent une VM Java. Dans quelle mesure [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2009-01-18T16:27:20+00:00\" \/>\n<meta name=\"author\" content=\"Cyrille BARTHELEMY\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:site\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cyrille BARTHELEMY\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/\"},\"author\":{\"name\":\"Cyrille BARTHELEMY\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/4d0993f0e377e77d13e97f623123e109\"},\"headline\":\"Keynote SSTIC 2009 &#8211; Injection de code dans une javacard\",\"datePublished\":\"2009-01-18T16:27:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/\"},\"wordCount\":545,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"keywords\":[\"SSTIC\"],\"articleSection\":[\"S\u00e9curit\u00e9 offensive &amp; Audit\",\"Veille S\u00e9curit\u00e9\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/\",\"name\":\"Keynote SSTIC 2009 - Injection de code dans une javacard - 
INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"datePublished\":\"2009-01-18T16:27:20+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/keynote-sstic-2009-injection-de-code-dans-une-javacard\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Keynote SSTIC 2009 &#8211; Injection de code dans une javacard\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le 
v\u00f4tre\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\",\"name\":\"INTRINSEC\",\"alternateName\":\"ISEC\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"width\":1322,\"height\":1322,\"caption\":\"INTRINSEC\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/Intrinsec\",\"https:\\\/\\\/fr.linkedin.com\\\/company\\\/intrinsec\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC0trUZAHNZOUbxYnNdecM4A\"],\"description\":\"soci\u00e9t\u00e9 de consulting, pure player cybers\u00e9curit\u00e9 fran\u00e7ais et europ\u00e9en depuis plus de 30ans, sp\u00e9cialiste dans la s\u00e9curit\u00e9 offensive & audit (pentest\\\/red team), GRC, et services IMSS comme le SOC, CTI et CERT Intrinsec est qualifi\u00e9 PASSI Elev\u00e9, PRIS Elev\u00e9 et PACS par l'ANSSI\",\"email\":\"contact@intrinsec.com\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/4d0993f0e377e77d13e97f623123e109\",\"name\":\"Cyrille 
BARTHELEMY\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"caption\":\"Cyrille BARTHELEMY\"},\"sameAs\":[\"https:\\\/\\\/www.intrinsec.com\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/cby\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Keynote SSTIC 2009 - Code injection into a Javacard - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/","og_locale":"en_US","og_type":"article","og_title":"Keynote SSTIC 2009 - Injection de code dans une javacard","og_description":"Pr\u00e9sentation :\u00a0Jean-Louis\u00a0 LANET , Julien\u00a0 IGUCHI-CARTIGNY Les Javacards embarquent une VM Java. Dans quelle mesure [&hellip;]","og_url":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/","og_site_name":"INTRINSEC","article_published_time":"2009-01-18T16:27:20+00:00","author":"Cyrille BARTHELEMY","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Cyrille BARTHELEMY","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/"},"author":{"name":"Cyrille BARTHELEMY","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/4d0993f0e377e77d13e97f623123e109"},"headline":"Keynote SSTIC 2009 &#8211; Injection de code dans une javacard","datePublished":"2009-01-18T16:27:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/"},"wordCount":545,"commentCount":0,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"keywords":["SSTIC"],"articleSection":["S\u00e9curit\u00e9 offensive &amp; Audit","Veille S\u00e9curit\u00e9"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/","url":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/","name":"Keynote SSTIC 2009 - Code injection into a Javacard - 
INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"datePublished":"2009-01-18T16:27:20+00:00","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-injection-de-code-dans-une-javacard\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Keynote SSTIC 2009 &#8211; Injection de code dans une javacard"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/channel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinse
c, a consulting firm and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/4d0993f0e377e77d13e97f623123e109","name":"Cyrille BARTHELEMY","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","caption":"Cyrille BARTHELEMY"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/cby\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=144"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/144\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=14
4"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}