CN105282156A - Method and device for detecting firewall holes of Java card

Info

Publication number
CN105282156A
Authority
CN
China
Legal status
Pending
Application number
CN201510686816.9A
Other languages
Chinese (zh)
Inventor
熊熙
吴震
王敏
饶金涛
杜之波
田衡
Current Assignee
Chengdu Xinan Youlika Information Technology Co Ltd
Original Assignee
Chengdu Xinan Youlika Information Technology Co Ltd
Priority date
2015-10-22
Filing date
2015-10-22
Publication date
2016-01-27

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Abstract

The invention provides a method and device for detecting firewall holes of a Java card. The solution is as follows: the structure or execution flow of the Java card is modified by means of disassembly so that any memory on the card can be tentatively accessed. If illegal data on the Java card can be read, the current card has a firewall hole; if a hole exists, the range of data on the card that can be illegally accessed is searched further, so that the size of the hole can be determined.

Description

Method and device for detecting Java card firewall vulnerabilities
Technical field
The present invention relates to the field of smart cards, and in particular to a method and device for detecting firewall vulnerabilities in a Java card.
Background art
With advantages such as multi-application support, good security properties, an object-oriented programming environment and dynamic downloading of applications, the Java smart card has become a mainstream application of the network era and at the same time a major focus of attention. It has not only deepened the application level of Java but also overcome some shortcomings of conventional smart cards, forming a multifunctional and secure platform.
In a Java card, the importance of data confidentiality is beyond question; the bank cards, social security cards and similar cards used in everyday life show it. However, the Java card platform is a multi-application environment in which several different applets can coexist on a single card. To ensure that sensitive information such as account passwords in one Java card application cannot be freely accessed by other applications, an application firewall must therefore be placed between applications to isolate unauthorized access.
As attack techniques specific to Java cards develop, security vulnerabilities in Java cards appear in turn, lowering the security of the whole Java card system; security testing of Java cards has therefore become urgent. The firewall vulnerability is one of the common Java card vulnerabilities: an attacker uses it to illegally read data on the card across the firewall, leaking private data held on the card. At present Java card firewall vulnerabilities are mainly avoided through a series of specifications, but effective means of detecting the firewall vulnerabilities a Java card may have are still lacking.
Therefore, how to improve the present situation, in which effective means of detecting Java card firewall vulnerabilities are lacking, and thereby guard against the potential security hazard of an application on a Java card using a firewall vulnerability to access the data of other applications or of kernel objects, has become a problem that urgently needs to be solved.
Summary of the invention
The object of the invention is to solve the technical problems described above by providing a method and device for effectively detecting Java card firewall vulnerabilities.
To achieve this goal, the invention provides a method for detecting Java card firewall vulnerabilities, characterized by comprising the following steps:
modifying the structure or execution flow of the Java card by means of disassembly, so that any memory on the card can be tentatively accessed;
when illegal data on the Java card is found to be readable, judging that the current card has a firewall vulnerability;
for a given object ID on the card, if a firewall vulnerability is found, continuing to search for the range of data on the card that can be accessed without authorization, so as to determine the size of the vulnerability.
The invention also provides a device for detecting Java card firewall vulnerabilities, the device comprising:
an on-card module which, after its structure or execution flow has been modified by means of disassembly, attempts to access any memory on the card;
a card reader module for sending requests that make the on-card module attempt to access any memory region on the card, judging from the response returned by the on-card module whether a firewall vulnerability exists, and, for a given object ID on the card, searching for the range of data on the card that can be accessed without authorization in order to determine the size of the vulnerability.
The method and device for detecting Java card firewall vulnerabilities according to the invention solve the problem that it is not possible to effectively detect whether a Java card has a firewall vulnerability, and avoid the potential security hazard of an application on the Java card using a firewall vulnerability to access the data of other applications or of kernel objects.
Other features and advantages of the invention will become clear after reading the detailed description of the embodiments with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is a flowchart of the card-side execution of a preferred embodiment of the vulnerability detection method provided by the invention.
Fig. 2 is a flowchart of the card-reader-side execution of a preferred embodiment of the vulnerability detection method provided by the invention.
Fig. 3 is a structural diagram of the vulnerability detection device provided by the invention.
Fig. 4 is a diagram of the card-side generation flow of a preferred embodiment of the vulnerability detection device provided by the invention.
Detailed description of the embodiments
Specific embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of the card-side execution of a preferred embodiment of the vulnerability detection method provided by the invention. As shown in Fig. 1, in step S101 the Java card receives the request sent by the card reader and reads the object ID (of type short) from it.
In step S102, an array of type byte is initialized.
In step S103, it is judged whether the array object's ID represents the ID of a legal object. If the result of step S103 is "Y", processing proceeds to step S104; otherwise, step S105 is performed.
In step S104, a response indicating that reading the illegal data failed is returned to the card reader.
In step S105, the data length L is read from the request.
In step S106, an attempt is made to read data of length L from the array object. If the data can be read, step S107 is performed; otherwise step S104 is performed.
Finally, the data of length L in the array object is returned to the card reader.
Fig. 2 is a flowchart of the card-reader-side execution of a preferred embodiment of the vulnerability detection method provided by the invention. As shown in Fig. 2, in step S201 the current object ID is set to the initial object ID and the read data length is set to 1 byte.
In step S202, the card reader places the current object ID and the current read data length in the data field of a request and sends the request to the Java card.
In step S203, the card reader receives the response returned by the Java card and judges whether data was read from the Java card. If the result of step S203 is "Y", the Java card has a firewall vulnerability and processing proceeds to step S204; otherwise it proceeds to step S209.
In step S204, the read data length is increased by 1 byte.
In step S205, the card reader places the current object ID and the current read data length in the data field of a request and sends the request to the Java card.
In step S206, the card reader receives the response returned by the Java card and judges whether data was read from the Java card. If the result of step S206 is "Y", processing proceeds to step S207; otherwise it proceeds to step S208.
In step S207, the read data length is increased by 1 byte.
In step S208, the maximum number of bytes that can be read under this object ID is recorded.
In step S209, it is judged whether the object IDs have been exhausted. If the result of step S209 is "N", processing proceeds to step S210; otherwise it proceeds to step S211.
In step S210, the object ID is increased by 1, the read data length is reset to 1 byte, and step S202 is performed.
In step S211, the attack has failed, which shows that the Java card has no firewall vulnerability, and detection ends.
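The card-reader-side scan of steps S201-S211 and the hole measurement of steps S204-S208, as an added Python simulation that is not part of the patent: the card is a constructed model of the on-card module's responses, and the status words, the 255-byte read ceiling and the sample hole sizes are assumptions made for the simulation.

```python
"""Card-reader-side firewall scan (steps S201-S211) run against a simulated card.

Added example: the card below is a constructed model, not a real Java card; the
status words and the read-length ceiling are assumptions for the simulation.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

READ_OK = 0x9000        # assumed status word: the requested bytes came back
READ_FAILED = 0x6A82    # assumed status word: "reading illegal data failed" (S104)
MAX_READ_LEN = 255      # assumed ceiling so the scan terminates on a large hole


@dataclass
class SimulatedCard:
    """Constructed model of the on-card module after the jca modification (S101-S108).

    legal_ids: object IDs that resolve to objects the applet legitimately owns;
               the card refuses these (step S103 -> S104).
    holes:     object ID -> number of bytes readable across the firewall before
               the read fails. Empty means the card has no firewall vulnerability.
    """
    legal_ids: Set[int]
    holes: Dict[int, int]

    def request(self, object_id: int, length: int) -> Tuple[int, bytes]:
        """Process one reader request carrying (object ID, data length L)."""
        if object_id in self.legal_ids:
            return READ_FAILED, b""
        readable = self.holes.get(object_id, 0)
        if 1 <= length <= readable:
            # Constructed payload: the simulation returns L filler bytes.
            return READ_OK, bytes([object_id & 0xFF]) * length
        return READ_FAILED, b""


def measure_hole(card: SimulatedCard, object_id: int) -> int:
    """Steps S204-S208: grow L by one byte until the card refuses and record the
    last successful length (claim 5 states the same value as L-1 at the failing L)."""
    length = 1
    while length < MAX_READ_LEN:
        status, _ = card.request(object_id, length + 1)
        if status != READ_OK:
            break
        length += 1
    return length


def scan_card(card: SimulatedCard, first_id: int, last_id: int) -> Dict[int, int]:
    """Steps S201-S211: walk object IDs from first_id to last_id, probing each with L=1.

    Returns {object_id: maximum readable bytes} for every ID that leaked data;
    an empty dict means the attack failed for every ID (step S211, no hole).
    """
    findings: Dict[int, int] = {}
    object_id = first_id
    while object_id <= last_id:                       # S209: IDs not yet exhausted
        status, _ = card.request(object_id, 1)        # S202/S203 with L = 1 byte
        if status == READ_OK:
            findings[object_id] = measure_hole(card, object_id)
        object_id += 1                                # S210: next ID, L reset to 1
    return findings


def has_firewall_hole(card: SimulatedCard, first_id: int, last_id: int) -> bool:
    """Verdict of the detection: True if any object ID leaked data."""
    return bool(scan_card(card, first_id, last_id))


if __name__ == "__main__":
    # Constructed card: ID 1 is a legal object, ID 4 leaks 12 bytes, ID 6 leaks 1 byte.
    card = SimulatedCard(legal_ids={1}, holes={4: 12, 6: 1})
    print(scan_card(card, 0, 8))   # {4: 12, 6: 1}
```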
Fig. 3 is a structural diagram of the vulnerability detection device provided by the invention. As shown in Fig. 3, S301 denotes the card reader module, S302 the on-card module, S303 the card reader and S304 the Java card. The card reader module is located in the card reader, and the on-card module in the Java card.
The card reader module sends attack requests to the on-card module, causing it to attempt to access any memory region on the card; it judges from the response returned by the on-card module whether a firewall vulnerability exists and, for a given object ID on the card, searches for the range of data on the card that can be accessed without authorization in order to determine the size of the vulnerability.
The on-card module, after its structure or execution flow has been modified by means of disassembly, attempts to access any memory on the card.
Fig. 4 is a diagram of the card-side generation flow of a preferred embodiment of the vulnerability detection device provided by the invention. As shown in Fig. 4, in step S401 a class file is generated. The device in the class file runs according to steps S101-S106.
In step S402, the class file generated in step S401 is decompiled to generate the corresponding jca assembly file.
In step S403, the jca file generated in step S402 is modified. The modification is as follows: step S108 is inserted between steps S102 and S103. In step S108, the object ID obtained in step S101 is assigned to the array object.
In step S404, the jca file modified in step S403 is recompiled to generate the corresponding cap file.
In step S405, the cap file generated in step S404 is installed and selected in the card-side module.
In step S406, detection starts.
Although embodiments of the invention have been described above with reference to the accompanying drawings, those skilled in the art can make various variations or modifications within the scope of the appended claims.

Claims (10)

1. A method for detecting a Java card firewall vulnerability, characterized by comprising the following steps:
modifying the structure or execution flow of the Java card by means of disassembly, so that any memory on the card can be tentatively accessed;
when illegal data on the Java card is found to be readable, judging that the current card has a firewall vulnerability;
for a given object ID on the card, if a firewall vulnerability is found to exist, continuing to search for the range of data on the card that can be accessed without authorization, so as to determine the size of the vulnerability.
2. The method for detecting a Java card firewall vulnerability according to claim 1, characterized in that the jca file is modified by means of disassembly so that the object ID in the card reader's request is assigned to the array object, thereby achieving the purpose of modifying the structure or execution flow of the Java card.
3. The method for detecting a Java card firewall vulnerability according to claim 2, characterized in that after modifying the structure or execution flow of the Java card the method further comprises the following steps:
setting the current object ID to the initial object ID;
the card reader placing the current object ID and the data length L in the data field of a request and sending the request to the Java card;
the card reader receiving the response returned by the Java card and judging whether illegal data was read from the Java card; if illegal data was read, judging that the attack succeeded and the Java card has a firewall vulnerability; otherwise continuing to judge whether the object IDs have been exhausted, and if not, increasing the object ID by 1 and resending the request to the Java card; if the object IDs have been exhausted, this shows that the attack failed and the Java card has no firewall vulnerability.
4. The method for detecting a Java card firewall vulnerability according to claim 3, characterized in that if the Java card has a firewall vulnerability under a given object ID, the data length is increased and whether the attack can still succeed is judged repeatedly, and the maximum data length with which the attack succeeds is recorded to represent the size of the vulnerability under that object ID.
5. The method for detecting a Java card firewall vulnerability according to claim 4, characterized in that before modifying the structure or execution flow of the Java card the method further comprises the following steps:
the Java card receiving the request sent by the card reader and reading the object ID (of type short) and the data length L from the request data;
initializing an array of type byte;
judging whether the array object has a legal object ID; if it has a legal object ID, returning to the card reader a response indicating that reading the illegal data failed; otherwise attempting to read data of length L from the array object;
if the read succeeds, returning the data of length L that was read to the card reader; otherwise returning to the card reader a response indicating that reading the illegal data failed, the card reader recording the size of the vulnerability under this object ID as L-1 bytes.
6. A device for detecting a Java card firewall vulnerability, characterized by comprising:
an on-card module which, after its structure or execution flow has been modified by means of disassembly, is used to attempt to read any memory region on the Java card;
a card reader module for sending requests to read any memory region on the card and judging from the response returned by the on-card module whether a firewall vulnerability exists.
7. The device for detecting a Java card firewall vulnerability according to claim 6, characterized in that the on-card module is further used to modify the jca file by means of disassembly so that the object ID requested by the card reader module is assigned to the array object, thereby achieving the purpose of modifying the structure or execution flow of the on-card module.
8. The device for detecting a Java card firewall vulnerability according to claim 7, characterized in that:
the on-card module is further used to receive the request sent by the card reader module, the data field of the request comprising an object ID (of type short) and a data length L;
if the array object has a legal object ID, a response indicating that reading the illegal data failed is returned to the card reader module; otherwise an attempt is made to read data of length L from the array object;
if the on-card module succeeds in reading data of length L, the data read is returned to the card reader module; otherwise a response indicating that reading the illegal data failed is returned to the card reader module.
9. The device for detecting a Java card firewall vulnerability according to claim 6, characterized in that:
the card reader module is further used to attempt to send requests with different object IDs and different data lengths in turn, the object IDs taking values successively from the initial object ID until a Java card firewall vulnerability is found;
the card reader module is further used to receive the response returned by the on-card module and judge whether illegal data was read from the Java card; if illegal data was read, it judges that the attack succeeded and the Java card has a firewall vulnerability; otherwise it continues to judge whether the object IDs have been exhausted, and if not, increases the object ID by 1 and resends the request to the on-card module; if the object IDs have been exhausted, this shows that the attack failed and the Java card has no firewall vulnerability.
10. The device for detecting a Java card firewall vulnerability according to claim 9, characterized in that if a firewall vulnerability exists under a given object ID, the data length is increased and whether the attack can still succeed is judged repeatedly, and the maximum data length with which the attack succeeds is recorded to represent the size of the vulnerability under that object ID.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510686816.9A CN105282156A (en) 2015-10-22 2015-10-22 Method and device for detecting firewall holes of Java card

Publications (1)

Publication Number Publication Date
CN105282156A true CN105282156A (en) 2016-01-27

Family

ID=55150482

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106096408A (en) * 2016-06-03 2016-11-09 成都信息工程大学 The detection method of a kind of Java card out-of-bounds access static variable leak and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1477877A1 (en) * 2003-05-12 2004-11-17 Infineon Technologies AG Method of implementing a java card firewall into a smart card controller
CN103093142A (en) * 2012-12-26 2013-05-08 飞天诚信科技股份有限公司 Java card object access control method
CN103269348A (en) * 2013-06-09 2013-08-28 上海有线电视实业有限公司 Network segment-crossing data security exchange device and exchange method
CN103905265A (en) * 2012-12-27 2014-07-02 中国移动通信集团公司 Method and apparatus for detecting new device in network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
周捷 et al.: "JAVA卡平台安全性设计与实现" (Security design and implementation of the Java card platform), 《计算机工程与应用》 (Computer Engineering and Applications) *
李阿芳: "Java智能卡的安全性研究" (Research on the security of Java smart cards), 《电脑知识与技术》 (Computer Knowledge and Technology) *

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 2016-01-27)