Applet Firewall and Object Sharing T-110.497 Smart Card Application Development Markku Sievänen


Applet Firewall and Object Sharing

T-110.497 Smart Card Application Development

Markku Sievänen

2  Java Card – Multiapplication Card

- To protect the sensitive data of individual applets:
  - applet firewall mechanism
  - protection against developer mistakes and design oversights
- To support cooperative applications:
  - a well-defined and secure object sharing mechanism

3  Applet Firewall mechanism

- separate, protected object spaces called contexts
- the firewall is the boundary between one context and another
- all applet instances of a single Java package share the same group context
- public object access within the same group context is allowed
- object access between different group contexts is denied

4  Contexts

[Figure: the applet firewall separates the system space (the JCRE context) from the applet space; in the applet space, package A's group context contains two applet contexts and package B's group context contains one applet context.]

5  Object Ownership

- At any time there is only one active context within the virtual machine
- When a new object is created, it is assigned an owning context: the currently active context
  - the object is owned by the active applet in the current context
- primitive static arrays
  - created and initialized by the converter (before any applet instance is instantiated on the card)
  - the owning context is the group context of the package

6  Static Fields and Methods

- Only instances of classes (objects) are owned by contexts
- No runtime context check for:
  - static fields
  - static methods
- Java access rules still apply
  - private static fields and methods are visible only to their defining classes

7  Object Sharing across Contexts

- Mechanisms:
  - JCRE privileges
  - JCRE entry point objects
  - global arrays
  - shareable interfaces
- A context switch occurs during the invocation of, and the return from, an instance method of an object owned by a different context
  - the invoked method now executes in the new context, with the access rights of that context
  - context switches can be nested
  - on return the caller's context is restored
- Only the JCRE can access the instance fields of an object in a different context (no context switch)

8  JCRE Privileges

- The JCRE context has special privileges:
  - the JCRE can invoke a method on any object, or access an instance field of any object, on the card
  - this enables the JCRE to control system resources and manage applets
- Receiving an APDU command:
  - the JCRE invokes the select, deselect or process method of the currently selected applet
  - context switch: JCRE context -> applet context
  - on return the JCRE context is restored

9  JCRE Entry Point Objects (1)

- A way for normal applets to request "system services"
- owned by the JCRE context
  - only the public methods of such objects can be invoked from any context
  - context switch to the JCRE context
  - the fields of such objects are protected by the firewall
- The APDU object: the most famous one

10  JCRE Entry Point Objects (2)

- Two categories:
  - Temporary JCRE entry point objects
    - references to these objects cannot be stored in class variables, instance variables or array components
    - example: the APDU object
  - Permanent JCRE entry point objects
    - can be freely stored and reused
    - example: the JCRE-owned AID instances

11  Global Arrays

- JCRE-owned primitive arrays
- Provide a shared memory buffer whose data can be accessed by any applet
- Temporary JCRE entry point objects
- The global arrays required by the Java Card API:
  - the APDU buffer
  - the byte array parameter of an applet's install method (normally the APDU buffer)
- The JCRE clears the APDU buffer:
  - when an applet is selected, or
  - before the JCRE accepts a new APDU command
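The "cannot be stored" rule for temporary entry point objects is enforced by the JCRE when the store executes, not by the compiler, so it is worth seeing what it looks like in applet code. The applet below is an added illustration, not code from the slides; the package name, the instruction bytes and the scratch buffer size are assumptions. One instruction tries to keep the APDU buffer reference in an instance field, which the firewall rejects with a SecurityException; the other copies the bytes into an applet-owned transient array, which is the correct way to keep command data beyond the current call.

```java
package com.example.firewalldemo;   // assumed package name

import javacard.framework.*;

public class BufferDemoApplet extends Applet {
    static final byte INS_STORE_REF = (byte) 0x10;   // assumed instruction bytes
    static final byte INS_COPY_DATA = (byte) 0x20;
    static final short SCRATCH_LEN = (short) 64;

    // Applet-owned transient array: a legitimate place to keep a copy of command data.
    private final byte[] scratch;
    // A field meant to hold the APDU buffer. Assigning a temporary JCRE entry point
    // object (the APDU buffer, or the APDU object itself) to a field is a firewall
    // violation; the JCRE throws SecurityException at the assignment.
    private byte[] cachedApduBuffer;

    private BufferDemoApplet() {
        scratch = JCSystem.makeTransientByteArray(SCRATCH_LEN, JCSystem.CLEAR_ON_DESELECT);
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new BufferDemoApplet();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        // Holding the reference in a local variable is fine: only fields and array
        // components are off limits for temporary entry point objects.
        byte[] buf = apdu.getBuffer();
        short lc = apdu.setIncomingAndReceive();

        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_STORE_REF:
                cachedApduBuffer = buf;    // rejected by the firewall: SecurityException
                break;
            case INS_COPY_DATA:
                if (lc > SCRATCH_LEN) {
                    ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
                }
                // Copy the bytes out: 'scratch' survives until the applet is deselected,
                // while the APDU buffer is cleared by the JCRE before the next command.
                Util.arrayCopyNonAtomic(buf, ISO7816.OFFSET_CDATA, scratch, (short) 0, lc);
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

Because the check happens at run time, the offending store only shows up when the applet executes on a card or in a simulator; a review of every field and array store that receives a value obtained from an APDU or from the install parameter array is the static equivalent.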

12  Object Shareable Interface Mechanism

- Sharing between the JCRE and applets:
  - the JCRE can access any object due to its privileged nature
  - an applet gains access to system services via JCRE entry point objects
  - the JCRE and applets share primitive data using designated global arrays
- Sharing between applets:
  - the shareable interface mechanism

13  SIO - Shareable Interface Object

- An object of a class that implements a shareable interface
  - an interface that extends javacard.framework.Shareable
- To the owning context:
  - a normal object whose fields and methods can be accessed
- To any other context:
  - only the methods defined in the shareable interface are accessible
  - all fields and other methods are protected by the firewall

14  SIO mechanism

[Figure: a server applet exposes two SIOs; the client applets A, B and C reach the server only through those SIOs.]

15  An example of Object Sharing between Applets

- The air-miles applet creates a shareable interface object (SIO)
- The wallet applet requests the SIO from the air-miles applet
- The wallet applet requests miles to be credited by invoking a service method of the SIO

[Figure: the wallet applet (client applet) sends "request miles" to the air-miles applet (server applet).]

16  1. Create a Shareable Interface Object

- The server applet
  - define a shareable interface

    package com.fasttravel.airmiles;
    import javacard.framework.Shareable;

    public interface AirMilesInterface extends Shareable {
        public void grantMiles(short amount);
    }

17  1. Create a Shareable Interface Object ...

- create a service provider class

    package com.fasttravel.airmiles;
    import javacard.framework.*;

    public class AirMilesApplet extends Applet implements AirMilesInterface {
        private short miles;

        public void grantMiles(short amount) {
            miles = (short) (miles + amount);
        }
    }

18  2. Request a Shareable Interface Object

- The client applet
  - get the AID object associated with the server applet

    public static AID JCSystem.lookupAID(byte[] buffer, short offset, byte length);

    - the returned AID object is a permanent JCRE entry point object
  - request the SIO

    public static Shareable JCSystem.getAppletShareableInterfaceObject(AID server_aid, byte parameter);

    - byte parameter
      - selects a SIO (if there are many)
      - security token

19  2. Request a Shareable Interface Object ...

- The JCRE
  - if the server_aid is not found, return null
  - else invoke the server applet's getShareableInterfaceObject

    public Shareable getShareableInterfaceObject(AID client_aid, byte parameter);

    public class AirMilesApplet extends Applet implements AirMilesInterface {
        private short miles;

        public Shareable getShareableInterfaceObject(AID client_aid, byte parameter) {
            // authenticate the client
            ...
            // return the SIO
            return this;
        }
        ...
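Returning `this` is the simplest choice, but a client that receives the applet object can cast it to any shareable interface the applet class implements. The `parameter` byte of the request is the hook for a tighter design: hand out a small proxy object per service, each implementing exactly one shareable interface, so that a client granted one service cannot reach another. The server below is an added example, not code from the slides: AirMilesInterface is the slides' interface, while MilesQueryInterface, the selector values, the AID bytes, the proxy classes and the access policy are assumptions.

```java
package com.fasttravel.airmiles;

import javacard.framework.*;

// Second, assumed service next to the slides' AirMilesInterface.
interface MilesQueryInterface extends Shareable {
    short getMiles();
}

// One proxy per service. Each implements exactly one shareable interface, so a
// client holding the grant proxy cannot cast it into the query service or vice versa.
final class GrantProxy implements AirMilesInterface {
    private final AirMilesApplet owner;
    GrantProxy(AirMilesApplet owner) { this.owner = owner; }
    public void grantMiles(short amount) { owner.credit(amount); }   // runs in the server's context
}

final class QueryProxy implements MilesQueryInterface {
    private final AirMilesApplet owner;
    QueryProxy(AirMilesApplet owner) { this.owner = owner; }
    public short getMiles() { return owner.balance(); }
}

public class AirMilesApplet extends Applet {
    // Values of the 'parameter' byte that select a service (assumed).
    static final byte SIO_GRANT = (byte) 0x01;
    static final byte SIO_QUERY = (byte) 0x02;
    // Placeholder AID of the only applet allowed to credit miles.
    private static final byte[] WALLET_AID = { (byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x10, 0x01 };

    private short miles;
    private final GrantProxy grantSio;
    private final QueryProxy querySio;

    private AirMilesApplet() {
        // Created while this applet's context is active, so both proxies are owned by it.
        grantSio = new GrantProxy(this);
        querySio = new QueryProxy(this);
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new AirMilesApplet();
    }

    public void process(APDU apdu) {
        // APDU handling is not part of this example.
    }

    // Called by the JCRE on behalf of the client; 'parameter' selects the service.
    public Shareable getShareableInterfaceObject(AID clientAid, byte parameter) {
        switch (parameter) {
            case SIO_GRANT:
                // Crediting is restricted to the wallet applet; anyone else gets null.
                if (!clientAid.equals(WALLET_AID, (short) 0, (byte) WALLET_AID.length)) {
                    return null;
                }
                return grantSio;
            case SIO_QUERY:
                return querySio;    // assumed policy: any applet may read the balance
            default:
                return null;        // unknown selector: the JCRE hands null back to the client
        }
    }

    void credit(short amount) { miles = (short) (miles + amount); }
    short balance() { return miles; }
}
```

The proxies are created once, in the constructor, rather than on every request: objects allocated inside getShareableInterfaceObject would be persistent allocations made on behalf of an arbitrary caller, which on a card without garbage collection is an easy way to exhaust EEPROM.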

20  The process summary

[Figure: 1. the client calls JCSystem.getAppletShareableInterfaceObject; 2. the JCRE calls the server's Applet.getShareableInterfaceObject; 3. the server returns the SIO or null to the JCRE; 4. the JCRE returns the SIO or null to the client.]

21  Use a Shareable Interface Object

- Type cast

    AirMilesInterface sio = (AirMilesInterface)
        JCSystem.getAppletShareableInterfaceObject(server_aid, parameter);

- Only the methods defined in the shareable interface are visible to the client

    // ask the server to grant miles
    sio.grantMiles(amount);

22  Context Switches during Object Sharing

[Figure: 1. the client applet calls JCSystem.getAppletShareableInterfaceObject (context switch to the JCRE); 2. the JCRE calls the server's Applet.getShareableInterfaceObject (context switch to the server applet); 3. the server returns the SIO or null to the JCRE; 4. the JCRE returns the SIO or null to the client; 5. the client invokes a shareable interface method, crossing the applet firewall into the server's context; 6. return from the method restores the client's context.]

23  Parameter Types and Return Types

- Valid ones:
  - primitive values (boolean, byte, short, (optionally) int)
  - public static fields
  - JCRE entry point objects
    - the public methods of these objects can be accessed from any context
  - global arrays
  - SIOs: the shareable interface methods of these objects
    - call back
    - multiple context switches
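The list above decides whether a byte array handed to a shareable method can actually be read on the other side of the firewall: a reference to any object can be passed, but the server's access to it is what gets checked. The pair of applets below is an added example, not code from the slides; the package names, the interface, the AID bytes and the instruction bytes are assumptions. It is shown as three source files in one listing because client and server must sit in different packages, and so in different group contexts, for the firewall to lie between them. The server copies what it needs during the call and returns a primitive; the client shows one call that passes the APDU buffer (a global array, readable by the server) and one that passes an applet-owned array, which the server's first read rejects with a SecurityException.

```java
// ---- file: com/example/receipt/ReceiptInterface.java (server package) ----
package com.example.receipt;
import javacard.framework.Shareable;

public interface ReceiptInterface extends Shareable {
    // Returns the number of stored records: a primitive, always a valid return type.
    short recordPurchase(byte[] data, short offset, short length);
}

// ---- file: com/example/receipt/ReceiptServerApplet.java ----
package com.example.receipt;
import javacard.framework.*;

public class ReceiptServerApplet extends Applet implements ReceiptInterface {
    static final short RECORD_LEN = 4;
    private final byte[] records = new byte[32];   // server-owned persistent storage
    private short count;

    private ReceiptServerApplet() { register(); }
    public static void install(byte[] bArray, short bOffset, byte bLength) { new ReceiptServerApplet(); }
    public void process(APDU apdu) { }

    public Shareable getShareableInterfaceObject(AID clientAid, byte parameter) {
        return this;   // client authentication is the subject of the later slides
    }

    // Executes in the server's context. Reading data[] is firewall-checked: allowed for a
    // global array (the APDU buffer) or a server-owned array, SecurityException for an
    // array owned by the client's context.
    public short recordPurchase(byte[] data, short offset, short length) {
        if (length != RECORD_LEN || (short) (count * RECORD_LEN) >= (short) records.length) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        // Copy during the call; the APDU buffer is a temporary entry point object,
        // so its reference must never be kept in a field.
        Util.arrayCopy(data, offset, records, (short) (count * RECORD_LEN), length);
        count++;
        return count;
    }
}

// ---- file: com/example/shop/ShopClientApplet.java (client package, separate context) ----
package com.example.shop;
import javacard.framework.*;
import com.example.receipt.ReceiptInterface;

public class ShopClientApplet extends Applet {
    static final byte INS_VIA_APDU_BUFFER = (byte) 0x10;   // assumed instruction bytes
    static final byte INS_VIA_OWN_ARRAY = (byte) 0x20;
    private static final byte[] SERVER_AID = { (byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x20, 0x01 };  // placeholder
    private final byte[] ownCopy = new byte[4];   // owned by this applet's context

    private ShopClientApplet() { register(); }
    public static void install(byte[] bArray, short bOffset, byte bLength) { new ShopClientApplet(); }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        short lc = apdu.setIncomingAndReceive();
        if (lc != (short) 4) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);

        AID serverAid = JCSystem.lookupAID(SERVER_AID, (short) 0, (byte) SERVER_AID.length);
        if (serverAid == null) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        Shareable s = JCSystem.getAppletShareableInterfaceObject(serverAid, (byte) 0);
        if (s == null) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        ReceiptInterface sio = (ReceiptInterface) s;

        short n;
        switch (buf[ISO7816.OFFSET_INS]) {
            case INS_VIA_APDU_BUFFER:
                // Global array: the server may read it, so the call succeeds.
                n = sio.recordPurchase(buf, ISO7816.OFFSET_CDATA, lc);
                break;
            case INS_VIA_OWN_ARRAY:
                Util.arrayCopyNonAtomic(buf, ISO7816.OFFSET_CDATA, ownCopy, (short) 0, lc);
                try {
                    // Applet-owned array: the reference crosses the firewall, but the
                    // server's first read of it throws SecurityException.
                    n = sio.recordPurchase(ownCopy, (short) 0, lc);
                } catch (SecurityException e) {
                    ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                    return;
                }
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
                return;
        }
        Util.setShort(buf, (short) 0, n);
        apdu.setOutgoingAndSend((short) 0, (short) 2);
    }
}
```

The same rule applies in the other direction: a server that wants to hand bytes back to the client writes them into the global array it was given, never returns a reference to one of its own arrays, because the client's read of that array would fail in the same way.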

24  Authenticate a Client Applet (1)

- Before granting the SIO

    public class AirMilesApplet extends Applet implements AirMilesInterface {
        public Shareable getShareableInterfaceObject(AID client_aid, byte parameter) {
            // assume that the wallet applet's AID bytes are known in advance
            if (client_aid.equals(wallet_applet_aid_bytes, (short) 0,
                    (byte) (wallet_applet_aid_bytes.length)) == false)
                return null;
            // examine the secret to further authenticate the wallet applet
            if (parameter != SECRET)
                return null;
            // grant the SIO
            return (this);
        }
    }

25  Authenticate a Client Applet (2)

- When a shareable interface method is invoked

    public void grantMiles(short amount) {
        // get the caller's AID
        AID client_aid = JCSystem.getPreviousContextAID();
        // check that this method is really invoked by the wallet applet
        if (client_aid.equals(wallet_applet_aid_bytes, (short) 0,
                (byte) (wallet_applet_aid_bytes.length)) == false)
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        // grant miles
        miles = (short) (miles + amount);
    }

26  Authenticate a Client Applet (3)

- Challenge-response method

    public void grantMiles(AuthenticationInterface authObject, byte[] buffer,
                           short amount) {
        // generate a random challenge in the buffer
        generateChallenge(buffer);
        // challenge the client applet
        authObject.response(buffer);
        // check the response
        if (checkResponse(buffer) == false)
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        // grant the miles
        miles = (short) (miles + amount);
    }

27  Authenticate a Client Applet (3) ...

- The client applet

    public interface AuthenticationInterface extends Shareable {
        public void response(byte[] buffer);
    }

    public class WalletApplet extends Applet implements AuthenticationInterface {
        public void response(byte[] buffer) {
            // compute the response; both challenge and response data are carried in the buffer
            getResponse(buffer);
        }
        ...
        ... requestMiles(apdu.getBuffer(), amount);

28  Authenticate a Client Applet (3) ...

- The client applet

    private void requestMiles(byte[] buffer, short amount) {
        // obtain the AID object
        AID air_miles_aid = JCSystem.lookupAID(air_miles_aid_bytes, (short) 0,
                (byte) air_miles_aid_bytes.length);
        // request the SIO from the air-miles applet
        AirMilesInterface sio = (AirMilesInterface)
                (JCSystem.getAppletShareableInterfaceObject(air_miles_aid, SECRET));
        // ask the air-miles applet to grant miles
        sio.grantMiles(this, buffer, amount);
    }
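The slides leave generateChallenge, getResponse and checkResponse open. The listing below is an added example, not the lecture's code, that fills them in with one concrete scheme: the server writes a fresh random block into the APDU buffer, the client answers with an AES-CBC MAC of that block under a key both applets hold, and the server verifies it, on top of the AID checks from slides 24 and 25. The AID bytes, the key bytes, the SECRET value, the status word and the P1/P2 command layout are placeholders; the key is shown as a constant only so the listing is self-contained, and would be personalised into each applet at install time in practice. The two applets are in different packages, hence different contexts, and are shown as several files in one listing.

```java
// ---- file: com/fasttravel/airmiles/AuthenticationInterface.java (server package; imported by the client) ----
package com.fasttravel.airmiles;
import javacard.framework.Shareable;
public interface AuthenticationInterface extends Shareable {
    void response(byte[] buffer);
}

// ---- file: com/fasttravel/airmiles/AirMilesInterface.java ----
package com.fasttravel.airmiles;
import javacard.framework.Shareable;
public interface AirMilesInterface extends Shareable {
    void grantMiles(AuthenticationInterface authObject, byte[] buffer, short amount);
}

// ---- file: com/fasttravel/airmiles/AirMilesApplet.java ----
package com.fasttravel.airmiles;
import javacard.framework.*;
import javacard.security.*;

public class AirMilesApplet extends Applet implements AirMilesInterface {
    static final short SW_UNAUTHORIZED_CLIENT = (short) 0x6982;   // assumed status word
    static final byte SECRET = (byte) 0x5A;                        // assumed value of the slides' token
    static final short CHALLENGE_LEN = 16;   // one AES block: ALG_AES_MAC_128_NOPAD takes whole blocks
    static final short MAC_LEN = 16;
    private static final byte[] WALLET_AID = { (byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x10, 0x01 };  // placeholder
    private static final byte[] KEY_BYTES = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                                              0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F };  // placeholder
    private final AESKey key;
    private final RandomData rng;
    private final Signature mac;
    private short miles;

    private AirMilesApplet() {
        key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
        key.setKey(KEY_BYTES, (short) 0);
        rng = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
        mac = Signature.getInstance(Signature.ALG_AES_MAC_128_NOPAD, false);
        register();
    }
    public static void install(byte[] bArray, short bOffset, byte bLength) { new AirMilesApplet(); }
    public void process(APDU apdu) { }

    public Shareable getShareableInterfaceObject(AID clientAid, byte parameter) {
        // Slide 24: AID and token check before the SIO is handed out at all.
        if (!clientAid.equals(WALLET_AID, (short) 0, (byte) WALLET_AID.length) || parameter != SECRET) {
            return null;
        }
        return this;
    }

    // Runs in the server's context. 'buffer' is the client's APDU buffer, a global
    // array that both contexts may read and write across the firewall.
    public void grantMiles(AuthenticationInterface authObject, byte[] buffer, short amount) {
        // Slide 25: who is calling? (null would mean the JCRE itself)
        AID caller = JCSystem.getPreviousContextAID();
        if (caller == null || !caller.equals(WALLET_AID, (short) 0, (byte) WALLET_AID.length)) {
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        }
        // Slide 26: a fresh random challenge, so a recorded response cannot be replayed.
        rng.generateData(buffer, (short) 0, CHALLENGE_LEN);
        authObject.response(buffer);           // context switch to the client and back
        mac.init(key, Signature.MODE_VERIFY);
        if (!mac.verify(buffer, (short) 0, CHALLENGE_LEN, buffer, CHALLENGE_LEN, MAC_LEN)) {
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        }
        miles = (short) (miles + amount);
    }
}

// ---- file: com/fasttravel/wallet/WalletApplet.java (client package: a separate context) ----
package com.fasttravel.wallet;
import javacard.framework.*;
import javacard.security.*;
import com.fasttravel.airmiles.AirMilesInterface;
import com.fasttravel.airmiles.AuthenticationInterface;

public class WalletApplet extends Applet implements AuthenticationInterface {
    private static final byte[] AIR_MILES_AID = { (byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x10, 0x02 };  // placeholder
    private static final byte[] KEY_BYTES = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                                              0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F };  // same key
    private final AESKey key;
    private final Signature mac;

    private WalletApplet() {
        key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
        key.setKey(KEY_BYTES, (short) 0);
        mac = Signature.getInstance(Signature.ALG_AES_MAC_128_NOPAD, false);
        register();
    }
    public static void install(byte[] bArray, short bOffset, byte bLength) { new WalletApplet(); }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        // The amount to credit is carried in P1 P2 (assumed command layout).
        requestMiles(buf, Util.makeShort(buf[ISO7816.OFFSET_P1], buf[ISO7816.OFFSET_P2]));
    }

    // Invoked by the server, in this applet's context, while grantMiles waits for the answer.
    public void response(byte[] buffer) {
        mac.init(key, Signature.MODE_SIGN);
        mac.sign(buffer, (short) 0, (short) 16, buffer, (short) 16);   // MAC(challenge) placed behind it
    }

    private void requestMiles(byte[] buffer, short amount) {
        AID serverAid = JCSystem.lookupAID(AIR_MILES_AID, (short) 0, (byte) AIR_MILES_AID.length);
        if (serverAid == null) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        Shareable s = JCSystem.getAppletShareableInterfaceObject(serverAid, (byte) 0x5A);
        if (s == null) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        ((AirMilesInterface) s).grantMiles(this, buffer, amount);   // slide 28, with the null check added
    }
}
```

The whole exchange fits in the first 32 bytes of the APDU buffer (challenge at offset 0, MAC at offset 16), which is why the client passes apdu.getBuffer() rather than an array of its own: as a global array it is the one buffer both contexts may touch. The static AID check on slide 25 only tells the server which package is calling; the challenge-response adds proof that the caller holds the key, which is what "strong authentication" in the summary refers to.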

29  Summary

- The server applet
  - define a shareable interface, SI
  - define the service provider class (C) that implements the SI (can be the applet itself)
  - create an instance of C, the SIO
- The client applet
  - request the SIO from the server (JCSystem.getAppletShareableInterfaceObject())
  - type cast to SI
  - call the method(s) in the SI
  - possibly strong authentication