Applet Firewall and Object Sharing
T-110.497 Smart Card Application Development
Markku Sievänen
Java Card – Multiapplication Card
- To protect sensitive data of single applets:
  - Applet firewall mechanism
  - protection against developer mistakes and design oversights
- To support cooperative applications:
  - Well defined and secure object sharing mechanism
Applet Firewall mechanism
- separate, protected object spaces called contexts
- the firewall is the boundary between one context and another
- all applet instances of a single Java package share the same group context
- public object access within the same group context is allowed
- object access between different group contexts is denied
Contexts
[Figure: the JCRE context lives in system space; applet space holds one group context per package (package A, package B), each containing its applet contexts; the applet firewall separates all of these contexts.]
Object Ownership
- At any time, there is only one active context within the virtual machine
- When a new object is created, it is assigned an owning context – the currently active context
  - the object is owned by the active applet in the current context
- primitive static arrays
  - created and initialized by the converter (before any applet instance is instantiated on the card)
  - the owning context is the group context of the package
Static Fields and Methods
- Only instances of classes – objects – are owned by contexts
- No runtime context check for:
  - static fields
  - static methods
- Java access rules still apply
  - private static fields and methods are visible only to their defining classes
Object Sharing across Contexts
- Mechanisms:
  - JCRE privileges
  - JCRE entry point objects
  - Global arrays
  - Shareable interfaces
- Context switches occur during invocation of, and return from, instance methods of an object owned by a different context
  - the invoked method is now executed in a new context with the access rights of that context
  - nested context switches are possible
  - on return the caller's context is restored
- Only the JCRE can access instance fields of an object in a different context (no context switch)
JCRE Privileges
- The JCRE context has special privileges:
  - the JCRE can invoke a method on any object or access an instance field of any object on the card
  - this enables the JCRE to control system resources and manage applets
- Receiving an APDU command:
  - the JCRE invokes the select, deselect or process method of the currently selected applet
  - JCRE context -> applet context
  - on return the JCRE context is restored
JCRE Entry Point Objects (1)
- A way for normal applets to request "system services"
- owned by the JCRE context
  - only public methods of such objects can be invoked from any context
  - context switch to the JCRE context
  - fields of such objects are protected by the firewall
- The APDU object: the most famous one
JCRE Entry Point Objects (2)
- Two categories:
  - Temporary JCRE entry point objects
    - references to these objects cannot be stored in class variables, instance variables or array fields
    - Example: the APDU object
  - Permanent JCRE entry point objects
    - can be freely stored and reused
    - Example: the JCRE owned AID instances
Global Arrays
- JCRE owned primitive arrays
- Provide a shared memory buffer whose data can be accessed by any applet
- Temporary JCRE entry point objects
- The global arrays required by the JC API:
  - the APDU buffer
  - the byte array parameter of an applet's install method (normally the APDU buffer)
- The JCRE clears the APDU buffer:
  - when an applet is selected, or
  - before the JCRE accepts a new APDU command
Object Shareable Interface Mechanism
- sharing mechanism between the JCRE and applets
  - The JCRE can access any object due to its privileged nature
  - An applet gains access to system services via JCRE entry point objects
  - The JCRE and applets share primitive data by using designated global arrays
- sharing mechanism between applets
  - shareable interface mechanism
SIO - Shareable Interface Object
- An object of a class that implements a shareable interface
  - the interface extends javacard.framework.Shareable
- To the owning context:
  - a normal object whose fields and methods can be accessed
- To any other context:
  - only methods defined in the shareable interface are accessible
  - all fields and other methods are protected by the firewall
SIO mechanism
[Figure: a server applet (applet A) exposes two SIOs; the client applets B and C each hold a reference to one of them.]
An example of Object Sharing between Applets
- The air-miles applet creates a shareable interface object (SIO)
- The wallet applet requests the SIO from the air-miles applet
- The wallet applet requests miles to be credited by invoking a service method of the SIO
[Figure: the wallet applet (client applet) sends "request miles" to the air-miles applet (server applet).]
1. Create a Shareable Interface Object
- The server applet
  - define a shareable interface

    package com.fasttravel.airmiles;

    import javacard.framework.Shareable;

    public interface AirMilesInterface extends Shareable {
        public void grantMiles(short amount);
    }
1. Create a Shareable Interface Object ...
- create a service provider class

    package com.fasttravel.airmiles;

    import javacard.framework.*;

    public class AirMilesApplet extends Applet implements AirMilesInterface {
        private short miles;

        public void grantMiles(short amount) {
            miles = (short) (miles + amount);
        }
    }
2. Request a Shareable Interface Object
- The client applet
  - Get the AID object associated with the server applet

      public static AID JCSystem.lookupAID(byte[] buffer, short offset, byte length);

    - the returned AID object is a permanent JCRE entry point object
  - Request the SIO

      public static Shareable JCSystem.getAppletShareableInterfaceObject(AID server_aid, byte parameter);

    - byte parameter
      - selects an SIO (if the server offers many)
      - security token
2. Request a Shareable Interface Object ...
- The JCRE
  - If the server_aid is not found, returns null
  - Else invokes the server applet's getShareableInterfaceObject

      public Shareable getShareableInterfaceObject(AID client_aid, byte parameter);

      public class AirMilesApplet extends Applet implements AirMilesInterface {
          private short miles;

          public Shareable getShareableInterfaceObject(AID client_aid, byte parameter) {
              // authenticate the client
              ...
              // return the SIO
              return this;
          }
          ...
The process summary
[Figure: (1) the client calls JCSystem.getAppletShareableInterfaceObject; (2) the JCRE invokes the server's Applet.getShareableInterfaceObject; (3) the server returns the SIO or null to the JCRE; (4) the JCRE returns the SIO or null to the client.]
Use a Shareable Interface Object
- Type cast

    AirMilesInterface sio = (AirMilesInterface)
        JCSystem.getAppletShareableInterfaceObject(server_aid, parameter);

- Only methods defined in the shareable interface are visible to the client

    // ask the server to grant miles
    sio.grantMiles(amount);
Context Switches during Object Sharing
[Figure: the applet firewall separates the client applet, the JCRE and the server applet. (1) the client calls JCSystem.getAppletShareableInterfaceObject; (2) the JCRE calls the server's Applet.getShareableInterfaceObject; (3) the server returns the SIO or null to the JCRE; (4) the JCRE returns the SIO or null to the client; (5) the client invokes a shareable interface method, which executes in the server's context; (6) the method returns and the client's context is restored.]
Parameter Types and Return Types
� Valid ones� Primitive Values (boolean, byte, short, (optionally) int)� Public static fields� JCRE entry point objects
� public methods of these objects can be accessed from any context
� Global Arrays� SIOs – shareable interface methods of these objects
� call back� multiple context switches
Authenticate a Client Applet (1)
- Before granting the SIO

    public class AirMilesApplet extends Applet implements AirMilesInterface {
        public Shareable getShareableInterfaceObject(AID client_aid, byte parameter) {
            // assume that the wallet applet AID bytes are known in advance
            if (client_aid.equals(wallet_applet_aid_bytes, (short) 0,
                    (byte) (wallet_applet_aid_bytes.length)) == false)
                return null;
            // examine the secret to further authenticate the wallet applet
            if (parameter != SECRET)
                return null;
            // grant the SIO
            return (this);
        }
    }
Authenticate a Client Applet (2)
- When a shareable interface method is invoked

    public void grantMiles(short amount) {
        // get the caller's AID
        AID client_aid = JCSystem.getPreviousContextAID();
        // check if this method is really invoked by the wallet applet
        if (client_aid.equals(wallet_applet_aid_bytes, (short) 0,
                (byte) (wallet_applet_aid_bytes.length)) == false)
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        // grant miles
        miles = (short) (miles + amount);
    }
Authenticate a Client Applet (3)
- Challenge – Response method

    public void grantMiles(AuthenticationInterface authObject, byte[] buffer,
            short amount) {
        // generate a random challenge phrase in the buffer
        generateChallenge(buffer);
        // challenge the client applet
        authObject.response(buffer);
        // check the response
        if (checkResponse(buffer) == false)
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        // grant the miles
        miles = (short) (miles + amount);
    }
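A complete server applet tying together steps 1 and 2 and the three authentication checks above, written for these notes and not taken from the course material. The slides leave generateChallenge/checkResponse open; here they are filled in with a 16-byte random challenge and an AES CBC-MAC over it, the challenge is kept in a server-owned copy because the client can rewrite the shared buffer, and the caller's AID is checked again on every call. Assumptions: the client's AuthenticationInterface lives in a package com.fasttravel.wallet, and the AID, key and token bytes are constructed sample values.

```java
package com.fasttravel.airmiles;
import javacard.framework.*;
import javacard.security.*;
import com.fasttravel.wallet.AuthenticationInterface; // assumed: the client package declares the callback interface

public class AirMilesApplet extends Applet implements AirMilesInterface {
    // Constructed sample values: the wallet applet's AID, a 128-bit key shared with it, the SIO request token
    private static final byte[] WALLET_AID = { (byte) 0xF0, 0x57, 0x41, 0x4C, 0x4C, 0x45, 0x54, 0x01 };
    private static final byte[] SHARED_KEY = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD, (byte) 0xEE, (byte) 0xFF };
    private static final byte SECRET = (byte) 0x5A;
    private static final short SW_UNAUTHORIZED_CLIENT = ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED;
    private static final short CHALLENGE_LEN = 16;      // one AES block, so the NOPAD MAC needs no padding
    private short miles; private RandomData rng; private Signature mac;
    private byte[] challenge;                           // server-owned copy of the current challenge

    public static void install(byte[] bArray, short bOffset, byte bLength) { new AirMilesApplet().register(); }
    private AirMilesApplet() {
        rng = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
        AESKey key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
        key.setKey(SHARED_KEY, (short) 0);
        mac = Signature.getInstance(Signature.ALG_AES_MAC_128_NOPAD, false);
        mac.init(key, Signature.MODE_VERIFY);
        challenge = JCSystem.makeTransientByteArray(CHALLENGE_LEN, JCSystem.CLEAR_ON_DESELECT);
    }
    public void process(APDU apdu) { if (!selectingApplet()) ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED); }

    // Hand out the SIO only to the expected AID presenting the expected token (a one-byte token is a
    // weak secret by itself, which is why grantMiles() authenticates the caller again)
    public Shareable getShareableInterfaceObject(AID clientAid, byte parameter) {
        if (!clientAid.equals(WALLET_AID, (short) 0, (byte) WALLET_AID.length) || parameter != SECRET)
            return null;
        return this;
    }

    // 'buffer' must be a global array (the APDU buffer): the firewall would reject a client-owned array
    // when this context writes the challenge into it
    public void grantMiles(AuthenticationInterface authObject, byte[] buffer, short amount) {
        AID caller = JCSystem.getPreviousContextAID();  // the context that switched into ours
        if (!caller.equals(WALLET_AID, (short) 0, (byte) WALLET_AID.length))
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        rng.generateData(buffer, (short) 0, CHALLENGE_LEN);
        Util.arrayCopyNonAtomic(buffer, (short) 0, challenge, (short) 0, CHALLENGE_LEN);
        authObject.response(buffer);                    // nested context switch into the client applet
        // verify against the private copy: the client could have rewritten the shared buffer
        if (!mac.verify(challenge, (short) 0, CHALLENGE_LEN, buffer, CHALLENGE_LEN, CHALLENGE_LEN))
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        if (amount < 0 || (short) (miles + amount) < miles) // reject negative and wrapping credits
            ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        miles = (short) (miles + amount);
    }
}
```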
Authenticate a Client Applet (3) ...
- The client applet

    public interface AuthenticationInterface extends Shareable {
        public void response(byte[] buffer);
    }

    public class WalletApplet extends Applet implements AuthenticationInterface {
        public void response(byte[] buffer) {
            // get the response
            // both challenge and response data are carried in the buffer
            getResponse(buffer);
        }
        ...
        ...requestMiles(apdu.getBuffer(), amount);
Authenticate a Client Applet (3) ...
- The client applet

    private void requestMiles(byte[] buffer, short amount) {
        // obtain the AID object
        AID air_miles_aid = JCSystem.lookupAID(air_miles_aid_bytes, (short) 0,
                (byte) air_miles_aid_bytes.length);
        // request the SIO from the air-miles applet
        AirMilesInterface sio = (AirMilesInterface)
            (JCSystem.getAppletShareableInterfaceObject(air_miles_aid, SECRET));
        // ask the air-miles applet to grant miles
        sio.grantMiles(this, buffer, amount);
    }
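The matching client applet for the two slides above, written for these notes rather than taken from the course material. It adds the null checks that the requestMiles fragment omits (server absent, server refused), passes the APDU buffer because it is a global array, and answers the challenge only for the server it trusts, so that no other context holding the wallet's SIO can use it as a MAC oracle. Assumptions: the package com.fasttravel.wallet, the INS code 0x40 carrying the amount in P1P2, and the AID and key bytes are all constructed sample values; the key matches the one in the server example.

```java
package com.fasttravel.wallet;                      // assumed package name for the client applet
import javacard.framework.*;
import javacard.security.*;
import com.fasttravel.airmiles.AirMilesInterface;

public class WalletApplet extends Applet implements AuthenticationInterface {
    // Constructed sample values: the air-miles applet's AID, the key shared with it, the token, an INS code
    private static final byte[] AIR_MILES_AID = { (byte) 0xF0, 0x41, 0x49, 0x52, 0x4D, 0x49, 0x4C, 0x01 };
    private static final byte[] SHARED_KEY = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD, (byte) 0xEE, (byte) 0xFF };
    private static final byte SECRET = (byte) 0x5A;
    private static final byte INS_REQUEST_MILES = (byte) 0x40;
    private static final short CHALLENGE_LEN = 16;
    private Signature mac;
    public static void install(byte[] bArray, short bOffset, byte bLength) { new WalletApplet().register(); }
    private WalletApplet() {
        AESKey key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
        key.setKey(SHARED_KEY, (short) 0);
        mac = Signature.getInstance(Signature.ALG_AES_MAC_128_NOPAD, false);
        mac.init(key, Signature.MODE_SIGN);
    }

    public void process(APDU apdu) {
        byte[] buf = apdu.getBuffer();              // global array: may be handed across the firewall
        if (selectingApplet()) return;
        if (buf[ISO7816.OFFSET_INS] != INS_REQUEST_MILES) ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        requestMiles(buf, Util.getShort(buf, ISO7816.OFFSET_P1));   // amount carried in P1P2
    }

    // Steps 2 and 3 of the slides, with the null checks the fragments omit
    private void requestMiles(byte[] buffer, short amount) {
        AID airMilesAid = JCSystem.lookupAID(AIR_MILES_AID, (short) 0, (byte) AIR_MILES_AID.length);
        if (airMilesAid == null)                    // server applet is not on the card
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        Shareable s = JCSystem.getAppletShareableInterfaceObject(airMilesAid, SECRET);
        if (s == null)                              // server refused to hand out its SIO
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        AirMilesInterface sio = (AirMilesInterface) s;  // ClassCastException if the server gave us something else
        sio.grantMiles(this, buffer, amount);       // context switch into the server, which calls back response()
    }

    // Server callback, executed in this applet's context. Answer only the server we trust: otherwise any
    // context holding a reference to this SIO could use the wallet as a MAC oracle.
    public void response(byte[] buffer) {
        AID caller = JCSystem.getPreviousContextAID();
        if (!caller.equals(AIR_MILES_AID, (short) 0, (byte) AIR_MILES_AID.length))
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        mac.sign(buffer, (short) 0, CHALLENGE_LEN, buffer, CHALLENGE_LEN);   // MAC(challenge) -> buffer[16..31]
    }
}
```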
Summary
- The server applet
  - Define a Shareable Interface, SI
  - Define the Service Provider Class (C) that implements the SI (can be the applet itself)
  - Create an instance of C, the SIO
- The client applet
  - Request the SIO from the server (JCSystem.getAppletShareableInterfaceObject())
  - type cast to the SI
  - Call the method(s) in the SI
  - possibly with strong authentication