CN106096408A - Detection method and device for a Java Card out-of-bounds static variable access vulnerability - Google Patents


Info

Publication number: CN106096408A
Application number: CN201610386159.0A
Authority: CN (China)
Prior art keywords: static variable, java card, card, leak, bounds access
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 熊熙, 吴震, 王敏, 饶金涛, 杜之波, 兰天, 姚艳丽
Current assignees: Chengdu Xinan Youlika Information Technology Co Ltd; Chengdu University of Information Technology; Beijing CEC Huada Electronic Design Co Ltd
Original assignees: Chengdu Xinan Youlika Information Technology Co Ltd; Chengdu University of Information Technology; Beijing CEC Huada Electronic Design Co Ltd
Priority date: 2016-06-03
Filing date: 2016-06-03
Publication date: 2016-11-09
Application filed by Chengdu Xinan Youlika Information Technology Co Ltd, Chengdu University of Information Technology and Beijing CEC Huada Electronic Design Co Ltd; priority claimed from CN201610386159.0A; published as CN106096408A; legal status pending.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033: Test or assess software


Abstract

The invention provides a detection method and device for a Java Card out-of-bounds static variable access vulnerability. The solution comprises: constructing a Java Card bytecode file that attempts to read the static variable at an arbitrary index position in the on-card constant pool; and, when a static variable is found to have been read illegally, judging that the current Java Card has an out-of-bounds static variable access vulnerability.

Description

Detection method and device for a Java Card out-of-bounds static variable access vulnerability
Technical field
The present invention relates to the field of smart cards, and in particular to a method and device for detecting an out-of-bounds static variable access vulnerability in a Java Card.
Background technology
A Java smart card is a new type of smart card. It is based on the Java Virtual Machine, so application programs are independent of the hardware. Applications are developed in a high-level language, are extensible and have a wide range of uses. Java smart card technology is the extension of Java technology into the field of smart cards; it combines flexibility with security, brings change to traditional smart card technology and applications, and gives card issuers and service providers more autonomy in choosing a smart card and dynamically adjusting the applications on the card, with lower development cost and a shorter issuance cycle. Manufacturers licensed for Java smart cards account for more than 90% of the world's smart card production capacity.
Security is an important part of Java Card applications and is the prerequisite for the wide adoption of Java Card. Only on the basis of platform security, with the security of every link fully considered, can the application systems on the platform run securely and efficiently. The security of this open platform is guaranteed in many ways: its security policy is implemented jointly by the virtual machine and the runtime environment, which provide multi-level security mechanisms such as the applet firewall and transaction management.
Special attack techniques against Java Card are constantly evolving, and Java Card accordingly presents more and more security vulnerabilities, which reduce the security of the whole Java Card system. Detecting the security of Java Cards has therefore become increasingly urgent. The out-of-bounds static variable access vulnerability is one of the common vulnerabilities of Java Card: an attacker uses it to read data on the card illegally, causing leakage of private data on the card. At present, out-of-bounds static variable access on Java Card is mainly avoided through a series of specifications, but effective means of detecting an out-of-bounds static variable access vulnerability that may be present on a Java Card are still lacking.
Therefore, how to improve the current situation, in which effective means of detecting the Java Card out-of-bounds static variable access vulnerability are lacking, and how to guard against the security risk of an application on a Java Card using this vulnerability to read data illegally, has become a problem demanding a prompt solution.
Summary of the invention
The object of the present invention is to solve the above technical problem by providing a method and device that effectively detect the out-of-bounds static variable access vulnerability of a Java Card.
To achieve this object, the invention provides a method for detecting a Java Card out-of-bounds static variable access vulnerability, characterised in that it comprises the following steps:
constructing a Java Card bytecode file that attempts to read the static variable at an arbitrary index position in the on-card constant pool;
when a static variable is found to have been read illegally, judging that the current Java Card has an out-of-bounds static variable access vulnerability.
The present invention also provides a device for detecting a Java Card out-of-bounds static variable access vulnerability, the device comprising:
an on-card module for attempting to access the static variable at an arbitrary index position in the on-card constant pool;
a card reader module for sending attack commands, that is, requests carrying an index value, and for judging from the response returned by the on-card module whether an out-of-bounds static variable access vulnerability exists.
The detection method and device for the Java Card out-of-bounds static variable access vulnerability according to the present invention can solve the problem that it was not possible to effectively detect whether a Java Card has an out-of-bounds static variable access vulnerability, and avoid the security risk of an application on a Java Card using this vulnerability to read data beyond its legal addresses.
Other features and advantages of the invention will become clearer after reading the detailed description of the embodiments in conjunction with the accompanying drawings.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the card-side execution of a preferred embodiment of the detection method for the out-of-bounds static variable access vulnerability provided by the present invention.
Fig. 2 is a schematic flow chart of the card-reader-side execution of a preferred embodiment of the detection method for the out-of-bounds static variable access vulnerability provided by the present invention.
Fig. 3 is a schematic structural diagram of the detection device for the out-of-bounds static variable access vulnerability provided by the present invention.
Detailed description of the invention
Embodiments of the present invention are described in detail below in conjunction with the accompanying drawings.
Fig. 1 is a schematic flow chart of the card-side execution of a preferred embodiment of the detection method for the out-of-bounds static variable access vulnerability provided by the present invention. As shown in Fig. 1, in step S101 a static variable of type short is defined.
In step S102, a local variable of type short is defined.
In step S103, the value of the static variable defined in step S101 is read.
In step S104, the value of the static variable read in step S103 is assigned to the local variable.
In step S105, a success response carrying the value of the local variable is returned.
In step S106, the instruction that reads the value of the static variable is modified so that it reads the value of the static variable at another index position in the constant pool.
In step S107, it is judged whether data was read; if so, step S104 is performed, otherwise step S108 is performed.
In step S108, a response indicating that reading the illegal data failed is returned.
Fig. 2 is a schematic flow chart of the card-reader-side execution of a preferred embodiment of the detection method for the out-of-bounds static variable access vulnerability provided by the present invention. As shown in Fig. 2, in step S201 the card reader places the current attack command (containing the index value of a static variable) in the data field of the request and sends the request to the Java Card.
In step S202, the card reader receives the response returned by the Java Card and judges whether data was read from the Java Card. If data was read, the Java Card has the out-of-bounds static variable access vulnerability, and step S203 is performed; otherwise step S204 is performed.
In step S203, the constant-pool index value of the static variable for which the attack succeeded is recorded.
In step S204, it is judged whether the attack commands are exhausted; if not, step S205 is performed, otherwise step S206 is performed.
In step S205, the card reader switches to the next attack command, attempting to read the value of the static variable at a different index position.
In step S206, the attack has failed: the Java Card does not have the out-of-bounds static variable access vulnerability, and detection ends.
Fig. 3 is a schematic structural diagram of the detection device for the out-of-bounds static variable access vulnerability provided by the present invention. As shown in Fig. 3, S301 denotes the card reader module, S302 the on-card module, S303 the card reader and S304 the Java Card. The card reader module is located in the card reader, and the on-card module is located in the Java Card.
The card reader module sends attack requests to the on-card module, attempting to access the static variable at an arbitrary index position in the on-card constant pool, and judges from the response returned by the on-card module whether an out-of-bounds static variable access vulnerability exists.
The on-card module, after modification of its internal structure or execution flow, can attempt to access the static variable at an arbitrary index position in the on-card constant pool.
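The two flows described above, the card-side probe of steps S101 to S108 and the card-reader loop of steps S201 to S206, can be modelled end to end as a conformance check that a card's virtual machine rejects static variable reads outside the applet's own range. The following Python is an added example, not code from the patent or its assignees: the card is a constructed simulation whose bounds check can be switched on or off, the APDU header bytes (`cla`, `ins`, `p1`, `p2`) are placeholders, and the reader records every index for which the card returned data rather than stopping at the first success as claim 6 describes.

```python
"""Model of the detection procedure from the patent: a reader-side loop (steps
S201 to S206) probing a simulated on-card module (steps S101 to S108).
Added example; the card simulation and the APDU header bytes are constructed
for illustration and are not part of the patent."""
from dataclasses import dataclass

SW_SUCCESS = 0x9000  # ISO 7816-4 status word: command completed, data returned (S105)
SW_FAILURE = 0x6F00  # generic failure; here: the card refused the read (S108)


@dataclass
class SimulatedCard:
    """Constructed stand-in for a Java Card running the test applet.

    static_pool   values of the 16-bit static fields reachable through the
                  card's constant pool; index 0 is the test applet's own short
    legal_count   how many of those indices the test applet legitimately owns
    check_bounds  True models a VM that verifies the getstatic index (secure),
                  False models one that does not (vulnerable)
    """
    static_pool: list
    legal_count: int
    check_bounds: bool

    def process(self, apdu: bytes) -> tuple[bytes, int]:
        # The request's data field carries the 2-byte index (S201); the test
        # applet rewrites its read instruction to that index (S106) and reads (S107).
        index = int.from_bytes(apdu[5:7], "big")
        if self.check_bounds and index >= self.legal_count:
            return b"", SW_FAILURE                     # S108: illegal read refused
        if index >= len(self.static_pool):
            return b"", SW_FAILURE                     # nothing mapped at this index
        value = self.static_pool[index]                # S103/S104: read into a local
        return value.to_bytes(2, "big", signed=True), SW_SUCCESS   # S105


def build_attack_command(index: int) -> bytes:
    """S201: place the index value in the data field of the request.
    CLA/INS/P1/P2 are placeholder bytes (constructed), not values from the patent."""
    cla, ins, p1, p2 = 0x80, 0x00, 0x00, 0x00
    data = index.to_bytes(2, "big")
    return bytes([cla, ins, p1, p2, len(data)]) + data


def detect_oob_static_access(card, legal_count: int, max_index: int) -> dict:
    """Steps S201 to S206: send one attack command per candidate index beyond
    the legal range and record every index for which the card returned data
    (S203). An empty result means the commands were exhausted without a
    successful read (S206)."""
    leaked = {}
    for index in range(legal_count, max_index + 1):
        data, sw = card.process(build_attack_command(index))
        if sw == SW_SUCCESS and len(data) == 2:            # S202: data was read
            leaked[index] = int.from_bytes(data, "big", signed=True)
    return leaked


def has_vulnerability(card, legal_count: int, max_index: int) -> bool:
    """Verdict of the card reader module: any successful illegal read means the
    card has the out-of-bounds static variable access vulnerability."""
    return bool(detect_oob_static_access(card, legal_count, max_index))


if __name__ == "__main__":
    pool = [7, 0x1234, -1, 42]   # constructed sample contents of the static pool
    for name, strict in (("bounds-checking card", True), ("unchecked card", False)):
        card = SimulatedCard(pool, legal_count=1, check_bounds=strict)
        print(name, detect_oob_static_access(card, legal_count=1, max_index=5))
```

Against the bounds-checking simulation every probe beyond index 0 returns the failure status word and the result is empty (step S206); against the unchecked simulation the reader records indices 1 to 3 with the values read, which is the evidence a tester would attach to a finding. Replacing `SimulatedCard.process` with a transport to a real reader is left out deliberately; the point of the model is the decision logic on the reader side.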
Although embodiments of the present invention have been described above in conjunction with the accompanying drawings, those skilled in the art may make various variations or modifications within the scope of the appended claims.

Claims (7)

1. A method for detecting a Java Card out-of-bounds static variable access vulnerability, characterised in that it comprises the following steps:
constructing a Java Card bytecode file that attempts to read the static variable at an arbitrary index position in the on-card constant pool;
when a static variable is found to have been read illegally, judging that the current Java Card has an out-of-bounds static variable access vulnerability.
2. The detection method according to claim 1, characterised in that the Java Card bytecode file is constructed according to the following steps:
defining a static variable of type short and a local variable of type short;
modifying the static variable to the static variable at a specified index position in the constant pool;
attempting to read the value of the static variable at the specified index position.
3. The detection method according to claim 2, characterised in that, after the Java Card bytecode file is constructed, the method further comprises the following steps:
the card reader places the attack command (containing the index value of the static variable) in the data field of the request and sends the request to the Java Card;
the card reader receives the response returned by the Java Card and judges whether the static variable at the illegal index position was read; if it could be accessed, the attack is judged successful and the current Java Card has the out-of-bounds static variable access vulnerability; otherwise it is judged whether the attack commands are exhausted, and if not, a new attack command (containing a different index value) is resent to the Java Card; if the attack commands are exhausted, the attack has failed and the Java Card does not have the out-of-bounds static variable access vulnerability.
4. A device for detecting a Java Card out-of-bounds static variable access vulnerability, characterised in that it comprises:
an on-card module for attempting to access the static variable at an arbitrary index position in the on-card constant pool;
a card reader module for sending attack commands, that is, requests carrying an index value, and for judging from the response returned by the on-card module whether an out-of-bounds static variable access vulnerability exists.
5. The detection device according to claim 4, characterised in that:
the on-card module is further configured to modify the defined static variable to the static variable at a specified index position in the constant pool, and then to attempt to read the value of the static variable at the specified index position.
6. The detection device according to claim 5, characterised in that:
the card reader module is further configured to attempt to send different attack commands in turn, that is, to send requests with different index values in turn, until a Java Card out-of-bounds static variable access vulnerability is found.
7. The detection device according to claim 6, characterised in that:
the card reader module is further configured to receive the response returned by the Java Card and to judge whether the static variable at the illegal index position was read from the Java Card; if illegal data was read, the attack is judged successful and the Java Card has the out-of-bounds static variable access vulnerability; otherwise it continues to judge whether the attack commands are exhausted, and if not, resends a new attack command (containing a different index value) to the Java Card; if the attack commands are exhausted, the attack has failed and the Java Card does not have the out-of-bounds static variable access vulnerability.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610386159.0A | 2016-06-03 | 2016-06-03 | Detection method and device for a Java Card out-of-bounds static variable access vulnerability

Publications (1)

Publication Number | Publication Date
CN106096408A | 2016-11-09

Family ID: 57447165

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106649009A (en) * | 2016-11-30 | 2017-05-10 | 北京中电华大电子设计有限责任公司 | JAVA card bytecode reference access test method
CN106778238A (en) * | 2016-12-27 | 2017-05-31 | 广州智慧城市发展研究院 | Detection method for out-of-bounds access by a JAVA smart card

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1687862A (en) * | 2005-06-16 | 2005-10-26 | 北京航空航天大学 | Smart card safety environment control method
US20120018825A1 (en) * | 2010-07-20 | 2012-01-26 | Samsung Electronics Co., Ltd. | Magnetic memory devices, electronic systems and memory cards including the same, methods of manufacturing the same, and methods of forming a perpendicular magnetic film of the same
CN102591788A (en) * | 2011-12-23 | 2012-07-18 | 飞天诚信科技股份有限公司 | Method for recovering Java card garbage
CN103093142A (en) * | 2012-12-26 | 2013-05-08 | 飞天诚信科技股份有限公司 | Java card object access control method
CN105282156A (en) * | 2015-10-22 | 2016-01-27 | 成都芯安尤里卡信息科技有限公司 | Method and device for detecting firewall holes of Java card
CN105303115A (en) * | 2015-10-29 | 2016-02-03 | 成都信息工程大学 | Detection method and apparatus for out-of-bounds access bug of Java card


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 20161109