FR2836569A1 - Memory space for chip card downloaded applications has a data structure and two separate memory parts that improve card security in the face of attacks against applet type applications - Google Patents

Abstract

Memory space is allocated to a stack of data frames for a downloaded application such as an applet in a chip card. Each data frame comprise machine data (DMn) and an operating part (OPn) having a variable length during the execution of code associated with the frame. The memory space is composed of a first part (EM1) and a second part (EM2) allocated to the stacking of operand parts (OPn). The two memory parts are separate and have different pointers (PP1, PP2).

Description

<Desc / Clms Page number 1>

Memory space for application data downloaded to a smart card
The present invention relates to the management of a memory space intended for storing data frames of a downloaded application which has been written in a high level object oriented language and which is executed in a portable electronic object of the smart card type.

 As shown in FIG. 1, the chip card CP, also known as a microcontroller card, contains a microprocessor PR, a memory MO of the ROM type, a non-volatile memory of machine data MDM of the EEPROM type and a random access memory MDE of data exchanged with the external RAM type. All PR, MO, MDM and MDE components are connected by an internal BU bus.

 The MO memory contains instructions in native code of an OS (Operating System) and pseudocodes of a VM virtual machine which is based on the operating system, and at least internal authentication applications and communication.

 The non-volatile memory MDM essentially contains data linked to the operating system and accessible by native codes and data linked to the virtual machine VM and accessible by pseudocodes as well as the pseudocodes and application data. The MDM memory also contains personal data linked to the owner of the smart card.

 The RAM type MDE memory essentially contains data exchanged with the outside world of the CA smart card, in particular with a

<Desc / Clms Page number 2>

 reception platform, such as a TE terminal equipped with a LE smart card reader, via a contact or contactless LI link. In particular, the memory MDE contains data from at least one downloaded application, such as an AP applet.

The applet was initially written in high-level language, such as Java language, or more particularly Java Card language, then compiled in intermediate language. The applet is made up of instructions called pseudocodes (bytecodes) which are ready to be executed by the virtual machine VM which constitutes an interpreter in the smart card.

 For example, when the chip card is a payment card, the terminal is a bank terminal or a point of sale terminal, or when the chip card is a removable telephone subscriber identity module SIM (Subscriber Identity Module) , the terminal is a mobile cellular radiotelephone. According to other variants, the portable electronic object instead of being a smart card can be a PDA personal digital assistant or an electronic purse.

 The invention is directed more particularly to the management of a memorized space EM of size TEM allocated to memory application data frames MDE of the RAM type of the portable electronic object, such as the smart card CP to which one will be referred to below. The AP applet is downloaded from a server through the TE reception terminal and the LI link to be executed mainly in the card.

 According to the prior art, the memory space EM reserved for data frames of an applet

<Desc / Clms Page number 3>

 compiled AP is organized in a PI stack having a predetermined size TP <TEM and a width L fixed at two bytes, as illustrated diagrammatically in FIGS. 2 and 3. The sizes are here expressed in pairs of bytes. In Figures 2 and 3 are drawn only two frames Cn and Cn + l on the top of the stack, assuming by convention that the stack grows upwards, although it could grow downwards instead of growing upwards high ; therefore the last Cn + l stacked frame is the active frame. The data in the stack PI is read by means of a stack pointer PP managed by the processor PR for the application AP.

 Each frame Cn introduced on the stack includes a respective invoked method Mn of the application AP.

Thus the invocation of a method Mn + l in the application AP under the control of the processor PR causes the stacking of a respective frame Cn + l on the top of the stack PI in which the other frames Ml are kept stacked. at Mn. The methods invoke each other, the Mn method invoking the Mn + l method and the Mn + l method can only return to the previous Mn method, by unstacking and discarding the Mn + l method from above the PI stack , or which can invoke a new Mn + 2 method. Only the method Mn + l in the upper frame Cn + l of the stack is active.

 Each frame Cn is successively composed of a first part of local variable VLn having a respective predetermined fixed size, of a second part of virtual machine data DMn having a respective fixed predetermined size, and of a third operand part OPn having a variable size.

<Desc / Clms Page number 4>

 The VLn part contains none, one or more local variables which are declared during the implementation of the method Mn in the memory space EM and before the execution of the method Mn. The local variables are used for the execution of the method Mn, their number not being modified but their values being modified during the execution of the method. The size of the first part VLn is therefore fixed and predetermined before the execution of the method Mn. Local variables can be the designation of the object whose method is called, method parameters, and other local variables.

 Java Card machine data in the DMn part, also called system data, allows the virtual machine to revert to the previous Min-1 method and in particular to correctly position the PP stack pointer in space EM memory at the level of the Min-1 method where the current method Mn had been called.

 The operands in the third part OPn of the framework Cn are values used by the virtual machine to execute the next operations and in particular used as argument of the call to the method Mn + l. As indicated in FIG. 2 by an overlap CHn + l of the operand part OPn of the method Mn and of the local variable part VLn + l of the following method Mn + l, operands of the method Mn can become local values of the immediately overlying method Mn + l when implementing the method Mn + i, and conversely the result of the method Mn + l can become an operand of the immediately underlying method Mn when returning to it.

<Desc / Clms Page number 5>

Cn+l puisse être construit, l'information de taille maximale Tn+l qu'est susceptible d'atteindre la méthode appelée Mn+l au cours de son exécution est précalculée lors de la création du pseudo-code de l'application à l'extérieur de la carte, puis chargée avec l'applet dans la carte. De plus, un vérificateur VER dans le terminal d'accueil TE recalcule la taille maximale Tn+l qu'est susceptible d'atteindre la méthode appelée Mn+l au cours de son exécution, puis vérifie qu'elle correspond à celle précalculée dans le pseudocode de l'application. Avant d'implémenter la méthode Mn+l dans l'espace mémoire EM alloué à l'applet AP, la machine virtuelle ajoute la taille Tn+l-CHn+l à la somme courante des tailles Tel-0 à Tn-CHn des cadres de méthode déjà empilés en la

pile PI, c'est-à-dire à la taille TPI de la pile afin de la comparer à la taille TEM. Si T+l-CH+i + TPI > TEM est vérifiée, un débordement de pile DB (overflow en anglais) est détecté comme montré à la figure 2, et la machine virtuelle signale une erreur. For a method, such as the method Mn + 1, is called and therefore for the data frame

Cn + l can be constructed, the information of maximum size Tn + l that is likely to reach the method called Mn + l during its execution is precalculated during the creation of the pseudo-code of the application at l outside the map, then loaded with the applet into the map. In addition, a verifier VER in the reception terminal TE recalculates the maximum size Tn + l that is likely to reach the method called Mn + l during its execution, then verifies that it corresponds to that precalculated in the application pseudocode. Before implementing the method Mn + l in the memory space EM allocated to the applet AP, the virtual machine adds the size Tn + l-CHn + l to the current sum of the sizes Tel-0 to Tn-CHn of the frames of method already stacked in the

PI stack, i.e. the TPI size of the stack in order to compare it to the TEM size. If T + l-CH + i + TPI> TEM is verified, a DB stack overflow is detected as shown in Figure 2, and the virtual machine reports an error.

On the other hand, if the size Tn + i-CHn + l of the method called Mn + l is compatible with the upper empty portion remaining in the memory space EM, the frame Cn + l of the method Mn + l is written to execute it.

 Conversely, when a method, such as the method Mn + l, is executed, the pointer PP of the stack PI must remain in the operand part OPn + l and must never leave it to point to virtual machine data in the intermediate part DM + i.

Otherwise, an "underflow" DI (underflow in English) of the OPn + i part occurs as shown in Figure 3. To overcome this defect,

<Desc / Clms Page number 6>

 some verifiers initially check, before the implementation of a method Mn + l on the PI stack that a lower overflow will never occur by testing all the possible paths in the method before its execution so that any stacking in the upper part OPn + l is not followed by a larger unstacking until reaching the machine data part DM + l. If the test of one of the paths indicates a lower overshoot, the verifier VER refuses the method Mn + l and reports an error.

 However, it sometimes happens that the functions of the verifier are bypassed by a malicious introduction of pseudocodes into the AP applet.

méthode Mn+l cause un dépassement inférieur DI après dépilage de la partie d'opérande OP+i, des données de machine dans la partie DMn+l sont atteintes, ce qui modifie le contexte de la méthode invoquante Mn. The unverified applet is then downloaded to the smart card. In this case, any excess method stacking on top of the stack PI in the memory space EM causes an overflow DB. If the execution of a

method Mn + l causes a lower overrun DI after unstacking of the operand part OP + i, machine data in the part DMn + l are reached, which modifies the context of the invoking method Mn.

 The virtual machine data in the DMn part of the Cn frame of each method should not be modified and be subject to attack by the implementation of apples by unscrupulous developers. Particularly by means of a lower overflow, the virtual machine data can be modified to return to the method executed with chosen parameters, for example to execute chosen codes with a determined context.

<Desc / Clms Page number 7>

 The invention aims to remedy the consequences of these attacks, particularly when the applet methods are not previously checked before their implementation in the memory of data exchanged in a portable electronic object.

 To this end, a memory space allocated to a stack of application data frames downloaded into a portable electronic object, each frame successively comprising at least one part of machine data and one part of operand having a variable length during the execution of the code associated with the frame, is characterized in that it is composed of a first memory space allocated to the stacking of parts of machine data, and of a second memory space allocated to the stacking of parts d operands, the first and second memory spaces being disjoint and having independent pointers.

 Even when the applet constituting the downloaded application and comprising the methods the parts of which are distributed in the first and second memory spaces, is not verified, any "malicious" code introduced into one of the operand parts of the The applet included in the second memory space will have no consequence on the sensitive virtual machine data parts in the first memory space.

 In general, each frame of a method can contain a part of local variable. In this embodiment, the second memory space contains the parts of local variable stacked alternately with the parts of operand.

 Other characteristics and advantages of the present invention will appear more clearly on

<Desc / Clms Page number 8>

 Reading the following description of several preferred embodiments of the invention with reference to the corresponding accompanying drawings in which: - Figure 1 is a schematic block diagram already commented on a smart card linked to a reception terminal; - Figures 2 and 3 schematically show stacks in a memory space allocated to applet methods respectively during an overflow and a lower overflow, according to the prior art already commented; and - Figure 4 schematically shows two memory spaces allocated to applet methods according to the invention.

 According to a preferred embodiment of the invention, the portable electronic object is a smart card CP as described above with reference to FIG. 1, with the exception of the organization of the memory space allocated to frames (frames ) of data Cn containing methods Mn of a compiled applet downloaded AP into the memory MDE of RAM type of the card.

 As shown in FIG. 4, the memory space according to the invention is split into two disjoint memory spaces EM1 and EM2. The pointers PP1 and PP2 of the memory spaces EM1 and EM2 are completely independent: the pointer PP1 cannot reach the space EM2 and the pointer PP2 cannot reach the space EM1. Any overflow or underflow in one of the EM1 and EM2 memory spaces cannot influence the content of the other memory space. In Figure 4 are shown only three frames Con-1, Cn and Cn + l of methods Mon-1, Mn and Mn + l at the top of a stack

<Desc / Clms Page number 9>

de l'applet AP, chaque cadre comportant une partie de variable locale VL-i, VLn, VL+l, une partie de données de machine virtuelle Din-1, DM, DM+i et une partie d'opérande Pn-lt OPn, OPn+1.

of the AP applet, each frame comprising a part of local variable VL-i, VLn, VL + l, a part of virtual machine data Din-1, DM, DM + i and a part of operand Pn-lt OPn , OPn + 1.

 The first memory space EM1 is suitable for receiving the sensitive data to be protected constituted by the virtual machine data parts DMn of the frames Cn of the methods Mn of applets.

 The second memory space EM2 is available for the first parts VLn containing local variables of the methods Mn and having respective fixed sizes and for the third parts OPn containing operands of the methods Mn and having respective variable sizes, in the applet frames Cn. The size T2 of the second memory space EM2 is very often larger than the size T1 of the first memory space EM1.

 The alternating stacking of the parts of local variable VL1 to VLn + l and of the parts of operand OP1 to OPn + l in the common memory space EM2 makes it possible to preserve the overlap CH between the part of local variable VLn of a method Mn and the operand part OPn + i of the overlying method M + when the latter is implemented.

 When for example the method Mn is invoked while the applet stack contains the methods Ml to Mn-1 with the virtual machine data parts DMi to DMn-1 stacked in the memory space EM1 and with the part pairs of local value and operand part VL-OP to VLn-1-OPn-1 stacked in the memory space EM2, the virtual machine VM first increments the pointer PP2 to write the part of local variable VLn on the stack in the memory space EM2, then increments the pointer PP1

<Desc / Clms Page number 10>

 to write the virtual machine data part DMn to the memory space EM1. Finally, the virtual machine VM again increments the pointer PP2 to write the operand part OPn as the method Mn is executed in the memory space EM2. Conversely, the unstacking of the method Mn to return to the underlying method Mn-1 is carried out by successively erasing the part OPn in the space EM2, the part DMn in the space EM1 and the part VLn in the EM2 space.

 When an overflow DE occurs, for example during the implementation of the framework Cn + l of the method Mn + i, which results from an overflow only in the space EM2 by the operand part OPn + l, all the machine data DM to DMn + l stacked in the memory space EM1 remain intact: the machine data are not affected.

 When a lower overflow DI (underflow) occurs for example during the unstacking of the operand part OP + i of the active method Mn + l on the stack, the pointer PP2 of the memory space EM2 points in the variable part local locale VLn + l, without reaching the machine data DMn + l in the other memory space EM1.

 For these two faults, the sensitive virtual machine data stacked in the memory space EM1 is not affected according to the invention and is therefore well protected.

 In normal condition in the virtual machine VM, the overflows in the two memory spaces EM1 and EM2 are monitored, by comparing the size Tl of the memory space EM1 to the sum of the predetermined size of the machine data part DMn + l of the current method Mn + l to be implemented and the stack size of the data parts DM] to DMn

<Desc / Clms Page number 11>

 of the previous methods Mi to Mn in the memory space EM1, and by comparing the size T2 of the memory space EM2 to the sum of the respective maximum size of the part of local variable OPn + i of the current method Mon + 1 la respective predetermined size of the local variable part VLn + i of the current method minus the overlap CMn + l, and the stack size of the pairs of local variable part and operand part VOL -OPE to VLn-OPn of previous methods Ml to Mn in the memory space EM2. The current method is refused when one of the sums exceeds the size of the respective memory space.

 Still in normal condition during a DI overflow by unstacking the operand part, the pointer PP2 can only leave the operand part OPn + l of the active method Mn + l only to enter the lower parts VL1 to VLn + l and O i to OPn which are not sensitive, unlike the virtual machine data parts DM to DMn + l in the other memory space EM1.

 The invention is not limited to the very pronounced separation of the memory spaces EM1 and EM2 illustrated in FIG. 4. As a variant, the memory spaces EM1 and EM2 are contiguous and their pointers PP1 and PP2 vary in opposite directions, for example l 'one grows up and the other grows down.

 According to another embodiment which can be combined with the first, the separation of the memory spaces can be improved by choosing two spaces whose access instructions by the processor PR are different.

Claims (3)

1-Memory space allocated to a stack of application data frames downloaded into a portable electronic object (CP), each frame (Cn) successively comprising at least one part of machine data (DMn) and one part of operand ( OPn) having a variable length during the execution of the code associated with the frame (Mn) r characterized in that it is composed of a first memory space (EM1) allocated to the stacking of machine data parts (DMn ), and a second memory space (EM2) allocated to the stack of operand parts (OPn), the first and second memory spaces being disjoint and having independent pointers (PP1, PP2).  2-memory space according to claim 1, wherein each frame (Cn) further comprises a local variable part (VLn), characterized in that the second memory space (EM2) contains the local variable parts (VLn) stacked

 alternately with the operand parts (OPn). 3-memory space according to claim 1 or 2, wherein the access instructions of the first and second memory spaces (EM1, EM2) are different.