
Post on 01-Jan-2016


Page 1: Java Card Technology Ch09: Applet Firewall and Object Sharing Instructors: Fu-Chiung Cheng ( 鄭福炯 ) Associate Professor Computer Science & Engineering Computer

Java Card Technology
Ch09: Applet Firewall and Object Sharing

Instructors: Fu-Chiung Cheng (鄭福炯)

Associate Professor

Computer Science & Engineering

Tatung University

Page 2:

Applet Firewall and Object Sharing

This chapter explains the behavior of objects, exceptions, and applets in the presence of the firewall and discusses how applets can safely share data by using the Java Card APIs.

Page 3:

Context

The applet firewall partitions the Java Card object system into separate protected object spaces called contexts.

When an applet instance is created, the JCRE assigns it a context, which is essentially a group context.

All applet instances of a single Java package share the same group context.

Page 4:

Context

There is no firewall between two applet instances in a group context.

The JCRE maintains its own JCRE context.

The JCRE context has special privileges: access from the JCRE context to any applet's context.

Page 5:

Context

[Figure: diagram with the labels JCRE context, Group context, Firewall, Applet context]

Page 6:

Object ownership

At any time, there is only one active context within the virtual machine: either the JCRE context or an applet's group context.

When a new object is created, it is assigned an owning context: the currently active context.

Page 7:

Object Access Exception

If the contexts do not match, the access is denied, and the comparison results in a SecurityException.

Page 8:

Static Fields and Methods

Only instances of classes (objects) are owned by contexts; classes themselves are not.

Static fields and methods are accessible from any applet context in the defining package (i.e. group context).

Page 9:

Object Access across Context

Sharing mechanisms are accomplished by the following means:

• JCRE privileges
• JCRE entry point objects
• Global arrays
• Shareable interfaces

Page 10:

Context Switch

When a sharing mechanism is applied, the Java Card virtual machine enables access by performing a context switch.

Context switches occur only during invocation of and return from instance methods of an object owned by a different context, and during exception exits from those methods.

Page 11:

Context Switch

During a context-switching method invocation, the current context is saved, and the new context becomes the currently active context.

When the virtual machine begins running after card reset, the JCRE context is always the currently active context.

Page 12:

JCRE Privileges

JCRE privileges: the JCRE can

• invoke a method on any object, or
• access an instance field of any object on the card.

Such system privileges enable the JCRE to control system resources and manage applets. For example, when the JCRE receives an APDU command, it invokes the currently selected applet's select, deselect or process method.

Page 13:

JCRE Privileges

When the JCRE invokes an applet's method, the JCRE context is switched to the applet's context.

The applet now takes control and loses the JCRE privileges.

Any objects created after the context switch are owned by the applet.

Page 14:

JCRE entry point objects

By using JCRE entry point objects, non-privileged users can request system services that are performed by privileged system routines.

JCRE entry point objects are normal objects owned by the JCRE context, but they have been flagged as containing entry point methods.

Page 15:

JCRE entry point objects

The entry point designation allows the public methods of such objects to be invoked from any context.

When that occurs, a context switch to the JCRE context is performed.

Notice that only the public methods of JCRE entry point objects are accessible through the firewall.

The fields of these objects are still protected by the firewall.

Page 16:

JCRE entry point objects

Two categories of JCRE EPOs:

• Temporary JCRE entry point objects:
    Examples: the APDU object and all JCRE-owned exception objects.
    References to these objects can't be stored in class variables.
• Permanent JCRE entry point objects:
    Examples: the JCRE-owned AID instances.
    References to these objects can be stored and freely used.

Page 17:

Global Arrays

Global arrays essentially provide a shared memory buffer whose data can be accessed by any applets and by the JCRE.

Global arrays are a special type of JCRE entry point object.

The applet firewall enables public fields of such arrays to be accessed from any context.

Page 18:

Global Arrays

• Only primitive arrays can be designated as global.
• Only the JCRE can designate global arrays.
• The only global arrays required in the Java Card APIs are the APDU buffer and the byte array parameter in an applet's install method.
• Whenever an applet is selected or before the JCRE accepts a new APDU command, the JCRE clears the APDU buffer.
    No leaked message.

Page 19:

Sharing between JCRE and applets

The JCRE can access any object due to its privileged nature.

Applets gain access to system services via JCRE entry point objects.

The JCRE and applets share primitive data by using designated global arrays.

Page 20:

Shareable interface

Shareable interfaces enable object sharing between applets.

A shareable interface is simply an interface that extends, either directly or indirectly, the tagging interface javacard.framework.Shareable.

    public interface Shareable {}

Page 21:

Shareable interface Object (SIO)

An object of a class that implements a shareable interface is called an SIO.

To the owning context, an SIO is a normal object whose fields and methods can be accessed.

To any other context, the SIO is an instance of the shareable interface type, and only the methods defined in the shareable interface are accessible.

Page 22:

Shareable interface example

[Figure: the Wallet applet (client applet) sends "Request miles" to the Air-miles applet (server applet)]

Page 23:

Shareable interface example

    package com.fasttravel.airmiles;

    import javacard.framework.Shareable;

    // Shareable interface: the only methods other contexts may call on the SIO
    public interface AirMilesInterface extends Shareable {
        public void grantMiles(short amount);
    }

Page 24:

Shareable interface example

    package com.fasttravel.airmiles;

    import javacard.framework.Applet;
    import javacard.framework.Shareable;

    // install() and process() are not shown on the slide
    public class AirMilesApp extends Applet implements AirMilesInterface {
        private short miles;

        public void grantMiles(short amount) {
            miles = (short)(miles + amount);
        }
    }

Page 25:

Review about AID and Register

    protected final void register();
    protected final void register(byte[] bArray, short bOffset, byte bLength)

The JCRE encapsulates the AID bytes in an AID object (owned by the JCRE) and associates this AID object with the applet. During object sharing, this AID object is used by a client applet to specify the server.

Page 26:

Request a Shareable Interface Object

• The client applet looks up the server AID by calling the JCSystem.lookupAID method:
    public static AID lookupAID(byte[] buffer, short offset, byte length)
• The client applet gets the server SIO by calling the JCSystem.getAppletShareableInterfaceObject method:
    public static Shareable getAppletShareableInterfaceObject(AID server_aid, byte parameter)
• The JCRE invokes the server applet's getShareableInterfaceObject method:
    public Shareable getShareableInterfaceObject(AID client_aid, byte parameter)

Page 27:

Request a Shareable Interface Object

    public class AirMilesApp extends Applet implements AirMilesInterface {
        short miles;

        public Shareable getShareableInterfaceObject(AID client_aid, byte parameter) {
            // authenticate the client - explained later
            return this; // return shareable interface object
        }
    }

Page 28:

Request an SIO

[Figure: four numbered steps between the client, the JCRE and the server. Labels: JCSystem.getAppletShareableInterfaceObject, Applet.getShareableInterfaceObject, SIO (or null), SIO (or null)]

Page 29:

Context Switches during Object Sharing

[Figure: six numbered steps between the client applet, the JCRE and the server applet. Labels: JCSystem.getAppletShareableInterfaceObject, Applet.getShareableInterfaceObject, SIO (or null), SIO (or null), invoke a shareable interface method, return from the method]

Page 30:

Authenticate a Client Applet

    public class AirMilesApp extends Applet implements AirMilesInterface {
        // wallet_app_aid_bytes and SECRET are members of the class (not shown on the slide)

        public Shareable getShareableInterfaceObject(AID client_aid, byte parameter) {
            // refuse any requester whose AID is not the wallet applet's
            if (client_aid.equals(wallet_app_aid_bytes, (short)0,
                    (byte)wallet_app_aid_bytes.length) == false)
                return null;
            // refuse a requester that does not present the agreed parameter
            if (parameter != SECRET)
                return null;
            return (this);
        }
    }

Page 31:

Verify the client applet again

    public void grantMiles(short amount) {
        // AID of the applet whose context was active before the switch to this one
        AID client_aid = JCSystem.getPreviousContextAID();
        if (client_aid.equals(wallet_app_aid_bytes, (short)0,
                (byte)wallet_app_aid_bytes.length) == false)
            ISOException.throwIt(SW_UNAUTHORIZED_CLIENT);
        miles = (short)(miles + amount);
    }

Page 32:

Summary

If a server applet A wants to share an object with another applet, it first defines a shareable interface SI.

Applet A then defines a service provider class C that implements the shareable interface SI (i.e. class C provides the actual implementations for the methods of SI).

Applet A creates an object o of class C.

Page 33:

Summary

If a client B wants to access applet A's object o, it invokes the JCSystem.getAppletShareableInterfaceObject method to request the SIO.

The JCRE searches its internal applet table for applet A. When found, it invokes JCSystem.getShareableInterfaceObject.

Applet A receives the request and determines whether it wants to share object o with applet B (return o's reference or null).

Page 34:

Summary

Applet B receives the object reference and casts it to type SI (an SIO object).

Applet B then uses the services provided in the SIO object.
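
The slides show only the server side (AirMilesApp). The client side of the steps summarized above could look like the following WalletApp, which is an added example and not code from the slides; the package name, AID bytes, SECRET value, INS code, starting balance and the one-mile-per-unit rule are assumptions made for illustration.

```java
package com.smartbank.wallet; // hypothetical client package, not from the slides

import javacard.framework.AID;
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;
import com.fasttravel.airmiles.AirMilesInterface; // shareable interface from the slides

public class WalletApp extends Applet {
    // Constructed values: the real AID and parameter are agreed with the server's provider.
    private static final byte[] AIR_MILES_AID = {
        (byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x01 };
    private static final byte SECRET = (byte) 0x5A;
    private static final byte INS_DEBIT = (byte) 0x30;

    private short balance = (short) 1000; // constructed starting balance

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new WalletApp().register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_DEBIT) {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        if (apdu.setIncomingAndReceive() != (short) 2) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        short amount = Util.getShort(buf, ISO7816.OFFSET_CDATA);
        if (amount <= 0 || amount > balance) {
            ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        }
        // Grant first: if the server refuses, the exception leaves process()
        // before the balance is touched.
        requestMiles(amount);
        balance = (short) (balance - amount);
    }

    private void requestMiles(short amount) {
        // 1. lookupAID returns the JCRE-owned AID object, or null if no applet
        //    with these AID bytes is registered on the card.
        AID serverAid = JCSystem.lookupAID(AIR_MILES_AID, (short) 0,
                (byte) AIR_MILES_AID.length);
        if (serverAid == null) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        // 2. The JCRE forwards the request to the server applet's
        //    getShareableInterfaceObject, which sees this applet's AID and SECRET.
        AirMilesInterface airMiles = (AirMilesInterface)
                JCSystem.getAppletShareableInterfaceObject(serverAid, SECRET);
        if (airMiles == null) { // server declined to share
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        // 3. This call switches to the server's context. Only the short crosses
        //    the firewall; an array owned by this applet would not be readable there.
        airMiles.grantMiles(amount);
    }
}
```

The byte parameter is a single value that any applet on the card can try to present, so the server's AID comparison and its second check with JCSystem.getPreviousContextAID inside grantMiles carry the real access decision.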