Category Archives: Research

Research work about Java Card and open smart cards.

The Off-Card Bytecode Verifier is fine, thank you!

REWRITTEN on 23 Nov. 2013. A few weeks ago, a friend sent me a link to the Cardis program, with the message “A bug in the verifier?”. Looking at the program, I saw a paper entitled Manipulating frame information with an Underflow attack undetected by the Off-Card Verifier, by Thales Communications and Security. This sounded […]

Chip to Cloud, day 2: Automated analysis of Java Card applets

This is a presentation by Jean-Baptiste Machemie, from the University of Limoges and a new project called Arya Security. The topic is automated analysis of Java Card applets, which is one of my favorite topics, and I am very happy to see interest from academia, as well as the emergence of companies who distribute such […]

Protecting your contactless card

As I mentioned in NFC Payments 101, current contactless cards aren’t protected against the simple attack that consists in performing a transaction while your card is in your pocket. Since some models don’t require anything other than tapping the card, the attack is workable. Well, that may change. Researchers from the University of Pittsburgh’s RFID […]

E-smart becomes Chip-to-Cloud

After over 10 years, e-Smart is changing its name to become the Chip-to-Cloud Security Forum (which will also replace the other conferences from the Smart Event). This looks like a welcome move from card-centered business to application-centered business, reflecting what is happening in the industry. The technology is now ready, and it has not evolved […]

Java Card is 15 years old

I just realized that I missed Java Card’s 15th birthday. This birthday was sometime at the end of October 1996. I don’t have the exact date, because the only document I have is the Java Card API: Specification of the Java Virtual Machine and Application Programmer’s Interface, version 0.13, dated October 10, 1996. Although this […]

About e-Smart: Java Card attacks

I was not at e-Smart this year, but here are some early reports from colleagues who attended the sessions. Over the coming days, I will comment on a few selected presentations. First, one of my favorite topics, which was covered Friday morning: attacks on the Java Card platform. There were two presentations this morning on […]

Live from Cardis2010: Combined attacks on Java Card

I just made my second presentation at Cardis2010, about combined attacks on Java Card (joint work with Anthony Ferrari, now in charge of these things at Trusted Labs). Sorry, no “public” slides this time, this is related to security evaluation. Interestingly, the current presenter is Guillaume Barbu, from Oberthur, who is presenting an interesting attack […]

Live from Cardis 2010: Where is our smart card AppStore?

UPDATED: Added slideshare link. Here is a transcript of my invited presentation at Cardis2010, or at least the things that I thought about before getting there. The slides are available on SlideShare.

Proving code correct

Most of us spent some time in school studying program proofs in one way or another. Many techniques exist, but in most cases, their most important use is to make students understand that, sometimes, a computation does not end. Proving programs is hard, but the hardness of the proof greatly depends on what you want […]

DPA is annoying (again?)

I am currently in Limoges, visiting the University to work on a collaborative research project. The buzz in the computer science department is that Christophe Clavier, one of their researchers, has just won the DPA contest, organized at CHES. And of course, I took the opportunity to discuss that with him. I won’t even start […]