Java Card TechnologyCh09: Applet Firewall andObject Sharing
Instructors:Instructors:
Fu-Chiung ChengFu-Chiung Cheng
(鄭福炯)(鄭福炯)
Associate ProfessorAssociate Professor
Computer Science & Engineering Computer Science & Engineering
Tatung UniversityTatung University
Applet Firewall and ObjectSharing
This chapter explains the behavior ofobjects, exceptions, and Applets in thepresence of their firewall and discusseshow applets can safely share data byusing the Java Card APIs.This chapter explains the behavior ofobjects, exceptions, and Applets in thepresence of their firewall and discusseshow applets can safely share data byusing the Java Card APIs.
Context
The applet firewall partitions the JavaCard object system into separateprotected object spaces called context.The applet firewall partitions the JavaCard object system into separateprotected object spaces called context.
When an applet instance is created, theJCRE assigns it a context which isessentially a group context.When an applet instance is created, theJCRE assigns it a context which isessentially a group context.
All applet instances of a single Javapackage share the same group context.All applet instances of a single Javapackage share the same group context.
Context
There is no firewall between two appletinstances in a group context.There is no firewall between two appletinstances in a group context.
The JCRE maintain its own JCERcontextThe JCRE maintain its own JCERcontext
JCRE context has special privileges:JCRE context has special privileges:
Access from the JCRE context to anyapplet’s contextAccess from the JCRE context to anyapplet’s context
Context
JCRE context
Group context
Group context
Firewall
Applet context
Applet context
Applet contextApplet context
Object ownership
At any time, there is only one activecontext within the virtual machine: eitherthe JCRE context or an applet’s groupcontext.At any time, there is only one activecontext within the virtual machine: eitherthe JCRE context or an applet’s groupcontext.
When a new object is created, it isassigned an owning context-----thecurrently active context.When a new object is created, it isassigned an owning context-----thecurrently active context.
Object Access Exception
If the contexts do not match, the accessis denied, and the comparison results ina SecurityException.If the contexts do not match, the accessis denied, and the comparison results ina SecurityException.
Static Fields and Methods
Only instances of classes---objects---are owned by context; classesthemselves are not.Only instances of classes---objects---are owned by context; classesthemselves are not.
Static fields and methods are accessiblefrom any applet context in the definingpackage (i.e. group context).Static fields and methods are accessiblefrom any applet context in the definingpackage (i.e. group context).
Object Access across Context
Sharing mechanisms are accomplishedby the following means:Sharing mechanisms are accomplishedby the following means:
•JCRE privileges•JCRE privileges
•JCRE entry point objects•JCRE entry point objects
•Global arrays•Global arrays
•Shareable interfaces•Shareable interfaces
Context Switch
When a sharing mechanism is applied, theJava Card virtual machine enables access byperforming a context switch.When a sharing mechanism is applied, theJava Card virtual machine enables access byperforming a context switch.
Context switches occurContext switches occur
only during invocation of and return frominstance methods of an object owned by adifferent context,only during invocation of and return frominstance methods of an object owned by adifferent context,
during exception exits form those methods.during exception exits form those methods.
Context Switch
During a context-switching methodinvocation, the current context is saved,and the new context become thecurrently active context.During a context-switching methodinvocation, the current context is saved,and the new context become thecurrently active context.
When the virtual machine beginsrunning after card reset, the JCREcontext is always the currently activecontext.When the virtual machine beginsrunning after card reset, the JCREcontext is always the currently activecontext.
JCRE Privileges
JCRE Privileges: JCRE canJCRE Privileges: JCRE can
invoke a method on any object orinvoke a method on any object or
access an instance field of any on the card.access an instance field of any on the card.
Such system privileges enable the JCRE tocontrol system resources and manageappletsSuch system privileges enable the JCRE tocontrol system resources and manageapplets
For example, when the JCRE receives an APDUcommand, it invokes the currently selectedapplet’s select, deselect or process methodFor example, when the JCRE receives an APDUcommand, it invokes the currently selectedapplet’s select, deselect or process method
JCRE Privileges
When JCRE invokes an applet’smethod, the JCRE context is switchedto the applet’s context.When JCRE invokes an applet’smethod, the JCRE context is switchedto the applet’s context.
The applet now takes control and losesthe JCRE privileges.The applet now takes control and losesthe JCRE privileges.
Any objects created after the contextswitch are owned by the applet.Any objects created after the contextswitch are owned by the applet.
JCRE entry point objects
By using JCRE entry point object, non-privileged users can request systemservices that are performed byprivileged system routines.By using JCRE entry point object, non-privileged users can request systemservices that are performed byprivileged system routines.
JCRE entry point objects are normalobjects owned by the JCRE context, butthey have been flagged as containingentry point methods.JCRE entry point objects are normalobjects owned by the JCRE context, butthey have been flagged as containingentry point methods.
JCRE entry point objects
The entry point designation allows the publicmethods of such objects to be invoked fromany context.The entry point designation allows the publicmethods of such objects to be invoked fromany context.
When that occurs, a context switch to theJCRE context is performed.When that occurs, a context switch to theJCRE context is performed.
Notice that only the public methods of JCREentry point objects are accessible through thefirewall.Notice that only the public methods of JCREentry point objects are accessible through thefirewall.
The fields of these objects are still protectedby the firewall.The fields of these objects are still protectedby the firewall.
JCRE entry point objects
Two categories of JCRE EPOs:Two categories of JCRE EPOs:
Temporary JCRE entry point objects:Temporary JCRE entry point objects:
Examples : The APDU object and all JCRE-ownedexception objects.Examples : The APDU object and all JCRE-ownedexception objects.
Reference to these objects can’t be stored in classvaribles.Reference to these objects can’t be stored in classvaribles.
Permanent JCRE entry point objects:Permanent JCRE entry point objects:
Examples :The JCRE-owned AID instances.Examples :The JCRE-owned AID instances.
Reference to these objects can be stored andfreely used.Reference to these objects can be stored andfreely used.
Global Arrays
Global arrays essentially provide a sharedmemory buffer whose data can be accessedby any applets and by the JCRE.Global arrays essentially provide a sharedmemory buffer whose data can be accessedby any applets and by the JCRE.
Global arrays are a special type of JCREentry point object.Global arrays are a special type of JCREentry point object.
The applet firewall enables public fields ofsuch arrays to be accessed from any context.The applet firewall enables public fields ofsuch arrays to be accessed from any context.
Global Arrays
Only primitive arrays can be designated asglobal andOnly primitive arrays can be designated asglobal and
Only JCRE can designate global arrays.Only JCRE can designate global arrays.
The only global arrays required in the JavaCard APIs are the APDU buffer and the bytearray parameter in an applet’s install method.The only global arrays required in the JavaCard APIs are the APDU buffer and the bytearray parameter in an applet’s install method.
Whenever an applet is selected or beforeJCRE accepts a new APDU command, JCREclears the APDU buffer.Whenever an applet is selected or beforeJCRE accepts a new APDU command, JCREclears the APDU buffer.
No leaked messageNo leaked message
Sharing between JCRE andapplets
JCRE can access any object due to itsprivileged nature.JCRE can access any object due to itsprivileged nature.
Applet gains access to system servicevia JCRE entry point objects.Applet gains access to system servicevia JCRE entry point objects.
JCRE and applets share primitive databy using designated global arrays.JCRE and applets share primitive databy using designated global arrays.
Shareable interface
Shareable interface enable objectsharing between applets.Shareable interface enable objectsharing between applets.
Simply an interface that extends, eitherdirectly or indirectly, the tagginginterface javacard.framework.Shareable.Simply an interface that extends, eitherdirectly or indirectly, the tagginginterface javacard.framework.Shareable.
public interface Shareable{} public interface Shareable{}
Shareable interfaceObject(SIO)
An object of a class that implements ashareable interface is called a SIO.An object of a class that implements ashareable interface is called a SIO.
To the owning context, an SIO is a normalobject whose fields and methods can beaccessed.To the owning context, an SIO is a normalobject whose fields and methods can beaccessed.
To any other context, the SIO is an instanceof the shareable interface type, and only themethods defined in the shareable interfaceare accessible.To any other context, the SIO is an instanceof the shareable interface type, and only themethods defined in the shareable interfaceare accessible.
Shareable interface example
Wallet applet
Air-miles applet
Request miles
Client applet Server applet
Shareable interface example
Package com.fasttravel.airmiles;Package com.fasttravel.airmiles;
import javacard.framework.Shareable;import javacard.framework.Shareable;
Public interface AirMilesInterface extends Shareable {Public interface AirMilesInterface extends Shareable {
public void grantMiles(short amout); public void grantMiles(short amout);
}}
Shareable interface example
Package com.fasttravel.airmiles;Package com.fasttravel.airmiles;
import javacard.framework.Shareable;import javacard.framework.Shareable;
public class AirMilesApp extends Applet implementsAirMilesInterface {public class AirMilesApp extends Applet implementsAirMilesInterface {
private short miles; private short miles;
public void grantMiles(short amout) { public void grantMiles(short amout) {
miles = (short)( miles + amout ); miles = (short)( miles + amout );
} }
}}
Review about AID andRegister
Protected final void register();Protected final void register();
Protected final void register(byte[] Array, shortbOffset, byte bLength)Protected final void register(byte[] Array, shortbOffset, byte bLength)
The JCRE encapsulates the AID bytes in anAID object(owned by the JCRE) andassociates this AID object whit the applet.During the object sharing, this AID object isused by a client applet to specify the server.The JCRE encapsulates the AID bytes in anAID object(owned by the JCRE) andassociates this AID object whit the applet.During the object sharing, this AID object isused by a client applet to specify the server.
Request a Shareable Interface Object
Client applet lookups the server AID by callingJCSystem.lookupAID methodClient applet lookups the server AID by callingJCSystem.lookupAID method
public static AID lookupAID(byte[] buffer, short offset, byte length)public static AID lookupAID(byte[] buffer, short offset, byte length)
Client applet gets the server SIO by callingJCSystem.getAppletSharableInterface methodClient applet gets the server SIO by callingJCSystem.getAppletSharableInterface method
public static Shareable getAppletShareableInterfaceObject(AIDserver_aid, byte parameter)public static Shareable getAppletShareableInterfaceObject(AIDserver_aid, byte parameter)
JCRE invokes Server applet’getSharableInterfaceOjbect methodJCRE invokes Server applet’getSharableInterfaceOjbect method
Public Shareable getShareableInterfaceObject(AID client_aid, byteparameter)Public Shareable getShareableInterfaceObject(AID client_aid, byteparameter)
Request a Shareable Interface Object
public class AirMilesApp extends Applet implementsAirMilesInterface {public class AirMilesApp extends Applet implementsAirMilesInterface {
short miles; short miles;
public Shareable getShareableInterfaceObject (AIDclient_aid, byte parameter) { public Shareable getShareableInterfaceObject (AIDclient_aid, byte parameter) {
//authenticate the client – explained later //authenticate the client – explained later
return this; // return shareable interface object return this; // return shareable interface object
} }
}}
Request an SIO
JCRE
client
Server
1
4
3
2
SIO(or null)
SIO(or null)
Applet.getSahreableInterfaceObject
JCSystem.getAppletShareableInterfceObject
Context Switches duringObject Sharing
JCRE
1
2
3
4
5
6
CLINET APPLET
SERVER APPLET
SIO(or null)
SIO(or null)
JCSystem.getAppletShareableInterfceObject
Applet.getSahreableInterfaceObject
RETURN FROM THEMETHOD
INVODE A SHAREALBEINGERFACE METHOD
Authenticate a Client Applet
public class AirMilesApp extends Applet implementsAirMilesInterface {public class AirMilesApp extends Applet implementsAirMilesInterface {
public Shareable getShareableInterfaceObject (AIDclient_aid, byte parameter) { public Shareable getShareableInterfaceObject (AIDclient_aid, byte parameter) {
if (client_aid.equals(wallet_app_aid_bytes, (short)0,(byte)wallet_app_aid_bytes.length)) == false) if (client_aid.equals(wallet_app_aid_bytes, (short)0,(byte)wallet_app_aid_bytes.length)) == false)
return null; return null;
if ( parameter != SECRET) if ( parameter != SECRET)
return null; return null;
return (this); return (this);
}}
Verify the client applet again
public void grantMiles (short amount) {public void grantMiles (short amount) {
AID client_aid =JCSystem.getPreviousCOntextAID(); AID client_aid =JCSystem.getPreviousCOntextAID();
if (client_aid.equals(wallet_app_aid_bytes,(short)0, (byte)wallet_app_aid_bytes.length))== false) if (client_aid.equals(wallet_app_aid_bytes,(short)0, (byte)wallet_app_aid_bytes.length))== false)
ISOException.throwIt(SW_UNAUTHORIZED-CLIENT); ISOException.throwIt(SW_UNAUTHORIZED-CLIENT);
miles = (short)(miles + amount); miles = (short)(miles + amount);
}}
Summary
If a server applet A want to share an objectwith another applet, it first defines a sharableinterface SIIf a server applet A want to share an objectwith another applet, it first defines a sharableinterface SI
Applet A then defines a service provider classC that implements the sharable interface SI.(i.e. C class provides actual implementationsfor the methods of SI.)Applet A then defines a service provider classC that implements the sharable interface SI.(i.e. C class provides actual implementationsfor the methods of SI.)
Applet A creates an object o of Class C.Applet A creates an object o of Class C.
Summary
If a client B wants to access applet A’s objecto, it invokesJCSystem.getAppletSharableInterfae methodto request the SIO.If a client B wants to access applet A’s objecto, it invokesJCSystem.getAppletSharableInterfae methodto request the SIO.
The JCRE searches for its internal applettable for applet A. When found it invokesJCSystem.getSharableInterfaceObject.The JCRE searches for its internal applettable for applet A. When found it invokesJCSystem.getSharableInterfaceObject.
Applet A receives the request and determineswhether it wants to share object o with appletB (return o’s reference or null).Applet A receives the request and determineswhether it wants to share object o with appletB (return o’s reference or null).
Summary
Applet B receives the object reference andcasts it to type SI (an SIO object).Applet B receives the object reference andcasts it to type SI (an SIO object).
Applet B then uses the services provided inthe SIO object.Applet B then uses the services provided inthe SIO object.