Application-Replay Attack on Java Cards: When the Garbage Collector Gets Confused
Java Card 3.0 specifications have brought many new features in the Java Card world, amongst which a true garbage collection mechanism. In this paper, the authors show how one could use this specific feature to predict the references that will be assigned to object instances to be created. They also exploit this reference prediction process in a combined attack. This attack stands as a kind of "Application replay" attack, taking advantage of an unspecified behavior of the Java Card Runtime Environment (JCRE) on application instance deletion. It reveals quite powerful, since it potentially permits the attacker to circumvent the application firewall: a fundamental and historical Java Card security mechanism.