In addition to payment applications, a variety of other applications can be installed simultaneously on a multi-application Java Card™. The firewall of the Java Card has the task of securely separating applications from each other and protecting data from unauthorised access, spying or manipulation.
Firewall attacks are often detected only after e.g. a credit card has been misused. Apart from a high loss of reputation and trust, unexpected consequential damage may arise, especially when payment applications have been accessed.
Java Card technology is increasingly being built into devices as an embedded solution, e.g. (e)UICC. As a central communication unit, it is therefore becoming a target for hackers. Cairon and achelos experts have developed test suites that are suited for various target groups:
With JC Inspector you can reliably test the security and quality of your Java Card solution, even in the embedded area.
JC Inspector is the ideal extension for the official Java Card TCK test suite*. With more than 20,000 test cases, JC Inspector is one of the most comprehensive Java Card test suites on the market. At this test depth it covers a large variety of test aspects and offers ideal protection for your Java Card.
*Java Card Technology Compatibility Kit (Java Card TCK) and the test bench.
This software was developed by Oracle.
Based on the high-performance Qumate.Testcenter from Cairon and achelos, the JC Inspector was developed for the Qumate.Security.World. With this powerful combination you can conveniently apply automated security, functionality and conformity checks to your Java Card solution before and after development, as well as in the field. JC Inspector reveals weak points in the implementation of a Java Card. Risks become apparent and, if necessary, protective measures can be applied immediately.
Cairon and achelos particularly focus on the security and function of the firewall, the virtual machine (VM) and the cryptography of a Java Card. To test a large range of cards, the tests cover all cards back to JC version 2.2.1.
Qumate.Testcenter contains comprehensive reporting and debugging options for professional and verifiable test management. It helps analyse the detected errors. JC Inspector and Qumate.Testcenter are entirely implemented in Java, which makes them quick and efficient to adapt and extend, even without special knowledge.
A variety of Java Cards have no way to check the integrity of the loaded applets during installation on the card. Correct behaviour according to the Java Card specifications is indispensable, especially for the functioning of security-critical components of the Java Card operating system, such as the firewall of the runtime environment, the virtual machine or the crypto API.
JC Inspector from Cairon and achelos supports a large number of Java Card versions (back to version 2.2.1) and types, such as (e)UICC, EMV or M2M. The test suite exclusively uses official Java Card and GlobalPlatform interfaces and protocols.
Moreover, JC Inspector also includes the complete test specification of the tests so that detailed analysis of the detected errors and risks can be carried out by the user.
The Smart-Cap File-Loader, developed by Cairon and achelos for JC Inspector, is a tool for intelligent loading and deletion of test applets. By analysing the test plan to be executed, the Smart-Cap File-Loader prevents unnecessary loading or deletion processes of packages on the Java Card during test execution. This increases the performance of the test run and reduces the number of write accesses on the persistent memory of the Java Card.
With JC Inspector from Cairon and achelos, you can check the functional security of Java Cards, the conformity with official specifications and the security of essential components, such as the Java Card firewall, virtual machine and cryptography.
Through high transparency and performance, JC Inspector enables test management at the highest level. Choose the best possible combination for your application from our various test suites. Tailored to meet the requirements of your project, we offer the following test suites from our JC Inspector series:
The test suite verifies the secure and correct implementation of the Java Card firewall. The tests check whether applets installed on the card have unauthorised mutual access to code or data (without the shareable interface mechanism). The focus here is on accessing objects in the same or in different packages (so-called contexts). Furthermore, the correct implementation of JCRE entry point objects is checked.
The JC Inspector.Firewall.TS from Cairon and achelos analyses, tests and logs all specified firewall rules with approx. 14,000 test cases. All applicable combinations of bytecodes, from bytecodes to objects/arrays and firewall contexts, are checked systematically.
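The kind of oracle such a systematic check needs, as an added example that is not code from JC Inspector or from Cairon and achelos: a simplified model of the Java Card firewall access rules that enumerates every combination of context, access type and object, then flags combinations a card allowed although the model forbids them. The context names, object names and the four access categories are assumptions made for illustration; the per-bytecode rules in the JCRE specification are more detailed.

```python
from dataclasses import dataclass
from itertools import product

JCRE = "JCRE"  # context of the runtime environment itself

@dataclass(frozen=True)
class Obj:
    name: str
    owner: str                   # context that owns the object
    global_array: bool = False   # e.g. the APDU buffer
    entry_point: bool = False    # JCRE entry point object
    shareable: bool = False      # class implements a Shareable interface

OPS = ("field", "array", "invokevirtual", "invokeinterface")

def firewall_allows(active: str, op: str, obj: Obj) -> bool:
    """Expected firewall verdict for one access attempt (simplified model)."""
    if obj.owner == active or active == JCRE:
        return True                  # own context, or JCRE privileges
    if op == "array":
        return obj.global_array      # global arrays are open to all contexts
    if op == "invokevirtual":
        return obj.entry_point       # only methods of entry point objects
    if op == "invokeinterface":
        return obj.shareable         # shareable interface mechanism
    return False                     # fields never cross a context boundary

def expected_matrix(contexts, objects):
    """Oracle: every (context, op, object) combination and its verdict."""
    return {(c, op, o.name): firewall_allows(c, op, o)
            for c, op, o in product(contexts, OPS, objects)}

def find_violations(expected, observed):
    """Combinations where the card allowed what the model forbids."""
    return sorted(k for k, ok in observed.items() if ok and not expected[k])

# Constructed sample: two applet contexts (A, B) and four objects.
OBJECTS = [
    Obj("purse_key", owner="A"),
    Obj("apdu_buffer", owner=JCRE, global_array=True),
    Obj("aid_object", owner=JCRE, entry_point=True),
    Obj("loyalty_sio", owner="B", shareable=True),
]
EXPECTED = expected_matrix(["A", "B", JCRE], OBJECTS)

# Constructed "observed" results from a faulty card that lets B read A's field.
OBSERVED = dict(EXPECTED)
OBSERVED[("B", "field", "purse_key")] = True

if __name__ == "__main__":
    print(find_violations(EXPECTED, OBSERVED))
```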
The test suite checks different aspects of a Java Card with respect to security of APIs, firewall and functionality.
The test suite loads tests with instructions for the virtual machine of the Java Card as applets onto the test object. The virtual machine interprets the bytecodes in the loaded applets at runtime and translates these into the machine commands of the target platform. The tests check the correct behaviour of the Java Card with respect to the bytecodes to be executed, including variants against the official Java Card specification.
JC Inspector.Virtual Machine.TS contains approx. 1,600 test cases, from good-case tests for numerous bytecodes to a large number of negative tests for each of these bytecodes. Particularly security-relevant bytecodes, e.g. checkcast (which checks object types) and the bytecodes that are responsible for access to defined fields and have to adhere to field boundaries, are explicitly checked by a large number of tests.
There is a wide range of different Java Cards on the market, which differ in parameters such as Java Card version, GlobalPlatform version, protocols, memory size, or additional preinstalled packages. The JC.Inspector.Feature Analysis.Testsuite checks these and other key figures of a Java Card and logs them for further analysis purposes. Further, parts of this test suite serve as a preliminary test for all aforementioned tests in order to ensure that only appropriate tests are executed on the test object.
With Feature Analysis.Test Suite, JC Inspector provides you with a tool that initially checks, analyses and documents the different features of a card. It generates a crypto profile of your Java Card that is used dynamically by the test suite. The test results clearly display the available and the non-available features of the Java Card. The analysis results are temporarily stored internally and support the efficient execution of the entire test.
These features include, among others:
The Cairon and achelos JC Inspector solution is complemented by a number of services and support services. Our experts will help you analyse and fix possible implementation errors, offer support with testing and the execution of test cases, writing automated tests and the certification process according to e.g. Common Criteria.
Our service and support services include:
JC Inspector was developed by Cairon and achelos and is based on Qumate.Testcenter. Managing requirements and test specifications, as well as the actual tests, forms an integral part of Qumate.Testcenter. Qumate is continuously being extended with additional test modules and offers wide scope for customer-specific solutions and implementations.