Javacard

Static analysis on the Javacard bytecode with FindBugs

tags : java, javacard, smart, card, security, ssd, applets, applications

Introduction

As of June '11, I have joined the SSD Team as a trainee. The team performs research on the security of small devices, including smart cards, TPMs (Trusted Platform Modules), electronic labels and personal digital assistants, covering both logical and physical security.

In order to make Javacard applications safer, my job was to do research and to develop some plug-ins for FindBugs that perform static analysis on Java (Javacard) bytecode.

FindBugs is a tool and framework (written in Java) that applies static analysis to Java (Java Card) bytecode in order to detect bug patterns.

It uses BCEL (Byte Code Engineering Library) to analyse, create and manipulate Java class files.

However, FindBugs has some limits. Its static analyses are applied in the context of individual classes, and it offers no direct support for interprocedural or inter-class analysis.

FindBugs produces its own call graph, but it is not sufficient for inter-class analysis. So we built our own call graph, which lets us go further than a basic interprocedural analysis.
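To illustrate the idea of an inter-class call graph built directly on BCEL, here is an added sketch; it is not the SSD team's plug-in code. The class and method names (`InterClassCallGraph`, `addClass`, `reachableFrom`) are hypothetical, and it assumes BCEL is on the classpath and that the `.class` files to analyse are passed on the command line.

```java
import org.apache.bcel.classfile.ClassParser;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.InstructionHandle;
import org.apache.bcel.generic.InvokeInstruction;
import org.apache.bcel.generic.MethodGen;
import java.io.IOException;
import java.util.*;

// Hypothetical helper: one graph shared by every class that is loaded into it.
public class InterClassCallGraph {
    // "pkg.Class.method(sig)" of the caller -> keys of every invoked method
    private final Map<String, Set<String>> edges = new TreeMap<>();

    public void addClass(String classFile) throws IOException {
        JavaClass jc = new ClassParser(classFile).parse();
        ConstantPoolGen cpg = new ConstantPoolGen(jc.getConstantPool());
        for (Method m : jc.getMethods()) {
            String caller = jc.getClassName() + "." + m.getName() + m.getSignature();
            Set<String> callees = edges.computeIfAbsent(caller, k -> new TreeSet<>());
            MethodGen mg = new MethodGen(m, jc.getClassName(), cpg);
            if (mg.getInstructionList() == null) continue; // abstract or native: no body
            for (InstructionHandle ih : mg.getInstructionList().getInstructionHandles()) {
                if (ih.getInstruction() instanceof InvokeInstruction) {
                    InvokeInstruction inv = (InvokeInstruction) ih.getInstruction();
                    // Edge uses the static receiver type only; overriding methods in
                    // subclasses are not resolved here (that needs the class hierarchy).
                    callees.add(inv.getReferenceType(cpg) + "."
                            + inv.getMethodName(cpg) + inv.getSignature(cpg));
                }
            }
        }
    }

    // Every method transitively reachable from root, crossing class boundaries.
    public Set<String> reachableFrom(String root) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> work = new ArrayDeque<>(Collections.singleton(root));
        while (!work.isEmpty()) {
            String cur = work.pop();
            if (!seen.add(cur)) continue; // already visited, also breaks recursion cycles
            work.addAll(edges.getOrDefault(cur, Collections.emptySet()));
        }
        return seen;
    }

    // Usage: java InterClassCallGraph "<Class.method(sig)>" A.class B.class ...
    public static void main(String[] args) throws IOException {
        InterClassCallGraph g = new InterClassCallGraph();
        for (int i = 1; i < args.length; i++) g.addClass(args[i]);
        g.reachableFrom(args[0]).forEach(System.out::println);
    }
}
```

Because the edge map is keyed by fully qualified method and filled from all loaded classes, a traversal can follow a call from one class into another, which a per-class analysis cannot do.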

Resources