Virus in a smart card: Myth or reality?

Smart cards are often the target of software or hardware attacks. The most recent attacks are based on fault injection which modifies the behavior of the application. We demonstrate that it is possible to design applications in such a way that they become intentionally hostile while being hit by a laser. Later, a third party can deliver such an application to be deployed on SIM cards without being detected by a code review or a static analysis. We propose an evaluation of the propagation effect and the generation of hostile applications inside the card. To detect such a hostile application we introduce a mutation analysis that checks the ability of an application to be malicious. We implement this analysis in a SmartCM tool; thereafter evaluate its capacity to detect such a fault based mutant.