Çò¹ Blockin Blockinöö Ýøø Blockinó Îöö¬ Blockin Blockinøøóò Óö Ââú Öö Úúúö Ääöóý Ìöù×øøø Äóóó¸öùù Ù Ððððð𸼼¼ Îö×××ððð׸ööò

The Java Card ar hite ture for smart ards [4℄ bring two major innovations to the smart ard world: rst, Java ards an run multiple appli ations, whi h an ommuni ate through shared obje ts; se ond, new appli ations, alled applets, an be downloaded on the ard post issuan e. These two features bring onsiderable exibility to the ard, but also raise major se urity issues. A maliious applet, on e downloaded on the ard, an mount a variety of atta ks, su h as leaking on dential information outside (e.g. PINs and se ret ryptographi keys), modifying sensitive information (e.g. the balan e of an ele troni purse), or interfering with other honest appli ations already on the ard, ausing them to malfun tion. The se urity issues raised by applet downloading are well known in the area of Web applets, and more generally mobile ode for distributed systems [23, 11℄. The solution put forward by the Java programming environment is to exe ute the applets in a soalled \sandbox", whi h is an insulation layer preventing dire t a ess to the hardware resour es and implementing a suitable a ess ontrol poli y [7℄. The se urity of the sandbox model relies on the following three omponents: