smart card attacks enter the matrix
play

Smart Card Attacks: Enter the Matrix Tiana Razafindralambo - PowerPoint PPT Presentation

Apr 06, 2023 •354 likes •902 views

Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Labs Universit e

  1. Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team – Xlim Labs – Universit´ e de Limoges aina.razafindralambo @etu.unilim.fr guillaume.bouffard @xlim.fr http://secinfo.msi.unilim.fr GDR SoC-SiP 2012 May 30 th , 2012 i nsti tut de recherche T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 1 / 37

  2. Introduction Logical attacks Combined attacks Conclusion Outline Introduction 1 Logical attacks 2 Combined attacks 3 Conclusion 4 T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 2 / 37

  3. Introduction Logical attacks Combined attacks Conclusion Introduction 1 Smart Card Our Motivations Java Card Tools Logical attacks 2 Combined attacks 3 Conclusion 4 T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 3 / 37

  4. Introduction Logical attacks Combined attacks Conclusion Smart Card Smart Card A Smart Card is. . . Tamper-Resistant Computer Securely store and process information very used: (U)SIM; Credit Card; Health Insurance Card; Pay TV; etc. It contains critical information ! T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 3 / 37

  5. Introduction Logical attacks Combined attacks Conclusion Our Motivations Our Motivations Our motivations Understand the implemented Java Card security mechanisms; Improve these implementations; Design the associated counter-measures; T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 4 / 37

  6. Introduction Logical attacks Combined attacks Conclusion Java Card Java Card Architecture Invented in 1996 by Schlumberger; Provides an open and secure platform; JavaCard Applet1 JavaCard Applet2 (V)OP APIs & Applet Manager Framework APIs Java Card Virtual Machine Native API Natives Layers Hardware: CPU + Memories + IO T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 5 / 37

  7. Introduction Logical attacks Combined attacks Conclusion Java Card Java Card Security Model off-card Security Java Class Files Java Card Files Byte Code Verifier Byte Code Converter Byte Code Signer (BCV) on-card Security Installed applet Java Card Files BCV Linker Firewall T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 6 / 37

  8. Introduction Logical attacks Combined attacks Conclusion Java Card Converted APplet (CAP) File T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 7 / 37

  9. Introduction Logical attacks Combined attacks Conclusion Tools Tools Used CapMap Java-framework; Provides reading and modification of CAP files; Modification of any component of a CAP file; Available with a plug-in Eclipse and standalone GUI; OPAL Java-(Library & GUI); Supports Global Platform 2.x Specification; Open-Source Project; T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 8 / 37

  10. Introduction Logical attacks Combined attacks Conclusion Introduction 1 Logical attacks 2 EMAN 1: A trojan into a smart card EMAN 2: A Ghost in the Stack When the Java Card Linker helps us! Summary Combined attacks 3 Conclusion 4 T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 9 / 37

  11. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card EMAN 1 Motivation Insert a Trojan that can write and read everywhere Hypotheses Loading keys are known; No on-card BCV; The firewall doesn’t check the parameter of these instructions : putstatic , getstatic , invokestatic T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 9 / 37

  12. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card How to EMAN 1 Write a shellcode in a given array; Retrieve it; Call your shellcode; T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 10 / 37

  13. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card Jump jump jump... Object Methods Table Header @m1 @Class @m2 Owner Context @m3 Instance Data @m4 Class Method Header Header Byte Code Sec. Context ... Static Variable invokestatic xxxx ... @Method T able T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 11 / 37

  14. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card Java Stack T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 12 / 37

  15. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card Step 1 : get the array address T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 13 / 37

  16. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card (1) Load the address of the array (pushed on top of the stack) (2)(3) Push the value FF on the stack (4) store it into locals T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 14 / 37

  17. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card Gotcha ! T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 15 / 37

  18. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card Do it again, but differently T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 16 / 37

  19. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card Read and write everywhere and... p u b l i c void getMyAddress ( ) { p u b l i c void getMyAddress ( ) { // f l a g s : 0 max stack : 1 // f l a g s : 0 max stack : 1 // nargs : 0 m a x l o c a l s : 0 // nargs : 0 m a x l o c a l s : 0 7C 00 02 g e t s t a t i c b 2 7C 93 76 g e t s t a t i c b 93 76 78 s r e t u r n 78 s r e t u r n } } p u b l i c byte setMyAddress p u b l i c byte setMyAddress ( byte v a l ) { ( byte v a l ) { // f l a g s : 0 max stack : 1 // f l a g s : 0 max stack : 1 // nargs : 1 m a x l o c a l s : 0 // nargs : 1 m a x l o c a l s : 0 1D s l o a d 1 1D s l o a d 1 31 s s t o r e 2 00 nop 7C 00 02 g e t s t a t i c b 2 80 93 76 p u t s t a t i c b 93 76 78 s r e t u r n 78 s r e t u r n } } Original Modified T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 17 / 37

  20. Introduction Logical attacks Combined attacks Conclusion EMAN 1: A trojan into a smart card ... troll dance T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 18 / 37

  21. Introduction Logical attacks Combined attacks Conclusion EMAN 2: A Ghost in the Stack EMAN 2 Our Goal Change the Java Card Program Counter; To redirect the Java Card Control Flow Graph; Attack idea Locate the return address of the current function Modify this address . . . . . . to execute our malicious byte code T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 19 / 37

  22. Introduction Logical attacks Combined attacks Conclusion EMAN 2: A Ghost in the Stack Start! Hypotheses There is no on-card BCV The loading keys are known Requirements list 1 Find the array address (as into EMAN 1); 2 Discover where is located the return address in the stack; 3 Change this value in the stack; T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 20 / 37

  23. Introduction Logical attacks Combined attacks Conclusion EMAN 2: A Ghost in the Stack Characterize the Java Card stack ... Operand Stack Local variables T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 21 / 37

  24. Introduction Logical attacks Combined attacks Conclusion EMAN 2: A Ghost in the Stack Characterize the Java Card stack ... Operand Stack Frame header Local variables T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 21 / 37

  25. Introduction Logical attacks Combined attacks Conclusion EMAN 2: A Ghost in the Stack Characterize the Java Card stack ... Operand Stack Return Address Undefined use value Local variables T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 21 / 37

  26. Introduction Logical attacks Combined attacks Conclusion EMAN 2: A Ghost in the Stack Characterize the Java Card stack ... p u b l i c void Pushed ModifyStack ( byte [ ] apduBuffer , values APDU apdu , s h o r t a ) L 8 { s h o r t i =( s h o r t ) 0xCAFE ; Return s h o r t j =( s h o r t ) Address L 7 ( getMyAddressTabByte Undefined (MALICIOUS ARRAY) +ARRAY HEADER SIZE) ; L 6 use value i = j ; } 6 Locals L 0 T. Razafindralambo, G. Bouffard (SSD) Smart Card Attacks: Enter the Matrix Xlim/Univ. de Limoges 21 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N

Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N

A Dynamic Syntax Interpretation for Java based Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N Thampi , and Jean-Louis Lanet Smart Secure Devices (SSD) Team, XLIM/ Universit de Limoges, France

466 views • 17 slides
WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

337 views • 22 slides
Browser based approach for Smart Card Connectivity My Smart Card My Smart Card Kapil Sachdeva

Browser based approach for Smart Card Connectivity My Smart Card My Smart Card Kapil Sachdeva

Browser based approach for Smart Card Connectivity My Smart Card My Smart Card Kapil Sachdeva expiration: 09/10 Karen Lu Ksheerabdhi Krishna Challenges Installing crypto providers Breaks mobility Breaks ubiquity of web

425 views • 8 slides
A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation

A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation

[ICCSA 2004] 2004] [ICCSA A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation Criteria for Side Channel Attacks Side Channel Attacks Presented at the workshop ICCSA ICCSA 200 2004 4, ,

404 views • 26 slides
Smart( Java )Card ... What & Why What - smart card Tiny PC without Human Interface

Smart( Java )Card ... What & Why What - smart card Tiny PC without Human Interface

Smart( Java )Card ... What & Why What - smart card Tiny PC without Human Interface capabilities CPU : 16b/32b RISC @ handful of MhZ Math co-processor: RSA/DES/AES/ECC RAM : X KB HDD : XX..XXX KB (EEPROM) NET :

568 views • 36 slides
Enhancing the Conditional Access Module Security in Light of Smart Card Sharing Attacks

Enhancing the Conditional Access Module Security in Light of Smart Card Sharing Attacks

Enhancing the Conditional Access Module Security in Light of Smart Card Sharing Attacks Konstantinos Markantonakis, Michael Tunstall, Keith Mayes Dr Konstantinos Markantonakis (BSc, MSc, MBA, PhD) K.Markantonakis@rhul.ac.uk

509 views • 15 slides
Combined Software and Hardware Attacks on the Java Card Control Flow Guillaume Bouffard Julien

Combined Software and Hardware Attacks on the Java Card Control Flow Guillaume Bouffard Julien

Introduction EMAN 2 EMAN 4 Conclusion Combined Software and Hardware Attacks on the Java Card Control Flow Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Universit e de Limoges

476 views • 45 slides
Electronic Treasury Enterprise Card GSA Smart Card Handbook Panel Discussion Smart Cards in

Electronic Treasury Enterprise Card GSA Smart Card Handbook Panel Discussion Smart Cards in

Electronic Treasury Enterprise Card GSA Smart Card Handbook Panel Discussion Smart Cards in Government 2004 March 10, 2004 What is the Electronic Treasury Enterprise Card (E-TREC)? E-TREC is the result of the Treasury Departments

507 views • 9 slides
Smart Card Operating Systems Overview and Trends Pierre.Paradinas@gemplus.com Gemplus Labs

Smart Card Operating Systems Overview and Trends Pierre.Paradinas@gemplus.com Gemplus Labs

Smart Card Operating Systems Overview and Trends Pierre.Paradinas@gemplus.com Gemplus Labs Smart card A piece of plastic with a chip that contains: CPU, memories and programs SC is your personal information system, your

598 views • 21 slides
As attendees enter, hand each one a card w/ pain points listed on one side and a community dialog

As attendees enter, hand each one a card w/ pain points listed on one side and a community dialog

As attendees enter, hand each one a card w/ pain points listed on one side and a community dialog starter on the other Short Link: http://bit.do/bpe2019 Documentation can be difficult. It involves people and process and arriving at a shared

503 views • 16 slides
The Challenge LGNZ 6 June 2014 100 % Cyber Attacks Data Indicative National Risk Matrix

The Challenge LGNZ 6 June 2014 100 % Cyber Attacks Data Indicative National Risk Matrix

The Challenge LGNZ 6 June 2014 100 % Cyber Attacks Data Indicative National Risk Matrix Severe Weather Hazardous Spill Failed Large Pacific rural flood Global Financial Asia 10 % State Crisis Interstate Cyber Attacks Conflict

335 views • 11 slides
Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] .

Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] .

Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] . Lorenz Breidenbach ETH Zurich, Cornell [Tech] . Florian Tramer . Stanford . Smart Contract Security - The Prongs Formal Verification (+Specification)

960 views • 28 slides
National ID Cards National Smart Card Office (NSCO)

National ID Cards National Smart Card Office (NSCO)

National ID Cards National Smart Card Office (NSCO) www.sabteahval.ir/houshmand/ National Organization for Civil Tell: 60902701-2 Fax: 66736526 Registration(NOCR) Agenda 1. Traditional ID

370 views • 23 slides
Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com

Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com

Reverse engineering smart cards Christian M. Ams uss linuxwochen@christian.amsuess.com http://christian.amsuess.com/ 2010-05-06 Overview objective understand smart card communication based on sniffable communication hardware standard card

468 views • 20 slides
The Active Card An Active Mind in an Active Body More people, More Active, More often! The

The Active Card An Active Mind in an Active Body More people, More Active, More often! The

The Active Card An Active Mind in an Active Body More people, More Active, More often! The Active vision Active The Olympic Legacy 100,000 card holders by 2012 SMART card technology Improved communications for

421 views • 21 slides
WORLDS MOST ADVANCED DECENTRALIZED MATRIX SMART CONTRACT Decentralization What does it mean?

WORLDS MOST ADVANCED DECENTRALIZED MATRIX SMART CONTRACT Decentralization What does it mean?

WORLDS MOST ADVANCED DECENTRALIZED MATRIX SMART CONTRACT Decentralization What does it mean? What does Decentralization mean? Decentralized Marketing is formed on a smart contract that provides complete security and resilience. A Smart

766 views • 14 slides
ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To discuss buffer overflows in detail Stack-based buffer overflows Smashing the stack: execution from the stack

620 views • 37 slides
Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Ju Just st-in in-tim time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization Kevin Z.

1.82k views • 180 slides
15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

Carnegie Mellon 15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!! Carnegie Mellon Agenda Stack review Attack lab overview Phases

882 views • 19 slides
1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few

1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few

1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few more %cs would be needed to skip format string part 1 OVER questions? 2 last time memory management problems two objects end up at same

965 views • 63 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo

Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo

Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo Instituto de Autom atica e Inform atica Industrial Universitat Polit` ecnica de Val` encia, Spain { speiro, mmu noz, mmasmano, acrespo }

379 views • 18 slides

More recommend