Vulnerability Analysis on Smart Cards using Fault Tree
Guillaume Bouffard, Bhagyalekshmy N Thampi, Jean-Louis Lanet
Smart Secure Devices (SSD) Team – XLIM/University of Limoges
guillaume.bouffard@xlim.fr
http://secinfo.msi.unilim.fr
SAFECOMP 2013
INOSSEM
Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards SAFECOMP 2013 1 / 23
Outline
1 Introduction: Smart Card; Java Card Technology; Attacks on Java Card
2 Fault Tree Analysis: Definition; FTA for Smart Card; Code Integrity
3 An API to Mitigate the Undesirable Events: Principle; The INOSSEM API
4 Conclusion
Smart Card – The Smart Card
Widely used device:
◮ Credit Card;
◮ (U)SIM Card;
◮ Health Card (French Vitale card);
◮ Pay TV;
◮ ...
This device contains sensitive data.
Java Card Technology – Java Card based Smart Card
◮ Created by Schlumberger in 1996.
◮ Specified by Oracle.
◮ Provides a friendly environment to develop secure Java applications.
[Figure: Java Card platform layers, top to bottom: Applets; Vendor and/or Industry Specific Extensions; Java Card Runtime Environment (Java Card Framework and APIs, Java Card Virtual Machine); Card Operating System; Hardware.]
Java Card Technology – Java Card Security Model
[Figure: Off-card security: Java Class Files → Byte Code Verifier → Byte Code Converter → Byte Code Signer → Java Card Files. On-card security: Java Card Files → Byte Code Verifier → Installed applet; Firewall.]
Attacks on Java Card – Java Card Attacks
Logical attacks
◮ Execution of malicious Java Card byte codes.
Physical attacks
◮ Side Channel attacks (timing attacks, power analysis attack, ...);
◮ Fault attacks (electromagnetic injection, laser beam injection, ...).
Combined attacks
◮ Mix of physical and logical attacks.
Attacks on Java Card – Example: Eman 2 attack
[Figure: layout of a Java Card frame, from the top of stack downwards: Operand Stack (ToS, param. 2, param. 1, @method), Unknown area, Local variables. The figure shows the parameters pushed on the caller's operand stack reappearing as the local variables of the callee's frame, which sits above the Previous Frame.]
Attacks on Java Card – Example: Eman 2 attack
Java source of the targeted method (maliciousFunction is not defined on the slide):

    public void ModifyStack(byte[] apduBuffer, APDU apdu, short a) {
        short i = (short) 0xCAFE;
        short j = (short) maliciousFunction();
        i = j;
    }

The caller reaches the ModifyStack method through invokevirtual @ModifyStack. The converted Java Card byte code of the method:

    02        // flags:0 max_stack:2
    42        // nargs:4 max_locals:2
    11 CAFE   sspush 0xCAFE
    29 04     sstore 4
    18        aload_0
    7B 00     getstatic_a 0
    8B 01     invokevirtual 1
    29 05     sstore 5
    16 05     sload 5
    29 04     sstore 4
    7A        return

Callout on the slide: Any unchecked byte code. With nargs 4 and max_locals 2 the frame holds six local slots (indices 0 to 5). The same method with the last store changed to slot 7:

    ...
    16 05     sload 5
    29 07     sstore 7
    7A        return

The Return Address of the current function is changed!
Attacks on Java Card – Example: Eman 2 attack – Countermeasure
Security Requirements
◮ Embed a Byte Code Verifier (BCV);
◮ Check the number of locals;
◮ Check the frame integrity.
Proposed Countermeasure: the linked-frame
◮ The memory area is non-contiguous;
◮ The top of stack should be copied.
[Figure: Applet Frame → Method Frame 1 → Method Frame 2, linked rather than contiguous.]
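As an added example (not code from the slides or from the INOSSEM API), the "Check the number of locals" requirement above can be written as a runtime check of every local-variable access against the frame size derived from the method header. Run on the two ModifyStack listings from the previous slide, it accepts the converted method and rejects the modified one at sstore 7. The nibble layout of the two header bytes follows the annotation on the slide, and the Method/check_locals names are this example's own.

```python
"""Runtime check of local-variable indices against a Java Card method header.

Added example; it is not the authors' or the INOSSEM API's code. It replays the
"Check the number of locals" requirement from the slides against the two
ModifyStack listings. Assumptions: the method header packs flags/max_stack in
its first byte and nargs/max_locals in its second (as annotated on the slide),
and the instruction lists below are transcribed from the slide's disassembly.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Opcodes that address a slot in the local-variable area of the current frame.
# "_n" variants (aload_0 ...) carry the index in the mnemonic itself.
LOCAL_OPS = {"sload", "sstore", "aload", "astore"}


@dataclass
class Method:
    header: bytes                               # the two method header bytes
    code: List[Tuple[str, Optional[int]]]       # (mnemonic, operand) pairs

    @property
    def max_stack(self) -> int:
        return self.header[0] & 0x0F

    @property
    def nargs(self) -> int:
        return self.header[1] >> 4

    @property
    def max_locals(self) -> int:
        return self.header[1] & 0x0F

    @property
    def frame_slots(self) -> int:
        # Parameters and locals share one area: valid indices are 0 .. nargs+max_locals-1
        return self.nargs + self.max_locals


def local_index(mnemonic: str, operand: Optional[int]) -> Optional[int]:
    """Return the local slot an instruction touches, or None if it touches none."""
    base, _, suffix = mnemonic.partition("_")
    if base not in LOCAL_OPS:
        return None
    return int(suffix) if suffix else operand


def check_locals(method: Method) -> List[Tuple[int, str, int]]:
    """Runtime locals check: (pc, mnemonic, index) for every access outside the frame."""
    violations = []
    for pc, (mnemonic, operand) in enumerate(method.code):
        index = local_index(mnemonic, operand)
        if index is not None and not 0 <= index < method.frame_slots:
            violations.append((pc, mnemonic, index))
    return violations


# Header bytes from the slide: 0x02 -> flags 0, max_stack 2; 0x42 -> nargs 4, max_locals 2
HEADER = bytes([0x02, 0x42])

# ModifyStack as converted from the Java source on the slide
LEGITIMATE = Method(HEADER, [
    ("sspush", 0xCAFE), ("sstore", 4), ("aload_0", None), ("getstatic_a", 0),
    ("invokevirtual", 1), ("sstore", 5), ("sload", 5), ("sstore", 4), ("return", None),
])

# The same method after the ill-formed CAP file changed the last store to slot 7
MODIFIED = Method(HEADER, [
    ("sspush", 0xCAFE), ("sstore", 4), ("aload_0", None), ("getstatic_a", 0),
    ("invokevirtual", 1), ("sstore", 5), ("sload", 5), ("sstore", 7), ("return", None),
])


if __name__ == "__main__":
    for name, m in (("legitimate", LEGITIMATE), ("modified", MODIFIED)):
        print(name, "frame slots:", m.frame_slots, "violations:", check_locals(m))
```

The check is deliberately computed from the header rather than from a per-card constant: the frame size of every method is known at load time, so the same comparison can be done by an on-card verifier before installation or by the interpreter on each sload/sstore.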
Attacks on Java Card – Problematic
Inductive Approach
◮ 1 attack = 1 countermeasure;
◮ bottom-up solution.
Our Requirements
◮ A top-down analytic solution;
◮ Definition of each undesirable event.
Definition – The Fault Tree Analysis (FTA)
◮ Undesirable event;
◮ Initial causes;
◮ Gate Connector.
[Figure: Effect at the top, connected by an OR gate to Cause 1 and Cause 2.]
Definition – FTA for Eman 2 attack
Access to the frame content
  AND
    Ill-formed CAP file applet execution
    Modification is allowed
      AND
        No BCV
        No runtime locals check
        No frame integrity
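An added example, not the authors' tooling: the Eman 2 tree above encoded as AND/OR gates, with a small evaluator that derives the minimal cut sets (the combinations of initial causes that reach the undesirable event) and tells which single cause, once removed by a countermeasure, blocks the top event. The gate algebra is generic, so the OR-shaped trees elsewhere in the talk can be encoded the same way. The Event/Gate names and the card state used as input are this example's own.

```python
"""Minimal cut sets and countermeasure evaluation for a fault tree.

Added example, not the authors' tooling. The tree below is the Eman 2 fault
tree transcribed from the slide (two AND gates); the gate algebra is generic
and also handles OR gates.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Union


@dataclass(frozen=True)
class Event:
    """A basic (initial) cause: a missing check or an attacker capability."""
    name: str


@dataclass(frozen=True)
class Gate:
    """An intermediate or top event, produced by AND/OR over its inputs."""
    kind: str          # "AND" or "OR"
    name: str
    inputs: tuple      # of Event | Gate


Node = Union[Event, Gate]


def minimise(sets: List[FrozenSet[str]]) -> List[FrozenSet[str]]:
    """Keep only minimal cut sets (drop any set that contains another one)."""
    unique = set(sets)
    return sorted((s for s in unique if not any(o < s for o in unique)), key=sorted)


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """All minimal combinations of basic events that make `node` occur."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif node.kind == "AND":
        combined = [frozenset()]
        for sets in child_sets:
            combined = [a | b for a in combined for b in sets]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return minimise(combined)


def occurs(node: Node, present: Set[str]) -> bool:
    """Evaluate the tree for one card: `present` is the set of basic events that hold."""
    if isinstance(node, Event):
        return node.name in present
    results = [occurs(child, present) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def sufficient_countermeasures(node: Node) -> List[str]:
    """Basic events whose removal alone blocks the top event (they sit in every cut set)."""
    sets = cut_sets(node)
    every = set().union(*sets)
    return sorted(e for e in every if all(e in s for s in sets))


# Eman 2 fault tree, transcribed from the slide
EMAN2 = Gate("AND", "Access to the frame content", (
    Event("Ill-formed CAP file applet execution"),
    Gate("AND", "Modification is allowed", (
        Event("No BCV"),
        Event("No runtime locals check"),
        Event("No frame integrity"),
    )),
))

# Constructed state of a card that has none of the three checks
UNPROTECTED = {"Ill-formed CAP file applet execution", "No BCV",
               "No runtime locals check", "No frame integrity"}


if __name__ == "__main__":
    for cs in cut_sets(EMAN2):
        print("cut set:", sorted(cs))
    print("unprotected card reachable:", occurs(EMAN2, UNPROTECTED))
    print("with runtime locals check:", occurs(EMAN2, UNPROTECTED - {"No runtime locals check"}))
    print("single sufficient countermeasures:", sufficient_countermeasures(EMAN2))
```

Because both gates are AND, the Eman 2 tree has a single cut set, and any one of the four causes removed (a BCV, a runtime locals check, or frame integrity) is enough to block it; an OR gate in the tree would instead produce several cut sets and only causes common to all of them would count as sufficient on their own.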
FTA for Smart Card – Smart Card's Assets
Undesirable events can affect:
◮ Code integrity (highlighted on the slide as the case developed next);
◮ Data integrity;
◮ Code confidentiality;
◮ Data confidentiality.
An attack offers the execution of a malicious byte code.
Code Integrity – How to break the Java Card Code Integrity?
Perturbation of the Code Integrity
  OR
    Execution of new arbitrary code (OR gate over lower-level causes)
    Existing code modification (OR gate over lower-level causes)
Lower-level causes on the slide: Frame corruption, Extended branch, Byte Code desynchronization, Condition branch, Exception mechanism, Type Confusion, Code Modification.