manipulating the frame information with an underflow
play

Manipulating the Frame Information With an Underflow Attack Emilie - PowerPoint PPT Presentation

Sep 26, 2023 •24 likes •474 views

Manipulating the Frame Information With an Underflow Attack Emilie FAUGERON - CARDIS 2013 emilie.faugeron@thalesgroup.com Thales Communications & Security Table of Contents 2 / 2 Overview Byte code verification of the Underflow

  1. Manipulating the Frame Information With an Underflow Attack Emilie FAUGERON - CARDIS 2013 emilie.faugeron@thalesgroup.com Thales Communications & Security

  2. Table of Contents 2 / 2  Overview  Byte code verification of the Underflow attack  Characterization of the Platform  Exploitation of the Underflow attack  Conclusion Thales Communications & Security CARDIS 2013

  3. Context 3 / 3  The firewall protects applications from unauthorized access  Malicious applications allow to perturb Java Card platform  Dump of the memory located outside the attacker context  Modify the memory located outside the attacker context  The Off-Card Verifier can be used to detect such attack Thales Communications & Security CARDIS 2013

  4. Context 4 / 4  Type confusion attacks can be used to read an object of type A as an object of type B  Mostly used attack  The current context of execution cannot be manipulated  Platforms become more and more resistant to type confusion attack  Can be developed to bypass Off-Card Verification  EMAN attack can be use to abuse firewall checks on static objects  Detected by the Off-Card Verification  Underflow can be used to manipulate the frame: EMAN2  Used undefined local variable  Used to manipulate the program pointer  Nowadays, the hypothesis is « There is no Off-Card Verifier » Thales Communications & Security CARDIS 2013

  5. Our attack 5 / 5  The aim of our attack is to obtain the JCRE context in order to bypass firewall verification  Step1: Develop the underflow attack to bypass BCV  Step2: Read/Characterize frame information thanks to underflow  Step3: Modify the current context by the JCRE context  Step4: Forge address in order to access to out of context information  The method of the attacker will be executed with the JCRE context  Our hypothesis  There is no hypothesis regarding Byte Code Verification: Our underflow attack is developed to bypass Byte Code Verification.  There is no hypothesis regarding privileges: Our application is considered as « well-formed » and can so be loaded onto the card Thales Communications & Security CARDIS 2013

  6. Underflow concept in Java Card 6 / 6  The part of the RAM memory that contains the operand stack and the frame is represented as follows: Operand Used during method execution Stack Contains system information of the Frame current method or caller method. Local Contains local variables and Variables parameters Thales Communications & Security CARDIS 2013

  7. Underflow concept in Java Card 7 / 7  The underflow also to dump/modify data located under the stack by popped elements on empty stack: Operand Used during method execution Stack Contains system information of the Frame current method or caller method. Underflow data Local Contains local variables and Variables parameters Thales Communications & Security CARDIS 2013

  8. Underflow concept in Java Card 8 / 8  All byte codes that manipulate the stack can be used to perform a stack underflow:  Those that lead to a modification of the stack pointer.  Example: putstatic: The putstatic_s instruction store the short located on the top of the stack onto the targeted static field TOS Stack pointer BOS Frame Frame Stack pointer  The static field contains a part of the frame Thales Communications & Security CARDIS 2013

  9. Underflow concept in Java Card 9 / 9  All byte codes that manipulate the stack can be used to perform a stack underflow:  Those that pop elements from the stack without decreasing the stack pointer at the end of their processing.  Example: dup_x: The instruction dup_x takes two parameters coded on 1 byte m and n. The top m word of the stack is duplicated TOS Stack pointer Frame Stack pointer BOS Frame Frame  The top of the stack contains a part of the frame Thales Communications & Security CARDIS 2013

  10. Step1: BCV on the underflow applet 10 / 10  The Underflow will be performed thanks to the byte code dup_x  The Underflow application needs to be developed in order to bypass the BCV  Abuse the Shareable interface mechanism  Nowadays the Shareable Interface are only used to create type confusion  We will use the same concept for underflow Thales Communications & Security CARDIS 2013

  11. Step1: Abuse Shareable interfaces applied to Underflow 11 / 11 Shareable interface definition  Shareable interfaces are a feature in the Java Card API to enable applet interaction. A shareable interface defines a set of shared interface methods. These interface methods can be invoked from one context even if the object implementing them is owned by an applet in another context. It is used as follows:   An interface defines the shareable service  A server implements the shareable service  A client uses the shareable service The shareable interface can be used to abuse the Byte  Code Verifier:  Create a type confusion  Create an underflow Thales Communications & Security CARDIS 2013

  12. Step1: Abuse Shareable interfaces applied to Underflow 12 / 12 SERVER Shareable interface 1 CLIENT Thales Communications & Security CARDIS 2013

  13. Step1: Abuse Shareable interfaces applied to Underflow 13 / 13 SERVER Shareable interface 1 Shareable interface 2 CLIENT Thales Communications & Security CARDIS 2013

  14. Step1: Abuse Shareable interfaces: applied to Underflow 14 / 14 Shareable interface applied to the underflow attack  1-The client is generated using one definition of the interface (InterfaceClient.java): public int myShareableMethod (short myRef); public byte[] myShareableMethod_shortToByteArray (); public short[] myShareableMethod_shortToShortArray (); public myClass myShareableMethod_shortToMyClass (); 2-The server is generated using another definition (InterfaceServer.java): public void myShareableMethod (short myRef); public short myShareableMethod_shortToByteArray (); public short myShareableMethod_shortToShortArray (); public short myShareableMethod_shortToMyClass (); Thales Communications & Security CARDIS 2013

  15. Step1: Abuse Shareable interfaces: applied to Underflow 15 / 15 Off-card verification of the Server   ShareObj.myShareableMethod() returned void Server.cap Off-Card PASS Verifier InterfaceServer.cap Off-card verification of the Client   ShareObj.myShareableMethod() returned int Client.cap Off-Card PASS Verifier InterfaceClient.cap Thales Communications & Security CARDIS 2013

  16. Step1: Abuse Shareable interfaces: applied to Underflow 16 / 16 Applications and Interface loading  Server.cap Client.cap InterfaceServer.cap card Thales Communications & Security CARDIS 2013

  17. Step1: Abuse Shareable interfaces: applied to Underflow 17 / 17  Execution of the APDU with INS=0x20: public void underflow_dupx (short type,short index,short ad,short frame_info){ ShareObj = (InterfaceClient) (JCSystem.getAppletShareableInterfaceObject (appletServerAID,(byte)0)); ShareObj.myShareableMethod(ad); //push 4 bytes on stack //Dupx on empty stack //Addresses forging: short[] myShortArray = ShareObj.myShareableMethod_shortToShortArray (); byte[] myByteArray = ShareObj.myShareableMethod_shortToByteArray (); ClassA myInsanceClassA = ShareObj.myShareableMethod_shortToMyClass (); //Read or modify the memory using //myShortArray, myByteArray or myInsanceClassA } public void process(APDU apdu) { … case (byte)0x20: //Retrieve data in APDU Buffer: type, index, ad, frame_info underflow_dupx (type, index, ad, frame_info); } … } Thales Communications & Security CARDIS 2013

  18. Step1: Abuse Shareable interfaces: applied to Underflow 18 / 18  Execution of the APDU with INS=0x20: public void underflow_dupx (short type,short index,short ad,short frame_info){ ShareObj = (InterfaceClient) (JCSystem.getAppletShareableInterfaceObject (appletServerAID,(byte)0)); ShareObj.myShareableMethod(ad); No int will be pushed, the dup_x //Dupx on empty stack intruction will be performed on an empty stack //Addresses forging: short[] myShortArray = ShareObj.myShareableMethod_shortToShortArray (); byte[] myByteArray = ShareObj.myShareableMethod_shortToByteArray (); ClassA myInsanceClassA = ShareObj.myShareableMethod_shortToMyClass (); //Read or modify the memory using //myShortArray, myByteArray or myInsanceClassA } public void process(APDU apdu) { … case (byte)0x20: //Retrieve data in APDU Buffer: type, index, ad, frame_info underflow_dupx (type, index, ad, frame_info); } … } Thales Communications & Security CARDIS 2013

Recommend

CS 5 4 3 : Com puter Graphics Lecture 9 ( Part I I I ) : Raster Graphics: Manipulating I m ages

CS 5 4 3 : Com puter Graphics Lecture 9 ( Part I I I ) : Raster Graphics: Manipulating I m ages

CS 5 4 3 : Com puter Graphics Lecture 9 ( Part I I I ) : Raster Graphics: Manipulating I m ages Emmanuel Agu Manipulating Pixm aps Pixmap = rectangular array of numerical values Pixmap copied to frame buffer = rendered Change frame

297 views • 12 slides
Surfin ng the f frame n et A frame is a complex condition on its

Surfin ng the f frame n et A frame is a complex condition on its

1. Frames 2. Shifting 3. Metonymy 4. Word formation 5. Conclusion 2 Whats a frame? Surfin ng the f frame n et A frame is a complex condition on its potential

162 views • 13 slides
Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings

Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings

Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings economical materials combined with conventional B deck materials To be utilized with any type lightweight non-metal roofing system

215 views • 17 slides
What is frame busting? What is frame busting? HTML allows for any site to frame any URL with an

What is frame busting? What is frame busting? HTML allows for any site to frame any URL with an

What is frame busting? What is frame busting? HTML allows for any site to frame any URL with an IFRAME (internal frame) <iframe src=http://www.google.com> Ignored by most browsers </iframe> What is frame busting?

539 views • 52 slides
Algorithms and Architecture 1 Representing and Manipulating Numbers Alexandre David 1 Outline

Algorithms and Architecture 1 Representing and Manipulating Numbers Alexandre David 1 Outline

Algorithms and Architecture 1 Representing and Manipulating Numbers Alexandre David 1 Outline Introduction Information storage Integer coding Basic arithmetics Hexadecimal notation Endianness Floats IEEE FP

308 views • 19 slides
Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame

Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame

Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame Relay - Introduction and Concepts lesson, Frame Relay introduces some cost savings benefits over point-to-point leased lines. This lesson will

396 views • 14 slides
degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS

degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS

estimated camera position estimated camera rotation 500 80 60 40 degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS errors using prev (:) vs. model ( ) 60 50 RMS intensity error 40 30 20

717 views • 23 slides
How to use Dates & Times with pandas Manipulating Time Series Data in Python Date & Time

How to use Dates & Times with pandas Manipulating Time Series Data in Python Date & Time

MANIPULATING TIME SERIES DATA IN PYTHON How to use Dates & Times with pandas Manipulating Time Series Data in Python Date & Time Series Functionality At the root: data types for date & time information Objects for points in

279 views • 25 slides
Text-Adaptive Generative Adversarial Networks: Manipulating Images with Natural Language

Text-Adaptive Generative Adversarial Networks: Manipulating Images with Natural Language

Text-Adaptive Generative Adversarial Networks: Manipulating Images with Natural Language Seonghyeon Nam, Yunji Kim, Seon Joo Kim Dept. of Computer Science, Yonsei University Seoul, South Korea Manipulating Images with Natural Language Icons

193 views • 16 slides
Verification of String Manipulating Programs Fang Yu Software Security Lab. Department of

Verification of String Manipulating Programs Fang Yu Software Security Lab. Department of

Introduction Automata Manipulations Symbolic String Vulnerability Analysis Composite String Analysis Implementation and Summary Verification of String Manipulating Programs Fang Yu Software Security Lab. Department of Management Information

1.62k views • 138 slides
Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud platform that lets organizations deliver amazing experiences and workflows to users on all connected devices . Pixels user input Confidential Why

540 views • 21 slides
Rearranging and manipulating h e a d e r = T R U E , n a . s t r i n g s =

Rearranging and manipulating h e a d e r = T R U E , n a . s t r i n g s =

An introduction to WS 2019/2020 m y d a t a < - r e a d . t a b l e ( fj l e = " m y d a t a . t x t " , Rearranging and manipulating h e a d e r = T R U E , n a . s t r i n g

199 views • 6 slides
Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration

Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration

Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration While we still have more lessons left to fully cover the major aspects of Frame Relay and its configuration, I wanted to include a couple of short,

435 views • 14 slides
Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A

Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A

Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A Workshop in Honor of Chuck Fillmore June 27, 2014 * Thanks to Desai Chen, Kuzman Ganchev, Karl Moritz Hermann, Andr Martins, Nathan Schneider, Noah

1.63k views • 152 slides
Do You Want To Provide Food or Do You Want Your Patients To Eat? Manipulating a foodservice

Do You Want To Provide Food or Do You Want Your Patients To Eat? Manipulating a foodservice

Do You Want To Provide Food or Do You Want Your Patients To Eat? Manipulating a foodservice system to achieve patient centred outcomes . Sally McCray, APD Director Nutrition and Dietetics Mater Health Services, Brisbane, Australia

686 views • 24 slides
Manipulating the Human Memory for Fun and Profit Stefan Schumacher

Manipulating the Human Memory for Fun and Profit Stefan Schumacher

Manipulating the Human Memory for Fun and Profit Stefan Schumacher www.sicherheitsforschung-magdeburg.de Magdeburger Institut fr Sicherheitsforschung DeepSec 2018 Stefan @0xKaishakunin Schumacher Manipulating Human Memory 9th December 2018

506 views • 34 slides
pointer-manipulating programs Nadia Polikarpova joint work with Ilya Sergey (Yale-NUS) follow

pointer-manipulating programs Nadia Polikarpova joint work with Ilya Sergey (Yale-NUS) follow

SuSLik: synthesis of safe pointer-manipulating programs Nadia Polikarpova joint work with Ilya Sergey (Yale-NUS) follow along https://github.com/TyGuS/suslik-tutorial 2 pointer-manipulating programs network / security operating systems

1.23k views • 105 slides
Reconciling the Payroll Ledger June 18, 2019 Basics of Manipulating Data Reconciliation

Reconciling the Payroll Ledger June 18, 2019 Basics of Manipulating Data Reconciliation

Reconciling the Payroll Ledger June 18, 2019 Basics of Manipulating Data Reconciliation Based on Job Code Balancing to the General Ledger Specific Reconciliation by Employee Basics of Manipulating Data In Data Warehouse EZ Access:

250 views • 10 slides
GIS-Geographical Information System A universal ( x , y , z ) frame: (latitude, longitude,

GIS-Geographical Information System A universal ( x , y , z ) frame: (latitude, longitude,

GIS-Geographical Information System A universal ( x , y , z ) frame: (latitude, longitude, elevation). Usually, only a lat-long (X-Y) plane, with z as a function. Layers and Functions Layers: Diagrams in the X-Y plane, such as features,

234 views • 19 slides
Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Frame

Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Frame

Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Frame semantics Laura Kallmeyer, Timm Lichte, Rainer Osswald & Simon Petitjean University of Dsseldorf DGfS CL Fall School, September 14, 2017 SFB 991

1.47k views • 136 slides
Polynomial-Time What-If Analysis for Prefix-Manipulating MPLS Networks and Segment Routing!

Polynomial-Time What-If Analysis for Prefix-Manipulating MPLS Networks and Segment Routing!

Polynomial-Time What-If Analysis for Prefix-Manipulating MPLS Networks and Segment Routing! ... Stefan Schmid Jiri Srba University of Vienna, Austria Aalborg University, Denmark Polynomial-Time What-If Analysis for Prefix-Manipulating

853 views • 58 slides
Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration

Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration

Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration While we still have more lessons left to fully cover the major aspects of Frame Relay and its configuration, I wanted to include a couple of short,

325 views • 11 slides
Handling Missingness Manipulating Time Series Data in R: Case Studies Missingness > citydata

Handling Missingness Manipulating Time Series Data in R: Case Studies Missingness > citydata

MANIPULATING TIME SERIES DATA IN R: CASE STUDIES Handling Missingness Manipulating Time Series Data in R: Case Studies Missingness > citydata citydata pop 1980-01-01 562994 1981-01-01 564179 1982-01-01 565361 570000 1983-01-01 565491

187 views • 14 slides
RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT. BOOT https://github.com/boot-clj/boot BOOT TEMPLATES boot -d seancorfield/boot-new new -t tenzing -n <name> [+a <option>]* $ cd

566 views • 22 slides

More recommend