sar ssi 2012
play

SAR-SSI 2012 1 Introduction Java Card security model Off-card - PowerPoint PPT Presentation

Dec 28, 2022 •37 likes •227 views

Samiya Hamadouche, Guillaume Bouffard , Jean-Louis Lanet, Bruno Dorsemaine , Bastien Nouhant, Alexandre Magloire, Arnaud Reygnaud guillaume.bouffard@xlim.fr bruno.dorsemaine@etu.unilim.fr SAR-SSI 2012 1 Introduction Java Card security model

  1. Samiya Hamadouche, Guillaume Bouffard , Jean-Louis Lanet, Bruno Dorsemaine , Bastien Nouhant, Alexandre Magloire, Arnaud Reygnaud guillaume.bouffard@xlim.fr bruno.dorsemaine@etu.unilim.fr SAR-SSI 2012 1

  2. Introduction Java Card security model Off-card security model Java class Byte code Byte code Byte code Java Card files verifier (BCV) converter signer file On-card security model Java Card Installed Firewall BCV Linker file applet 2

  3. Introduction Our objectives  Understand the security of Java Card better  Improve it Process  Create ill typed files  Load files on the card 3

  4. Summary Introduction Overview Dr4ccarD & the results Counter measures Conclusion 4

  5. Overview Goals  Execute arbitrary & rich shell-codes Problem  The addresses of the methods are not access free 5

  6. Process How ?  Modifying the CAP file What ?  Method Component  Constant Pool Component  Reference Location Component When ?  Linking step 6

  7. Normal linking step : before [ … ] .ConstantPoolComponent { [ … ] 0006 - ConstantStaticMethodRef : ExternalStaticMethoddRef : packageToken 80 classToken 10 token 6 } Method referenced by [ … ] the token 0006 .MethodComponent { [ … ] Constant Pool reference @008a invokestatic 0006 [ … ] (token) } [ … ] .ReferenceLocationComponent { [ … ] offsets_to_byte2_indices = { [ … ] @008b Offset of a token [ … ] } [ … ] } [ … ] 7

  8. Normal linking step : after [ … ] .ConstantPoolComponent { [ … ] 0006 - ConstantStaticMethodRef : ExternalStaticMethoddRef : packageToken 80 classToken 10 token 6 } [ … ] .MethodComponent { [ … ] Real address to call the method #8553 invokestatic 0539 [ … ] } [ … ] .ReferenceLocationComponent { [ … ] offsets_to_byte2_indices = { [ … ] @008b [ … ] } [ … ] } [ … ] 8

  9. The attack Original code Call to the referenced method [ … ] @008a invokestatic 0006 Token @008d bspush 2a @008f sreturn Push the byte 0x2a as a [ … ] signed short on the stack Return the top of the stack Output 0x002a reference 0x002a @0089 @008a @008f after 9

  10. The attack Modified code [ … ] @008a sspush 0006 Push the token on the stack @008d nop @008e nop @008f sreturn [ … ] Output 0x0539 0x0539 @0089 @008a @008f after 10

  11. Summary Introduction Overview Dr4ccarD & the results Counter measures Conclusion 11

  12. Dr4ccarD Cap Map CAP files Ill typed files Dr4ccarD OPAL Analysis  Generic  Platform independent Final report  API version (in)dependent 12

  13. The results Reference Java Card GP Characteristics Address of getKey a-21a 2.1.1. 2.0.1. 0x8C08 a-22a 2.2. 2.1. 64k EEPROM 0x080A a-22c 2.1.1. 2.1.1. 36k EEPROM, RSA 0x020F b-21a 2.1.1. 2.1.2. 16k EEPROM, RSA 0x3267 c-22a 2.1.1. 2.0.1. RSA 0x810B 2.1.1. 72k EEPROM, dual c-22c 2.2. 0x810B interface, RSA d-21a 2.1. 2.0.1. 32K EEPROM, RSA 0x0003 d-22b 2.1.1. 2.1.1. 16k EEPROM 0x80BA e-21a 2.2. 2.1. 72k EEPROM 0x142F 13

  14. Summary Introduction Overview Dr4ccarD & the results Counter measures Conclusion 14

  15. Counter measures Use an embedded BCV  O(n * 43 + p)  n : number of instructions  p : number of tokens 15

  16. Counter measures Only link real tokens  O(p * log(log(43)))  p : number of tokens .ReferenceLocationComponent { [ … ] @008b [ … ] Belong to {new, invokestatic, } invokevirtual , …} ? @008a invokestatic 0006 16

  17. Summary Introduction Overview Dr4ccarD & the results Counter measures Conclusion 17

  18. Conclusion  Map of the Java Card API  Reverse engineering is easier  Affordable counter measure  Ongoing work : Use a laser beam to bypass an embedded BCV 18

  19. Thank you for your attention Do you have any question ? guillaume.bouffard@xlim.fr bruno.dorsemaine@etu.unilim.fr http://secinfo.msi.unilim.fr/ 19

Recommend

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02 11 2012 Source: Wijewantha (1964); Fox (1977); Basuki (1981); Peries & Liyanage (1983) 3 02 11 2012 Source: Situmorang,

381 views • 13 slides
12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health

12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health

12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health effects (besides those mentioned in this slide) e.g. laxation, gut functioning and other types of cancer. This presentation will focus on healthy

696 views • 30 slides
2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission

2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission

CENTER FOR I NVASI VE PLANT MANAGEMENT Liz Galli-Noble, CI PM Director 2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission To promote ecologically sound management of invasive plants in western North

600 views • 18 slides
Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians

Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians

2/21/2012 How Natural Forces Affected Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians Mesopotamians 3 2/21/2012 Pyramids(118) of Egypt Acropolis, Athens Persepolis, Iran 4 2/21/2012 The roots of

1.05k views • 59 slides
(1) Adjudication! 3 October 2012 (2) Estidama! 4 October 2012 2 October 2012 (3) The

(1) Adjudication! 3 October 2012 (2) Estidama! 4 October 2012 2 October 2012 (3) The

October 2012 Can Adjudication assist Abu Dhabi in achieving its Sustainability (Estidama) goals for the construction industry? Presentation by: Paul Straker FCInstCES, FRICS, FICE, MCIArb October 2012 1 October 2012 Credit to Others

492 views • 36 slides
New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012

New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012

New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 February 2012 Preliminary Results 2011 1 Recently upgraded facilities on New Britain 2 Introduction New Britain Palm Oil Ltd 2012 Record

686 views • 44 slides
H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011

H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011

Reykjavk, 30 August 2012 H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011 2011 2010 Net interest income 18,573 16,849 10,020 8,553 9,704 7,145 32,649 24,685 Profit after taxes 11,877

419 views • 17 slides
Timeline May 7, 2012 Reviewed Scenarios A and B May 14, 15 & 16, 2012 Held

Timeline May 7, 2012 Reviewed Scenarios A and B May 14, 15 & 16, 2012 Held

10/18/2012 August 15, 2011 Began discussion of the California Voting Rights Act and its impacts on RUSD February 6, 2012 Board of Education adopted legal and local preference demographical criteria to be used in

324 views • 8 slides
2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results -

2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results -

2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results - Review Angus Cockburn Chief Financial Officer 4 2012 Results Pre-Exceptional 2011 2012 Movement m m As reported Underlying Revenue 1,583

442 views • 21 slides
Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3

Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3

Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3 2012 Henkel Analyst & Investor Meeting Disclaimer This information contains forward-looking statements which are based on current estimates

932 views • 33 slides
2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012

2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012

2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012 l Fabienne Lecorvaisier l Chief Financial Officer 2012 H1 Performance Paris, July 30, 2012 Soft growth in Q2 Performance preserved Strong cash

811 views • 52 slides
2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August

2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August

10/15/2012 2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August 9, 2012 | Madison, WI September 20, 2012 | Denver, CO Diep Nguyen, Ph.D. NorthEastern Illinois University n-nguyen8@neiu.edu

555 views • 14 slides
2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial

2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial

2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial Review Angus Cockburn Finance Director 2012 Interim Results 2012 2011 Movement m m As reported Underlying Revenue 734 637 15% 16%

400 views • 23 slides
Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological

Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological

iGEM 2012 iGEM 2012 Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological drugs Advantages Specific Safe OUR SURVEY OF HEPATITIS C PATIENTS Effective None 12% Drawbacks Strong 37%

823 views • 42 slides
Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this

Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this

Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this presentation are unaudited. On 18 April 2012, BNP Paribas issued a restatement of its quarterly results for 2011 reflecting, in particular, an

1.23k views • 73 slides
Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this

Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this

Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this presentation are unaudited. On 18 April 2012, BNP Paribas issued a restatement of its quarterly results for 2011 reflecting, in particular, an

935 views • 77 slides
enersis 9M 2012 results Enersis consolidated results 9M 2012 Highlights in 9M 2012 Distribution:

enersis 9M 2012 results Enersis consolidated results 9M 2012 Highlights in 9M 2012 Distribution:

07 | 11 | 2012 enersis 9M 2012 results Enersis consolidated results 9M 2012 Highlights in 9M 2012 Distribution: an increase in 2,373 GWh in physical sales and close to 380 thousand new customers were added in the period Generation: despite the

725 views • 30 slides
endesa chile 9M 2012 results Endesa Chile consolidated results 9M 2012 Highlights of 9M 2012

endesa chile 9M 2012 results Endesa Chile consolidated results 9M 2012 Highlights of 9M 2012

07 | 11 | 2012 endesa chile 9M 2012 results Endesa Chile consolidated results 9M 2012 Highlights of 9M 2012 Growth of 2.5% in electricity demand in the region Lower Revenues due to an increase in Operating Costs, related with higher fuel and

241 views • 21 slides
2012 LEVY HEARING December 18, 2012 Meeting of the Board 2012 Levy Calendar Discussion

2012 LEVY HEARING December 18, 2012 Meeting of the Board 2012 Levy Calendar Discussion

12/11/12 2012 LEVY HEARING December 18, 2012 Meeting of the Board 2012 Levy Calendar Discussion Preliminary Discussion October 9, 2012 of Proposed 2012 Levy Tentative Levy Approval November 20, 2012 Levy Request Published December

292 views • 10 slides
Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman

Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman

Full Year 2012 1 Results presentation Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman Nightingale Woods,Wendover Full Year 2012 3 Mark Clare Group Chief Executive Newberry Corner, Churchinford Full

928 views • 60 slides
enersis 1H 2012 results Enersis consolidated results 1H 2012 Highlights in 1H 2012 Distribution:

enersis 1H 2012 results Enersis consolidated results 1H 2012 Highlights in 1H 2012 Distribution:

26 | 07 | 2012 enersis 1H 2012 results Enersis consolidated results 1H 2012 Highlights in 1H 2012 Distribution: an increase in 1,582 GWh in physical sales and close to 377,000 new customers were added in the period Generation: despite the

669 views • 29 slides
P P O O H H S S K K R R O O W W 2012 2012 24 25 October

P P O O H H S S K K R R O O W W 2012 2012 24 25 October

Special program P P O O H H S S K K R R O O W W 2012 2012 24 25 October www.people.marcegaglia.com WED n o i s i 24 v i d p i r t s a l i g a g e c r a M i g , a i B o z n e r o L New steel

364 views • 24 slides
Staff Meeting November 6, 2012 1 00 1:00 p.m. 2:00 p.m. 2 00 SEB 2099 November 6, 2012 1

Staff Meeting November 6, 2012 1 00 1:00 p.m. 2:00 p.m. 2 00 SEB 2099 November 6, 2012 1

11/7/2012 Staff Meeting November 6, 2012 1 00 1:00 p.m. 2:00 p.m. 2 00 SEB 2099 November 6, 2012 1 11/7/2012 Todays Agenda 1. Opening Remarks and Welcome 2. Approval of Agenda 3. Approval of Minutes April 27, 2012 4. Faculty

638 views • 21 slides
P P O O H H S S K K R R O O W W 2012 2012 24 25 October

P P O O H H S S K K R R O O W W 2012 2012 24 25 October

Special program P P O O H H S S K K R R O O W W 2012 2012 24 25 October www.people.marcegaglia.com THU Marcegaglia sheet & heavy plate division 25 Nazzareno Rubino, The flat universe: Marcegaglia expertise 0 0 . 4

600 views • 36 slides

More recommend