Smart Card Attacks: Enter the Matrix
Tiana Razafindralambo, Guillaume Bouffard, Julien Iguchi-Cartigny, Jean-Louis Lanet
Smart Secure Devices (SSD) Team – Xlim Labs – Université de Limoges
aina.razafindralambo@etu.unilim.fr, guillaume.bouffard@xlim.fr
http://secinfo.msi.unilim.fr
GDR SoC-SiP 2012, May 30th, 2012

Outline
1. Introduction
2. Logical attacks
3. Combined attacks
4. Conclusion

1. Introduction
   - Smart Card
   - Our Motivations
   - Java Card
   - Tools
2. Logical attacks
3. Combined attacks
4. Conclusion

Smart Card
A Smart Card is...
- A tamper-resistant computer
- It securely stores and processes information
- Widely used: (U)SIM; Credit Card; Health Insurance Card; Pay TV; etc.
It contains critical information!

Our Motivations
- Understand the implemented Java Card security mechanisms;
- Improve these implementations;
- Design the associated counter-measures;

Java Card Architecture
- Invented in 1996 by Schlumberger;
- Provides an open and secure platform;
Figure (layers, top to bottom):
- JavaCard Applet1, JavaCard Applet2
- (V)OP APIs & Applet Manager
- Framework APIs
- Java Card Virtual Machine
- Native API
- Natives Layers
- Hardware: CPU + Memories + IO

Java Card Security Model
Figure labels:
- off-card Security: Java Class Files; Byte Code Converter; Java Card Files; Byte Code Verifier (BCV); Byte Code Signer
- on-card Security: Java Card Files; BCV; Linker; Installed applet; Firewall

Java Card Converted APplet (CAP) File
[Figure]

Tools Used
CapMap
- Java framework;
- Provides reading and modification of CAP files;
- Modification of any component of a CAP file;
- Available as an Eclipse plug-in and as a standalone GUI;
OPAL
- Java library and GUI;
- Supports the Global Platform 2.x Specification;
- Open-source project;

1. Introduction
2. Logical attacks
   - EMAN 1: A trojan into a smart card
   - EMAN 2: A Ghost in the Stack
   - When the Java Card Linker helps us!
   - Summary
3. Combined attacks
4. Conclusion

EMAN 1: A trojan into a smart card
Motivation
- Insert a Trojan that can write and read everywhere
Hypotheses
- Loading keys are known;
- No on-card BCV;
- The firewall doesn’t check the parameter of these instructions: putstatic, getstatic, invokestatic

How to EMAN 1
- Write a shellcode in a given array;
- Retrieve it;
- Call your shellcode;

Jump jump jump...
Figure (diagram labels):
- Object: Header; @Class; Owner Context; Instance Data
- Class: Header; Sec. Context; ...; Static Variable; @Method Table
- Methods Table: @m1; @m2; @m3; @m4
- Method: Header; Byte Code; ...; invokestatic xxxx; ...

Java Stack
[Figure]

Step 1: get the array address
[Figure]

Figure annotations:
- (1) Load the address of the array (pushed on top of the stack)
- (2)(3) Push the value FF on the stack
- (4) Store it into locals

Gotcha!
[Figure]

Do it again, but differently
[Figure]

Read and write everywhere and...

Original:

    public void getMyAddress() {
        // flags: 0  max stack: 1
        // nargs: 0  max locals: 0
        7C 00 02    getstatic_b 2
        78          sreturn
    }
    public byte setMyAddress(byte val) {
        // flags: 0  max stack: 1
        // nargs: 1  max locals: 0
        1D          sload_1
        31          sstore_2
        7C 00 02    getstatic_b 2
        78          sreturn
    }

Modified:

    public void getMyAddress() {
        // flags: 0  max stack: 1
        // nargs: 0  max locals: 0
        7C 93 76    getstatic_b 93 76
        78          sreturn
    }
    public byte setMyAddress(byte val) {
        // flags: 0  max stack: 1
        // nargs: 1  max locals: 0
        1D          sload_1
        00          nop
        80 93 76    putstatic_b 93 76
        78          sreturn
    }

... troll dance
[Figure]

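The Original and Modified listings of EMAN 1 differ in the operand of getstatic_b / putstatic_b: 00 02 in the original, 93 76 in the modified applet. The following Python sketch is an added example, not code from the slides or from the authors' tools; it shows the operand check that the EMAN 1 hypotheses assume is missing, applied to the four method bodies from the listing. The constant pool contents and the name check_static_operands are assumptions made for the illustration, and the opcode table covers only the instructions needed here.

```python
# Added example: a simplified verifier pass over static-access operands.
# 0x7C, 0x80 and the one-byte opcodes appear in the slide listing; the other
# static opcodes are taken from the Java Card VM instruction set.
STATIC_OPS = {0x7B: "getstatic_a", 0x7C: "getstatic_b", 0x7D: "getstatic_s",
              0x7E: "getstatic_i", 0x7F: "putstatic_a", 0x80: "putstatic_b",
              0x81: "putstatic_s", 0x82: "putstatic_i", 0x8D: "invokestatic"}
# One-byte opcodes used in the listing; a real verifier needs the full table.
SIMPLE_OPS = {0x00: "nop", 0x1D: "sload_1", 0x31: "sstore_2", 0x78: "sreturn"}

# Constructed constant pool (assumption): position = index, value = entry kind.
CONSTANT_POOL = ["static_method", "virtual_method", "static_field"]


def check_static_operands(code, pool):
    """Walk the bytecode; return (offset, mnemonic, operand, reason) per violation."""
    findings, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op in SIMPLE_OPS:
            pc += 1
            continue
        if op not in STATIC_OPS:
            findings.append((pc, "0x%02X" % op, None, "opcode not in this table"))
            break  # cannot resynchronise without the full instruction lengths
        name = STATIC_OPS[op]
        if pc + 3 > len(code):
            findings.append((pc, name, None, "truncated operand"))
            break
        index = int.from_bytes(code[pc + 1:pc + 3], "big")
        wanted = "static_method" if name == "invokestatic" else "static_field"
        if index >= len(pool):
            findings.append((pc, name, index, "operand is not a constant pool index"))
        elif pool[index] != wanted:
            findings.append((pc, name, index, "entry is %s, not %s" % (pool[index], wanted)))
        pc += 3
    return findings


# Method bodies transcribed from the Original / Modified listing.
ORIGINAL_GET = bytes.fromhex("7C 00 02 78")
ORIGINAL_SET = bytes.fromhex("1D 31 7C 00 02 78")
MODIFIED_GET = bytes.fromhex("7C 93 76 78")
MODIFIED_SET = bytes.fromhex("1D 00 80 93 76 78")

if __name__ == "__main__":
    for label, body in [("original get", ORIGINAL_GET), ("original set", ORIGINAL_SET),
                        ("modified get", MODIFIED_GET), ("modified set", MODIFIED_SET)]:
        print(label, check_static_operands(body, CONSTANT_POOL))
```

Both original methods pass, while each modified method is rejected at the static access whose operand 0x9376 cannot be a constant pool index.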
EMAN 2: A Ghost in the Stack
Our Goal
- Change the Java Card Program Counter;
- To redirect the Java Card Control Flow Graph;
Attack idea
- Locate the return address of the current function
- Modify this address...
- ... to execute our malicious byte code

Start!
Hypotheses
- There is no on-card BCV
- The loading keys are known
Requirements list
1. Find the array address (as in EMAN 1);
2. Discover where the return address is located in the stack;
3. Change this value in the stack;

Characterize the Java Card stack ...
Figure (frame layout, revealed in three steps):
- Operand Stack; Local variables
- Operand Stack; Frame header; Local variables
- Operand Stack; Return Address; Undefined use value; Local variables

Characterize the Java Card stack ...

    public void ModifyStack(byte[] apduBuffer, APDU apdu, short a)
    {
        short i = (short) 0xCAFE;
        short j = (short) (getMyAddressTabByte(MALICIOUS_ARRAY) + ARRAY_HEADER_SIZE);
        i = j;
    }

Figure (stack labels, top to bottom):
- L8: Pushed values
- L7: Return Address
- L6: Undefined use value
- 6 Locals, down to L0
