virus dans une carte mythe ou proche r alit
play

Virus dans une carte mythe ou (proche) ralit ? Dcembre 2013 - PowerPoint PPT Presentation

Jul 13, 2023 •96 likes •708 views

Virus dans une carte mythe ou (proche) ralit ? Dcembre 2013 Sminaire Confiance Numrique Jean-Louis Lanet Jean-louis.lanet@unilim.fr Agenda Class of attacks Java Based Smart Card Hide this code and execute it.

  1. Virus dans une carte mythe ou (proche) réalité ? Décembre 2013 Séminaire Confiance Numérique Jean-Louis Lanet Jean-louis.lanet@unilim.fr

  2. Agenda • Class of attacks • Java Based Smart Card • Hide this code and execute it.

  3. Hypothesis • We always think in term of normal behavior, – We design software in order to provide the expected service, – The attacker has full authority to chose the rules. • To have confidence into the service delivery: – We must ensure (prove) that the service is delivered. – We must give guarantees that it does not what it is not expected to do. • In such a case proof is too hard, • Environment hypotheses are too huge, • Attacker behavior is difficult to mode, • Expertise and know-how remain the best defense.

  4. Invasive attacks • Chip is physically and irreversibly modified (remove the glue, can be visually detected later) – Passive attacks : • off line : reverse engineering of ROM code • in line : information reading (bus, memory, etc…) by probing or analysis of electrical potential. – Active attacks : • off line : modification of the component, • in line : injection of information.

  5. Side Channel Attack Algorithm to compute x = y d mod n: Begin m = bit-size of d Let x = y For i = m-2 down to 0 Let y= y*y mod n If (bit i of d) is 1 Then Let x = (x*y) mod n End End 2E C6 91 5B F9 4A 0 0 1 0 1 1 1 0 1 1 0 0 0 1 1 0 1 0 0 1 0 0 0 1 0 1 0 1 1 0 1 1 1 1 1 1 1 0 0 1 0 1 0 0 1 0 1 0 Key value : 4A F9 5B 91 C6 2E

  6. RSA 2012

  7. Perturbation attack • Perturbation attacks change the normal behaviour of an IC in order to create an exploitable error • The behaviour is typically changed either by applying an external source of energy during the operation, • For attackers, the typical external effects on an IC running a software application are as follows – Modifying a value read from memory during the read operation, (transient) – Modification of the Eeprom values, (permanent) – Modifying the program flow, various effects can be observed: • Skipping an instruction, Inverting a test, Generating a jump, Generating calculation errors

  8. 8 Mutant • Definition – A piece of code that passed the BC verification during the loading phase or any certification or any static analysis, and has been loaded into the EEPROM area, – This code is modified by a fault attack, – It becomes hostile : illegal cast to parse the memory, access to other pieces of code, unwanted call to the Java Card API (getKey ,…). SSD Team-Xlim

  9. 9 Example of mutant Bytecode Octets Java code 00 : aload_0 00 : 18 private void debit(APDU apdu) { 01 : getfield 85 60 01 : 83 85 60 04 : invokevirtual 81 00 04 : 8B 81 00 07 : ifeq 59 07 : 60 3B if ( pin.isValidated() ) { 09 : … 09 : … // make the debit operation … … } else { 59 : goto 66 59 : 70 42 ISOException.throwIt ( 61 : sipush 25345 61 : 13 63 01 SW_PIN_VERIFICATION_REQUIRED); 64 : invokestatic 6C 00 64 : 8D 6C 00 } 67 : return 67 : 7A Stack ref ref ref 0-1 ref 0-1 SSD Team-Xlim aload_0 getfield #4 invokevirtual #18 ifeq 59 09: …

  10. 10 Example of mutant Bytecode Octets Java code 00 : aload_0 00 : 18 private void debit(APDU apdu) { 01 : getfield 85 60 01 : 83 85 60 04 : invokevirtual 81 00 04 : 8B 81 00 07 : nop 07 : 00 if ( pin.isValidated() ) { 08 : pop 08 : 3B 09 : … 09 : … // make the debit operation … … 59 : goto 66 59 : 70 42 } else { 61 : sipush 25345 61 : 13 63 01 ISOException.throwIt ( 64 : invokestatic 6C 00 64 : 8D 6C 00 SW_PIN_VERIFICATION_REQUIRED); 67 : return 67 : 7A } Stack 0-1 ref ref ref 0-1 ref 0-1 SSD Team-Xlim aload_0 getfield #4 invokevirtual #18 nop pop 09: …

  11. Attack Hypothesis • Hardware and mixed attack – Ability to change a byte in the memory (EEPROM), – Ability to change a byte on the buses during the transfer from memory to the CPU, – Consequences: • Changes in the control flow • Changes in the type system – RAM is more difficult to attack by perturbation hardware, – Card can be withdraw at any time,

  12. Java Card Architecture Development Library Java source code .jar Java Class files Java Card Compiler Image .jar Byte code verifier, *.java converter, and signer Java Card Virtual Machine Off-card loader Java Card files API On-card Interpreter loader O.S. .cap

  13. The CAP file • Contains an executable representation of package classes • Contains a set of components (11) • Each component describes an aspect of CAP file – Class info – Executable byte code – Linking info,… • Optimized for small footprint by compact data structure • Loaded on card

  14. Stack underflow ? • The idea: – Locate the return address of the current function somewhere in the stack, – Modify this address . . . – Once you return you will execute our malicious byte code (the previous array). • We need to characterize the stack implementation, SSD Team-Xlim

  15. Java Frame implementation Tos parameter 2 Evaluation stack parameter 1 @method Unknown area Local variables SSD Team-Xlim

  16. Java Frame implementation Tos Tos L2 parameter 2 parameter 2 parameter 1 L1 Evaluation stack parameter 1 @method L0 @method Unknown area Previous frame Local variables SSD Team-Xlim

  17. Characterize the stack public void ModifyStack (byte[] apduBuffer,APDU apdu, short a) L2 L1 L3 { short i=(short) 0xCAFE ; L4 short j=(short)(getMyAddressTabByte (MALICIOUS L5 ARRAY)+6) ; i = j ; L0 = this } SSD Team-Xlim

  18. A ghost in the stack • Modify the CAP file to change the value of the index of the locals: public void ModifyStack (byte[] apduBuffer, APDU apdu, short a) { short i=(short) 0xCAFE ; short j=(short) (getMyAddressTabByte (MALICIOUS ARRAY)+6) ; i = j ; } SSD Team-Xlim

  19. A ghost in the stack • Modify the CAP file to change the value of the index of the locals: public void ModifyStack (byte[] apduBuffer, APDU apdu, short a) { short i=(short) 0xCAFE ; short j=(short) (getMyAddressTabByte (MALICIOUS ARRAY)+6) ; i = j ; } SSD Team-Xlim

  20. Return address • You changed the return address with a hostile array address, • It is the scrambled address ! The VM unscramble it ! • At the return you jump outside the method…! • Countermeasures: – Checks the index of the locals, – Check the jump, – Implement differently the stack (as a linked list for example), SSD Team-Xlim

  21. Discovering the API • Rich shell-codes need to access to the API e.g . sendAPDU, getKEY ,… • The linker is embedded in the card, the linked address are never accessible, • Need to lure the embedded linker to get this information, • Process: – Modify the CAP file (Method, Constant Pool & Reference Location) – Extract automatically the desired address from the stack, – Store it in the APDU buffer and send it. SSD Team-Xlim

  22. Linking step [ … ] .ConstantPoolComponent { [ … ] 0006 - ConstantStaticMethodRef : ExternalStaticMethoddRef : packageToken 80 classToken 10 token 6 } Method referenced by the token 0006 [ … ] .MethodComponent { [ … ] Constant Pool reference (token) @008a invokestatic 0006 [ … ] } [ … ] .ReferenceLocationComponent { [ … ] offsets_to_byte2_indices = { [ … ] @008b Offset of the token [ … ] } [ … ] } [ … ] SSD Team-Xlim

  23. Linking step [ … ] .ConstantPoolComponent { [ … ] 0006 - ConstantStaticMethodRef : ExternalStaticMethoddRef : packageToken 80 classToken 10 token 6 } [ … ] .MethodComponent { [ … ] Real address of the method #8553 invokestatic 0539 [ … ] } [ … ] .ReferenceLocationComponent { [ … ] offsets_to_byte2_indices = { [ … ] @008b [ … ] } [ … ] } [ … ] SSD Team-Xlim

  24. The attack Original code Call to the referenced method [ … ] Token @008a invokestatic 0006 @008d bspush 2a Push the byte 0x2a as a signed short on the stack @008f sreturn [ … ] Return the top of the stack Output 0x002a SSD Team-Xlim

  25. The attack Modified code [ … ] Push the resolved token on the stack @008a sspush 0006 @008d nop @008e nop @008f sreturn Return the top of the stack [ … ] Output 0x0539 SSD Team-Xlim

  26. Is the on board linker a compiler ? • You know all the pairs (token, address) • Design a code with only well chosen tokens, • The card generates the code to attack itself … ! SSD Team-Xlim

  27. Perturbation • Perturbation attacks change the normal behaviour of an IC in order to create an exploitable error • The behaviour is typically changed either by applying an external source of energy during the operation, • For attackers, the typical external effects on an IC running a software application are as follows – Modifying a value read from memory during the read operation, (transient) – Modification of the Eeprom values, (permanent) – Modifying the program flow, various effects can be observed: • Skipping an instruction, Inverting a test, Generating a jump, Generating calculation errors SSD Team-Xlim

Recommend

9. Quand Je Serai Grand(e): Using The Future 9.1 Reminder: Le Futur Proche 9.2 The Future Tense

9. Quand Je Serai Grand(e): Using The Future 9.1 Reminder: Le Futur Proche 9.2 The Future Tense

9. Quand Je Serai Grand(e): Using The Future 9.1 Reminder: Le Futur Proche 9.2 The Future Tense (Regular and Irregular Verbs) 9.3 Interrogative Pronouns 9.1 Reminder: Le Futur Proche To express events that will happen in the near future,

493 views • 27 slides
Supply Chain optimisation for Hospitality Andrew ONeill MIH Hosp Ho spit ital alit ity

Supply Chain optimisation for Hospitality Andrew ONeill MIH Hosp Ho spit ital alit ity

Supply Chain optimisation for Hospitality Andrew ONeill MIH Hosp Ho spit ital alit ity y Solutions NI utions NI ww www.h .hospit ospital alit itysoluti ysolutionsni onsni.c .com om Introduction With the Hospitality Industry

169 views • 15 slides
Products available for hospitality hospitality Axminster a la Carte Choose from the design

Products available for hospitality hospitality Axminster a la Carte Choose from the design

hospitality Products available for hospitality hospitality Axminster a la Carte Choose from the design Liberary -Design book -Website floorart -USB stick -Designs from a la -Carte Book Axminster and Colortec Wilton Woven Printed

108 views • 10 slides
The w hat, w hy and how of long-term data preservation Ingrid Dillo Deputy Director DANS/

The w hat, w hy and how of long-term data preservation Ingrid Dillo Deputy Director DANS/

The w hat, w hy and how of long-term data preservation Ingrid Dillo Deputy Director DANS/ Member of RDA TAB e-IRG Workshop Long-term Sustainability Malta, 9 June 2017 dans.knaw.nl DANS is an institute of KNAW en NWO DANS organisation

571 views • 28 slides
anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an executable 2 anti-virus techniques last time: signature-based detection regular expression-like matching snippets of virus(-like) code heuristic

1.79k views • 139 slides
CORONAVIRUS COVID-19 ABOUT THE VIRUS We all know about it, but not everyone knows how serious it

CORONAVIRUS COVID-19 ABOUT THE VIRUS We all know about it, but not everyone knows how serious it

CORONAVIRUS COVID-19 ABOUT THE VIRUS We all know about it, but not everyone knows how serious it is: The virus is offjcially called SARS-CoV-2 It is suspected that the virus was transmitted by animals to humans There are more than

838 views • 51 slides
Le Lega gal is l issu sues es an and l d leg egal alit ity y ba barriers iers fo for

Le Lega gal is l issu sues es an and l d leg egal alit ity y ba barriers iers fo for

Le Lega gal is l issu sues es an and l d leg egal alit ity y ba barriers iers fo for sma mallh llhold older er pl plan anta tatio tion n ow owne ners rs in in La Lao P o PDR DR Dr Hilary Smith Co Contex ntext

409 views • 13 slides
Grapevine Virus Tales of Woe Not Just One Tale 11% of all vineyards have at least one block with

Grapevine Virus Tales of Woe Not Just One Tale 11% of all vineyards have at least one block with

Grapevine Virus Tales of Woe Not Just One Tale 11% of all vineyards have at least one block with known virus Virus in New Vines Newly planted vineyards with 1- 10% virus coming directly from the nursery. (Leafroll and Red Blotch)

303 views • 9 slides
COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus

COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus

COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus Worm Trojan Spyware Adware Messenger Service 2 VIRUS VIRUS A virus must meet two A computer virus is a small criteria:

525 views • 23 slides
ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1. CONSTRUCTING our TEACHING CHALLENGES in a low tech 1. ORCHESTRATION environment 1. SHOW-AND-TELL Selma Hamdani Psychology / DALC / Neuroscience

836 views • 50 slides
Viruses What is a virus? What is a virus? A small infectious agent that reproduces only

Viruses What is a virus? What is a virus? A small infectious agent that reproduces only

Viruses What is a virus? What is a virus? A small infectious agent that reproduces only within a host cell ( obligate intracellular parasites ) Infect all life forms, including bacteria Lack metabolic enzymes and equipment for making

228 views • 21 slides
Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus

Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus

Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus engines resulted in stronger virus scanners. Paper focuses on how virus creators have challenged virus scanners over the past decade. Evolution of

446 views • 16 slides
A A La Carte Emb mbedding: Ch Cheap but Effective Induction on of of Se Semantic Feature

A A La Carte Emb mbedding: Ch Cheap but Effective Induction on of of Se Semantic Feature

A A La Carte Emb mbedding: Ch Cheap but Effective Induction on of of Se Semantic Feature Vector ors Mikhail Khodak* ,1 , Nikunj Saunshi *,1 , Yingyu Liang 2 , Tengyu Ma 3 , Brandon Stewart 1 , Sanjeev Arora 1 1: Princeton University, 2:

636 views • 45 slides
ZIKA VIRUS WHAT IS IT? WHERE DID IT COME FROM? HOW DID IT GET HERE? L I L I A N A V . R I O S

ZIKA VIRUS WHAT IS IT? WHERE DID IT COME FROM? HOW DID IT GET HERE? L I L I A N A V . R I O S

ZIKA VIRUS WHAT IS IT? WHERE DID IT COME FROM? HOW DID IT GET HERE? L I L I A N A V . R I O S , M . D . I N F E C T I O U S D I S E A S E C O N S U L T A N T S EPIDEMIOLOGY A single stranded RNA virus Genus: Flavivirus

330 views • 22 slides
COVID 19 what is it all about ? CORONA VIRUS ELECTRON MICROSCOPE VIRUS REPLICATING

COVID 19 what is it all about ? CORONA VIRUS ELECTRON MICROSCOPE VIRUS REPLICATING

COVID 19 what is it all about ? CORONA VIRUS ELECTRON MICROSCOPE VIRUS REPLICATING COVID 19 IN THE LUNGS Infects 2 cell types: cilia and mucous cells Debris fills airways .. Cough, fever difficulty breathing Many

1.16k views • 83 slides
Phases 1-3 Virus Status Community spread of the virus is increasing and substantial. There is

Phases 1-3 Virus Status Community spread of the virus is increasing and substantial. There is

Governor Gretchen Whitmer MI SAFE START Phases 1-3 Virus Status Community spread of the virus is increasing and substantial. There is concern about health system capacity. Testing and tracing efgorts may not be

338 views • 18 slides
Probl` emes inverses ` a la fronti` ere pour l equation de Beltrami dans des domaines

Probl` emes inverses ` a la fronti` ere pour l equation de Beltrami dans des domaines

Probl` emes inverses ` a la fronti` ere pour l equation de Beltrami dans des domaines plans, approximation dans des classes de Hardy g en eralis ees Juliette Leblond projet APICS joint work with L. Baratchart, S. Rigat, E.

652 views • 26 slides
M arcel Aym est n le 29 mars 1902 Joigny, dans lYonne, o son pre, matre

M arcel Aym est n le 29 mars 1902 Joigny, dans lYonne, o son pre, matre

Marcel Aym (1902-1967) 1 Biographie M arcel Aym est n le 29 mars 1902 Joigny, dans lYonne, o son pre, matre marchal-ferrant dans un rgiment de Dragons, tait en garnison. Il tait le benjamin de six enfants et ses

454 views • 7 slides
Mosquito Control Strategy March 15, 2016 maricopa-az.gov Mosquito Mosquito viruses West

Mosquito Control Strategy March 15, 2016 maricopa-az.gov Mosquito Mosquito viruses West

Community Services Mosquito Control Strategy March 15, 2016 maricopa-az.gov Mosquito Mosquito viruses West Nile virus St. Louis Encephalitis virus Chikungunya virus Dengue virus Zika virus Yellow Fever

234 views • 8 slides
cGMP virus manufacture and evolving release tests Eleanor Berrie QP First in Man Virus

cGMP virus manufacture and evolving release tests Eleanor Berrie QP First in Man Virus

cGMP virus manufacture and evolving release tests Eleanor Berrie QP First in Man Virus Manufacturing, University of Oxford (UK) CAT-ESGCT Satellite Workshop 27 October 2011 Advanced Therapy Medicinal Products: from Promise to Reality

219 views • 19 slides
Ea East Portlan land R Resili liency cy C Coal alit ition ( (EP EPRC) Opportunity to

Ea East Portlan land R Resili liency cy C Coal alit ition ( (EP EPRC) Opportunity to

Ea East Portlan land R Resili liency cy C Coal alit ition ( (EP EPRC) Opportunity to expand on existing neighborhood collaboration Build connections between groups working in East Portland Create new, innovative projects at

334 views • 6 slides
Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus Techniques } Virus writers have devised numerous methods of resisting anti-virus software and making life difficult for anti-virus researchers }

554 views • 53 slides
la carte Entropy Derek M. Jones <derek@knosof.co.uk> Background Researchers' go to

la carte Entropy Derek M. Jones <derek@knosof.co.uk> Background Researchers' go to

la carte Entropy Derek M. Jones <derek@knosof.co.uk> Background Researchers' go to topic when they have no idea what else to talk about http://shape-of-code.coding-guidelines.com/2015/04/04/entropy-

250 views • 12 slides
L ABLATION DANS LES ABLATION DANS LES L ARYTHMIES ARYTHMIES SUPRAVENTRICULAIRES

L ABLATION DANS LES ABLATION DANS LES L ARYTHMIES ARYTHMIES SUPRAVENTRICULAIRES

L ABLATION DANS LES ABLATION DANS LES L ARYTHMIES ARYTHMIES SUPRAVENTRICULAIRES SUPRAVENTRICULAIRES PROF L DE ROY UNIVERSITE DE LOUVAIN BELGIQUE AV NODE ABLATION AV NODE ABLATION RF ON ACCESSORY PATHWAYS ACCESSORY PATHWAYS RF

1.22k views • 43 slides

More recommend