A Generic Approach for Protecting Java Card TM Smart Card Against Software Attacks Guillaume BOUFFARD PhD Defenced the 10 th of October, 2014 Supervised by Pr. Jean-Louis Lanet guillaume.bouff[email protected]Prix de thèse CNRS 2015 Action: « Objects intelligents Sécurisés et Internet des Objets » June 17 th , 2015 institut de recherche Guillaume BOUFFARD A Generic Approach for Protecting Java Card TM Smart Card Against Software Attacks 1/30 1 / 30
63
Embed
A Generic Approach for Protecting Java Card Smart Card ...cedric.cnam.fr/workshops/iot-cybersecurite-cyber... · A Generic Approach for Protecting Java CardTM Smart Card Against Software
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
A Generic Approach for Protecting Java CardTMSmart Card Against Software Attacks
Guillaume BOUFFARD
PhD Defenced the 10th of October, 2014Supervised by Pr. Jean-Louis Lanet
ContributionFault Tree AnalysisSmart Card Vulnerability Analysis using Fault Tree AnalysisCorrupting the Java Card’s Control FlowSecurity Automatons to Protect the Java Card Control Flow
Conclusion
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 2/302/30
The Smart Card
I Used in our everyday life:◦ Credit Card;◦ (U)SIM Card;◦ Health Card (French Vitale card);◦ Pay TV;◦ . . .
I Tamper-Resistant Computer;I Securely stores and processes information;I Most of the smart cards are based on Java
Card technology.
This device contains sensitive data
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 3/303/30
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 4/304/30
Java Card Attacks
Physical attacksI Side Channel attacks (timing
attacks, power analysis attack,etc.);
I Fault attacks (electromagneticinjection, laser beam injection,etc.).
Logical attacksI Execution of malicious Java
Card byte codes.
Combined attacksI Mix of physical and logical
attacks.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 5/305/30
Problematic
I Inductive Approach:◦ 1 attack = 1 countermeasure;◦ Bottom-up approach.
I Thesis Objectives:◦ Find and prevent each undesirable events;◦ Global vision to protect the smart card’s assets;◦ Design a top-down analytic approach.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 6/306/30
Problematic
I Inductive Approach:◦ 1 attack = 1 countermeasure;◦ Bottom-up approach.
I Thesis Objectives:◦ Find and prevent each undesirable events;◦ Global vision to protect the smart card’s assets;◦ Design a top-down analytic approach.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 6/306/30
The Fault Tree Analysis (FTA)
Root unde-sirable event
Intermediateundesir-
able event
Effect 3Effect 2
E1
Effect 1
E1
I Undesirable events;I Initial causes;I Gate connectors.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 7/307/30
The Fault Tree Analysis (FTA)
Root unde-sirable event
Intermediateundesir-
able event
Effect 3Effect 2
E1
Effect 1
E1
I Undesirable events;I Initial causes;I Gate connectors.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 7/307/30
The Fault Tree Analysis (FTA)
Root unde-sirable event
Intermediateundesir-
able event
Effect 3Effect 2
E1
Effect 1
E1
I Undesirable events;I Initial causes;I Gate connectors.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 7/307/30
The Fault Tree Analysis (FTA)
Root unde-sirable event
Intermediateundesir-
able event
Effect 3Effect 2
E1
Effect 1
E1
I Undesirable events;I Initial causes;I Gate connectors.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 7/307/30
Smart Card’s Assets
I The smart card’s assets are the code and the data;I Security properties:◦ Integrity;◦ Confidentiality;
I Undesirable events can affect:◦ Code integrity;◦ Data integrity;◦ Code confidentiality;◦ Data confidentiality;
An attack offers the execution of a malicious byte code.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 8/308/30
Smart Card’s Assets
I The smart card’s assets are the code and the data;I Security properties:◦ Integrity;◦ Confidentiality;
I Undesirable events can affect:◦ Code integrity;◦ Data integrity;◦ Code confidentiality;◦ Data confidentiality;
An attack offers the execution of a malicious byte code.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 8/308/30
Execution of a malicious code
Execution of amalicious code
Control flowcorruption
Typeconfusion
Invoking anunexpectedfunction
Foolingthe
exceptionmechanism
Corruptingfinally-clause
Faultytable
jumpingoperations
Corruptingthe
branchinginstructions
RA
FrameCorruption
Confusinginvoker’sstate
Contextcorruption
Returnaddress
modification
Code desynchronisation
RA
I For this presentation, two vulnerabilities will be introduced:◦ Modifying the return address;◦ Corrupting the finally-clause.
I Thanks to minimal cut set, a countermeasure to protect theexecution flow was developed: the security automatons.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 9/309/30
Execution of a malicious code
Execution of amalicious code
Control flowcorruption
Typeconfusion
Invoking anunexpectedfunction
Foolingthe
exceptionmechanism
Corruptingfinally-clause
Faultytable
jumpingoperations
Corruptingthe
branchinginstructions
RA
FrameCorruption
Confusinginvoker’sstate
Contextcorruption
Returnaddress
modification
Code desynchronisation
RA
I For this presentation, two vulnerabilities will be introduced:◦ Modifying the return address;◦ Corrupting the finally-clause.
I Thanks to minimal cut set, a countermeasure to protect theexecution flow was developed: the security automatons.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 9/309/30
Execution of a malicious code
Execution of amalicious code
Control flowcorruption
Typeconfusion
Invoking anunexpectedfunction
Foolingthe
exceptionmechanism
Corruptingfinally-clause
Faultytable
jumpingoperations
Corruptingthe
branchinginstructions
RA
FrameCorruption
Confusinginvoker’sstate
Contextcorruption
Returnaddress
modification
Code desynchronisation
RA
I For this presentation, two vulnerabilities will be introduced:◦ Modifying the return address;◦ Corrupting the finally-clause.
I Thanks to minimal cut set, a countermeasure to protect theexecution flow was developed: the security automatons.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 9/309/30
Execution of a malicious code
Execution of amalicious code
Control flowcorruption
Typeconfusion
Invoking anunexpectedfunction
Foolingthe
exceptionmechanism
Corruptingfinally-clause
Faultytable
jumpingoperations
Corruptingthe
branchinginstructions
RA
FrameCorruption
Confusinginvoker’sstate
Contextcorruption
Returnaddress
modification
Code desynchronisation
RA
I For this presentation, two vulnerabilities will be introduced:◦ Modifying the return address;◦ Corrupting the finally-clause.
I Thanks to minimal cut set, a countermeasure to protect theexecution flow was developed: the security automatons.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 9/309/30
Execution of a malicious codeExecution of amalicious code
Control flowcorruption
Typeconfusion
Invoking anunexpectedfunction
Foolingthe
exceptionmechanism
Corruptingfinally-clause
Faultytable
jumpingoperations
Corruptingthe
branchinginstructions
RA
FrameCorruption
Confusinginvoker’sstate
Contextcorruption
Returnaddress
modification
Code desynchronisation
RA
SecurityAutomatons
I For this presentation, two vulnerabilities will be introduced:◦ Modifying the return address;◦ Corrupting the finally-clause.
I Thanks to minimal cut set, a countermeasure to protect theexecution flow was developed: the security automatons.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 9/309/30
The Java Method Return
“ The current frame is used in this case to restore the state ofthe invoker, including its local variables and operand stack,with the program counter of the invoker appropriatelyincremented to skip past the method invocation instruction.Execution then continues normally in the invoking method’sframe with the returned value (if any) pushed onto the operandstack of that frame. (source: Java 8 Virtual Machine Specification) ”
I A frame header may include:
◦ Previous frame’s size;◦ Program counter of the
invoker (the return address) ;◦ Security context of the
invoker.
Operand stack
Header data
Local variables
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 10/3010/30
The Java Method Return
“ The current frame is used in this case to restore the state ofthe invoker, including its local variables and operand stack,with the program counter of the invoker appropriatelyincremented to skip past the method invocation instruction.Execution then continues normally in the invoking method’sframe with the returned value (if any) pushed onto the operandstack of that frame. (source: Java 8 Virtual Machine Specification) ”
I A frame header may include:
◦ Previous frame’s size;◦ Program counter of the
invoker (the return address) ;◦ Security context of the
invoker.
Operand stack
Header data
Local variables
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 10/3010/30
EMAN2: A Ghost In the StackI Modifying the return address;
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 11/3011/30
EMAN2 and Its Avatars
I Stack overflow from the local variables [Bouffard et al., CARDIS 2011]
◦ sstore, sinc, etc.;
I Stack underflow from the operand stack [Faugeron, CARDIS 2013]
◦ dup_x, swap_x, etc.;
I Countermeasures from the literature:◦ Checking the integrity of the frame’s header data;◦ Verifying each access to the frame’s areas [Lackner et al., CARDIS 2012];◦ Scrambling the memory [Barbu’s PhD Thesis, 2012] [Razafindralambo et al.,
SNDS 2012];◦ These countermeasures are at the same level than the attacks which
they prevent;
I This attack modifies the Java Program Counter value upon thereturn address register. Recent smart cards embed countermeasuresagainst this attack! . . . only the path is protected;
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 12/3012/30
EMAN2 and Its Avatars
I Stack overflow from the local variables [Bouffard et al., CARDIS 2011]
◦ sstore, sinc, etc.;
I Stack underflow from the operand stack [Faugeron, CARDIS 2013]
◦ dup_x, swap_x, etc.;
I Countermeasures from the literature:◦ Checking the integrity of the frame’s header data;◦ Verifying each access to the frame’s areas [Lackner et al., CARDIS 2012];◦ Scrambling the memory [Barbu’s PhD Thesis, 2012] [Razafindralambo et al.,
SNDS 2012];◦ These countermeasures are at the same level than the attacks which
they prevent;I This attack modifies the Java Program Counter value upon the
return address register. Recent smart cards embed countermeasuresagainst this attack! . . . only the path is protected;
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 12/3012/30
The finally-Clause
I A finally-statement used the jsr (“jump to subroutine”) andret (“return from subroutine”) instructions (deprecated sinceJava 6) ;
I The jsr pushes the address of the instruction immediatelyfollowing it (typed as ReturnAddress);
I Saves the return value (if any) in a local variable;I The ret instruction continues the execution from the value saved
in the local variable.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 13/3013/30
Corrupting the finally-ClauseCorrupting
finally-clause
Malicious code
Code modification
Fault InjectionType confusion
No typed heap[Bouffard et al.,CARDIS 2014]
No typed stack
No BCV
Setting a creepyReturnAddress
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 14/3014/30
How to Exploit the jsr instruction?
I Hypothesis:◦ No verified by a BCV◦ No typed stack
[ INFO: ] Verifying CAP file maliciousCAPFile.cap[ INFO: ] Verification completed with 0 warnings and 0 errors.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 17/3017/30
. . . Can Be Executed
I EMAN4 [Bouffard et al., CARDIS 2011] introduced a way to change aninstruction’s parameter upon a laser beam injection;◦ This attack focuses on wide instructions;◦ goto_w, if_*_w, . . .
I if_scmpeq_w 0xFF05
⇒ if_scmpeq_w 0x0005
I That can be viewed as a logical attack enabler.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 18/3018/30
. . . Can Be Executed
I EMAN4 [Bouffard et al., CARDIS 2011] introduced a way to change aninstruction’s parameter upon a laser beam injection;◦ This attack focuses on wide instructions;◦ goto_w, if_*_w, . . .
I if_scmpeq_w 0xFF05
⇒ if_scmpeq_w 0x0005I That can be viewed as a logical attack enabler.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 18/3018/30
. . . Can Be Executed
I EMAN4 [Bouffard et al., CARDIS 2011] introduced a way to change aninstruction’s parameter upon a laser beam injection;◦ This attack focuses on wide instructions;◦ goto_w, if_*_w, . . .
I if_scmpeq_w 0xFF05 ⇒ if_scmpeq_w 0x0005
I That can be viewed as a logical attack enabler.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 18/3018/30
. . . Can Be Executed
I EMAN4 [Bouffard et al., CARDIS 2011] introduced a way to change aninstruction’s parameter upon a laser beam injection;◦ This attack focuses on wide instructions;◦ goto_w, if_*_w, . . .
I if_scmpeq_w 0xFF05 ⇒ if_scmpeq_w 0x0005I That can be viewed as a logical attack enabler.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 18/3018/30
Protecting the Execution Flow
I Direct modification:◦ Integrity → can be bypassed when the JPC is updated by the JCVM;
I Transient fault:◦ Executing twice the same piece of code;◦ It is a very expensive solution;
I Solution: dynamically check the applet’s CFG:◦ Séré’s countermeasures [Séré’s PhD thesis, 2010] based on Field of bits,
Basic block method or Path check technique;◦ This kind of countermeasure can be computed in the card?
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 19/3019/30
Security Automatons and Execution MonitorPrinciple
I Detecting a deviant behaviour ⇒ safety property “nothing badhappens”;
I Preventing some attacks: several partial traces of events aredefined:◦ Property can be encoded by a finite state automaton;
I Schneider automatons: (Q, q0, δ), where Q is a set of states, qo isthe initial state and δ is a transition function (Q · I)→ 2Q);
I The CFG can be computed during the loading process;I When interpreting a byte code, the monitor checks:◦ If the transition generates an authorized partial trace;◦ If not, it takes an appropriate countermeasure.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 20/3020/30
Security Automatons and Execution Monitor (Cont.)Principle
q0start
q1
q2
δ3
δ1
δ2
δ4
δ5
Security automaton(computed inside the card)
State q0 q1 q2q0 δ1 δ3q1 δ2q2 δ5 δ4
State matrix (binary implementationof the security automaton)
I [Bouffard et al., SSCC 2013], [Bouffard et al., SAR-SSI 2013] and extended in[Bouffard et al., IJTMCC 2014].
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 21/3021/30
Security Automaton in Practiceprotected Protocolpayment (byte[] buffer, short offset, byte length) {
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 25/3025/30
The Security Automaton
I The execution flow is checked by the security automaton upon afinite state machine;
I Each transition is verified by the execution monitor;I The CFG can be automatically computed by the loading process;I The CFG can be encoded upon a sparse matrix → optimised solution
to store the CFGI The JCVM and the loader should be modified to handle
automatons.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 26/3026/30
Conclusion
I This thesis aimed at designing efficient and affordablecountermeasure using a top-down approach;
I It is based on the Fault Tree Analysis which this approach aims atbeing generic;
I We identified major undesirable events:◦ We discovered new attack paths, someones are generic;◦ And introduced high level-countermeasures.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 27/3027/30
Conclusion (Cont.)
I We focused on the code integrity:◦ Modification of the control flow;◦ Corruption of the Java Card Linker [Hamadouche et al., SAR-SSI 2012],
[Razafindralambo et al., SNDS 2012] and [Bouffard et al., CRiSIS 2013];
I Each evaluated attacks succeeded on different cards◦ Bottom-up approach ?◦ We wear a white hat;
I Our approach aims at helping card manufacturers to clearly identifythe assets to protect.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 28/3028/30
Thank you for your attention!Questions?
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 29/3029/30
Publications
During my PhD thesis, I have co-written 27 publications:I 2 book chapters;I 5 journal articles;I 3 invited conferences;I 12 articles in international conferences with review and proceedings;I 4 articles in national conferences with review and proceedings;I 1 articles in national conferences with review and without
proceeding;I 1 posters.
Guillaume BOUFFARD A Generic Approach for Protecting Java CardTM Smart Card Against Software Attacks 30/3030/30