Inside .NET Smart Card Operating System
Uploaded by sensepost (category: Technology)
Transcript of Inside .NET Smart Card Operating System
![Page 2: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/2.jpg)
What is a smart card?
VS
![Page 3: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/3.jpg)
What is a smart card?
![Page 4: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/4.jpg)
Single Application Smart Cards
![Page 5: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/5.jpg)
Multi-Application Smart Card
Access Control
Identification
Card Parking
Cashless Payments
Computer Access
![Page 6: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/6.jpg)
Did you know?
• How many of you have Orange SIM cards?
• What applications are running on your SIM card?
• Any other apps working silently?
![Page 7: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/7.jpg)
Example: SIM Tracker Applet
• Operator's goal: sending the MMS/APN settings to the new handset
• Can also be used for investigation purposes
![Page 8: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/8.jpg)
In The News…
– Oyster card: Crypto-1 encryption algorithm attack, 2004
– Cambridge university: EMV relay attack, 2010
– Sykipot malware targeting US DoD smart cards, 2011-2012
![Page 9: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/9.jpg)
In The News…
![Page 10: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/10.jpg)
Why?
![Page 11: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/11.jpg)
Why?
• 8 billion smart cards by 2014
• The “Internet of Things”
• Chip-enabled mobile payments
• Hardware backdoors
• Malware is everywhere!
![Page 12: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/12.jpg)
Smart Card Firewall
![Page 13: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/13.jpg)
Multi-application Smart Card Platforms
MULTOS
.NET card
JavaCard
![Page 14: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/14.jpg)
.NET Smart Card
• First .NET virtual machine on the chip
• Native support in Windows 7 and Server 2008
• Used in:
– Smart card based corporate badges (Microsoft employees badge)
– Remote Access Control (USA DoD and UK MOD)
![Page 15: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/15.jpg)
.NET smart card overview
![Page 16: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/16.jpg)
.NET smart card security model
App Domain A
App Domain B
App Domain C
RSA Sig(A)
RSA Sig(B)
RSA Sig(C)
![Page 17: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/17.jpg)
Public Key Token
![Page 18: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/18.jpg)
Code Access Security
![Page 19: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/19.jpg)
Data Access Security
![Page 20: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/20.jpg)
Card application development
Deployment & Debugging
Communication (APDU)
![Page 21: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/21.jpg)
Card application development
.NET assembly
Converter Plug-in
Comm. Proxy
(1) Compiles program
(2) Conversion to card binary
(3) Signed card binary
(4) .NET remoting comm.
(5) APDU comm.
Vendor’s SDK
![Page 22: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/22.jpg)
How secure is .NET card?
• Has EAL5+ certified Infineon chip
• EAL certification is widely used by the smart card industry (EAL3 to EAL7)
• .NET card OS is designed to achieve EAL4+
• EAL4+ audit:
– takes 6 to 9 months, costs high tens of thousands to low hundreds of thousands of pounds
– includes independent penetration testing and source code review in some cases
• No published vulnerabilities so far
![Page 23: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/23.jpg)
Rev. Engineering For Vuln. Discovery
![Page 24: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/24.jpg)
Smart Card Vuln. research
• No chip OS binary is available
• Traditional tools (debuggers, disassemblers) are useless
• No publicly available testing tools
• Secure chips have sensors, shields, encryption
• On-card bytecode/IL code verifier
![Page 25: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/25.jpg)
“HiveMod” Tool
![Page 26: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/26.jpg)
HiveMod
• Vulnerability research tool, for:
– .NET card binary (Hive format) visualization
– Card binary manipulation
– Card binary re-signing
![Page 27: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/27.jpg)
.NET Card Binary
Compiler Header
Digital signature Header
Object counters Header
Namespaces reference table
Types reference table
Methods reference table
Fields reference table
Blob definitions
Type definitions
Method definitions
Program code (IL code)
RSA signature
![Page 28: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/28.jpg)
HIVE manipulation/fuzzing
![Page 29: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/29.jpg)
Manipulating Digital Signature Header
| offset | Field name | size |
|---|---|---|
| 32 | SHA1 hash of the full assembly | 20 |
| 52 | Public key token | 8 |
| 60 | RSA modulus length | 4 (len) |
| 64 | RSA public exponent | 4 |
| 68 | RSA modulus | len |
![Page 30: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/30.jpg)
Manipulating Digital Signature Header
PBKT=Reverse(Right(SHA1(RSA_modulus),8))
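An added example (not code from the talk or from HiveMod) that applies the slide's formula and the Digital Signature Header layout from the previous slide to the check the conclusions recommend: recompute the public key token from the RSA modulus stored in the header and compare it with the token field. It assumes the header offsets are relative to the start of the card binary and that the 4-byte modulus length is little-endian; the sample binary is constructed.

```python
import hashlib
import struct

# Digital Signature Header layout as listed on the slide.
# Assumption: offsets are relative to the start of the card binary.
OFF_SHA1 = 32      # 20 bytes: SHA1 hash of the full assembly
OFF_PKT = 52       # 8 bytes: public key token
OFF_MOD_LEN = 60   # 4 bytes: RSA modulus length (assumed little-endian)
OFF_EXP = 64       # 4 bytes: RSA public exponent
OFF_MOD = 68       # len bytes: RSA modulus


def public_key_token(modulus: bytes) -> bytes:
    """PBKT = Reverse(Right(SHA1(RSA_modulus), 8)): last 8 SHA1 bytes, reversed."""
    return hashlib.sha1(modulus).digest()[-8:][::-1]


def parse_signature_header(blob: bytes) -> dict:
    """Extract the header fields; reject a modulus length that runs past the binary."""
    mod_len = struct.unpack_from("<I", blob, OFF_MOD_LEN)[0]
    if OFF_MOD + mod_len > len(blob):
        raise ValueError("RSA modulus length exceeds binary size")
    return {
        "sha1": blob[OFF_SHA1:OFF_SHA1 + 20],
        "pkt": blob[OFF_PKT:OFF_PKT + 8],
        "exponent": struct.unpack_from("<I", blob, OFF_EXP)[0],
        "modulus": blob[OFF_MOD:OFF_MOD + mod_len],
    }


def pkt_matches_modulus(blob: bytes) -> bool:
    """True when the stored token is the one derived from the stored modulus.
    A mismatch means the token field was edited independently of the key."""
    hdr = parse_signature_header(blob)
    return hdr["pkt"] == public_key_token(hdr["modulus"])


def build_sample(modulus: bytes, pkt: bytes, exponent: int = 65537) -> bytes:
    """Constructed test binary: 32 zero bytes standing in for the compiler header,
    a zeroed SHA1 field, then the token, length, exponent and modulus."""
    return (bytes(32) + bytes(20) + pkt
            + struct.pack("<I", len(modulus)) + struct.pack("<I", exponent) + modulus)


# Constructed 1024-bit modulus (not a real key), used only to exercise the check.
SAMPLE_MODULUS = bytes((i * 37 + 11) & 0xFF for i in range(128))
```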
![Page 31: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/31.jpg)
Old school attack: Public Key Token Spoofing (Bypassing .NET card app Firewall)
![Page 32: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/32.jpg)
Attack Demo
Let’s use the HiveMod tool to test this vulnerability!
![Page 33: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/33.jpg)
![Page 34: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/34.jpg)
Manual testing vs. HiveMod
• Rev. engineering the SDK: ~2 months
• Hex editor for binary patching: frustrating
• Modified card binary needs to be signed
• Destroying at least 10 cards: ~200 Euros
![Page 35: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/35.jpg)
Real World Attack?
Parties: Employee, corporate cafeteria POS terminal, Attacker’s system
Card apps: Access control app, E-Purse app
Links: GSM (data) between the POS terminal and the attacker’s system
(1) Attacker plants malware in e-purse
(2) Payment
(3) Access control data exfiltration
(4) Save to card (no GSM access)
![Page 36: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/36.jpg)
Fiction or Real?
Document available on the internet
![Page 37: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/37.jpg)
Vendor’s Response
• “An attacker needs administration key to be able to upload his malicious application on the card. This key is normally securely stored in a HSM or a smart card based controller”.
![Page 38: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/38.jpg)
Vendor’s Response
• “Knowledge of the Public Key Token of the targeted application is required”.
![Page 39: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/39.jpg)
Vendor’s Response
• “The targeted application must use private file-system storage for its data to be exposed. Therefore, internal (Application Domain) storage is immune to such attack”.
byte[] key={0xaf,0x09,0x45,0x12,....};
![Page 40: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/40.jpg)
More Vulnerabilities...
• Unauthorized memory read in InitializeArray():
public static void InitializeArray(Array array, RuntimeFieldHandle fldHandle);
• Results: partial memory dump
• Destroys the card (no reliable exploitation yet)
![Page 41: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/41.jpg)
More Vulnerabilities...
![Page 42: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/42.jpg)
Conclusions
• Don’t worry!
• Check the apps’ PKTs for tampering.
• Use a secure card management system
• Smart card apps can be patched/updated, but not the card’s OS!
• Smart card OS, apps and card management software need pen tests too!
![Page 43: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/43.jpg)
Closing words
• HiveMod Tool would be available to Smart Card vendors and security researchers (contact [email protected])
![Page 44: Inside .NET Smart Card Operating System](https://reader033.fdocuments.us/reader033/viewer/2022061120/54664416af795988338b4fe6/html5/thumbnails/44.jpg)
Questions?