Reverse Engineering a Code without the Code: Reverse Engineering of a Java Card Dump

Retrieving assets from inside a secure element should be difficult. While the most attractive assets are the cryptographic keys stored in the Non Volatile Memory (NVM) area, the algorithms that are executed are also of interest. This means that the confidentiality of the binary code embedded in the Read Only Memory (ROM) of the device should also be protected against extraction and reverse engineering. Thanks to a previous attack, we obtained a dump of the NVM, but not of the ROM. In this paper, we demonstrate that we can reverse engineer the algorithms without having access to the code, by taking advantage of the object-oriented features of the platform. We only have access to the data. We use a specifically designed graphic tool to reason about the data, such that we are able to understand the principle of the algorithm. Then, we are able to bypass the protection mechanism in order to gain access to the binary code.
