Reverse engineering a Java Card memory management algorithm

Smart cards are tamper-resistant devices that manipulate assets in a secure way. Among these assets, one is of particular interest: the native layers. While some attacks have succeeded in gaining access to the applicative layer, very few have reached the native layers. We propose here to use applicative programs to perform data reverse engineering in order to understand the hidden algorithms that manage memory allocation. We are then able to generate our own fake references to objects, which the system manipulates as if they were legal objects. We then propose a new attack, called auto-forges, that leads the system to interpret its own data or program as valid Java metadata. This attack provides access to new memory fragments where the native layers are stored. Getting access to this asset allows us to start the reverse engineering of these native layers.
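The data reverse engineering step above amounts to collecting the references the card hands back for allocations of known sizes and fitting an allocator model to them. The following is an added illustration, not code from the paper: it assumes a hypothetical bump allocator with a fixed per-object header and a fixed alignment, and the observation values are constructed for the example (a real card's layout, header size and reference encoding would have to be recovered from its own dumps). Once the model fits every observed allocation, it predicts the reference of the next object and enumerates which values are legal object references, which is the information needed before a forged reference can be made to look like a legal object.

```python
from itertools import product

# Constructed observations (hypothetical card): each tuple is the size in bytes
# requested by the applet (e.g. new byte[n]) and the reference value observed
# for the resulting object. Allocations are assumed to be consecutive.
OBSERVATIONS = [
    (1, 0x8100),
    (5, 0x8108),
    (16, 0x8114),
    (3, 0x8128),
    (32, 0x8130),
]


def _round_up(n, align):
    return (n + align - 1) // align * align


def infer_allocator(observations, headers=range(0, 17), aligns=(1, 2, 4, 8, 16)):
    """Return every (header, align) pair consistent with all consecutive deltas.

    Model (assumption): next_ref - ref == header + round_up(size, align).
    A unique surviving pair means the observations pin down the allocator.
    """
    candidates = []
    for header, align in product(headers, aligns):
        consistent = all(
            next_ref - ref == header + _round_up(size, align)
            for (size, ref), (_, next_ref) in zip(observations, observations[1:])
        )
        if consistent:
            candidates.append((header, align))
    return candidates


def predict_next_reference(observations, header, align, size):
    """Reference the model predicts for the next allocation of `size` bytes."""
    last_size, last_ref = observations[-1]
    return last_ref + header + _round_up(last_size, align)


def legal_references(observations, header, align):
    """Set of reference values the model says point at a real object start."""
    refs = {ref for _, ref in observations}
    return refs


def is_forgeable_as_object(value, observations, header, align):
    """True if `value` coincides with a legal object start under the model.

    A forged reference that lands on an object start is indistinguishable,
    for the allocator, from a reference the applet legitimately obtained.
    """
    return value in legal_references(observations, header, align)


if __name__ == "__main__":
    fits = infer_allocator(OBSERVATIONS)
    print("consistent (header, align) models:", fits)
    header, align = fits[0]
    print("predicted next ref for 32 bytes:", hex(predict_next_reference(OBSERVATIONS, header, align, 32)))
    print("0x8114 is a legal object:", is_forgeable_as_object(0x8114, OBSERVATIONS, header, align))
    print("0x8116 is a legal object:", is_forgeable_as_object(0x8116, OBSERVATIONS, header, align))
```

With the constructed data only one model survives (a 4-byte header, 4-byte alignment), so the predicted reference of the next 32-byte object is determined; on a real card the same fit should be repeated across several sessions and object types, since the header size may differ between arrays, instances and transient objects, and the two-candidate or zero-candidate cases tell you the model is wrong, not that the card is.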
