Date post: 23-Sep-2020
Automated Reverse Engineering using Lego®

Georg Chalupar and Stefan Peherstorfer, University of Applied Sciences Upper Austria
Erik Poll and Joeri de Ruiter, Radboud University Nijmegen
Joeri de Ruiter - Digital Security, Radboud University Nijmegen 2 / 19

Introduction

● Used automated learning techniques to reverse engineer e.dentifier2

● Results in state machines

● Previously done for bank cards

e.dentifier2

● Developed by Todos (now Gemalto)
● EMV-CAP
● Can be used with or without USB
● With USB:
  ● See-What-You-Sign
  ● “the most secure sign-what-you-see end user device ever seen”
● Good idea!

EMV-CAP

[Figure: EMV-CAP message sequence diagram. Labels as extracted: challenge; bitfilter(AC); PIN; GENERATE AC (challenge,...); AC; PIN; OK]

Protocol e.dentifier2

Automated learning

● Used LearnLib
  ● Implementation of adapted L* algorithm
● Complete Mealy machine
● Equivalence queries approximated
  ● Random traces
  ● W-method
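
How an equivalence query can be approximated with random traces, as an added example that is not code from the slides or from LearnLib. Both Mealy machines and their input/output names (DATA, OK, GEN) are constructed for illustration and are not the learned e.dentifier2 model.

```python
import random

# Constructed toy Mealy machines: state -> input -> (next_state, output).
# Hypothetical input/output names; neither is the learned e.dentifier2 model.
SUL = {  # stands in for the real device (system under learning)
    "idle":      {"DATA": ("shown", "ok"), "OK": ("idle", "nop"),      "GEN": ("idle", "error")},
    "shown":     {"DATA": ("shown", "ok"), "OK": ("confirmed", "ok"),  "GEN": ("idle", "error")},
    "confirmed": {"DATA": ("shown", "ok"), "OK": ("confirmed", "nop"), "GEN": ("idle", "cryptogram")},
}
HYP = {  # learner's current hypothesis: the "confirmed" state is still missing
    "idle":  {"DATA": ("shown", "ok"), "OK": ("idle", "nop"), "GEN": ("idle", "error")},
    "shown": {"DATA": ("shown", "ok"), "OK": ("shown", "ok"), "GEN": ("idle", "error")},
}
ALPHABET = ["DATA", "OK", "GEN"]

def run(machine, start, trace):
    """Feed an input trace to a Mealy machine and return its output sequence."""
    state, outputs = start, []
    for sym in trace:
        state, out = machine[state][sym]
        outputs.append(out)
    return outputs

def random_trace_counterexample(sul, hyp, start, n_traces=1000, max_len=8, seed=1):
    """Approximate an equivalence query; return a diverging input prefix, or None."""
    rng = random.Random(seed)
    for _ in range(n_traces):
        trace = [rng.choice(ALPHABET) for _ in range(rng.randint(1, max_len))]
        got, expected = run(sul, start, trace), run(hyp, start, trace)
        for i, (a, b) in enumerate(zip(got, expected)):
            if a != b:
                return trace[: i + 1]  # cut at the first differing output
    return None  # no difference found: evidence of equivalence, not proof

if __name__ == "__main__":
    print(random_trace_counterexample(SUL, HYP, "idle"))
```

A returned prefix is fed back to the learner to refine the hypothesis; a `None` result only means the sampled traces did not distinguish the two machines.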

Using automated learning

● Reverse engineering
  ● Manual inspection of correctness and security
● Fuzzing or model-based testing
  ● Use as basis for automated fuzz testing
● Formal verification
  ● Use as basis for model checking

Automated reverse engineering

● Two different versions of the device
● Programmable smart card
  ● All PIN codes accepted
  ● Responses fixed
● Physical interaction needed

Robot

● Built using Lego
● Controlled by Raspberry Pi
● 3 motors: OK, Cancel, digit
● Power USB line
● USB commands

Results

Model checking

● Converted output to labelled transition system
● Used model checker CADP
● Checked property in modal logic
  ● Is valid cryptogram generated only after OK button is pushed?
● Resulted in an attack trace for the old device
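
The kind of check described on this slide, as an added example that is not the authors' CADP setup: a breadth-first search over a learned Mealy machine combined with a small monitor for the property. The two models and the names DATA, OK, GEN and `cryptogram` are constructed for illustration; neither is the real device model, and the monitor assumes "after OK" means an OK press since the most recent DATA input.

```python
from collections import deque

# Constructed toy models: state -> input -> (next_state, output).
# Hypothetical names; these are not the models learned from either device.
STRICT = {
    "idle":      {"DATA": ("shown", "ok"), "OK": ("idle", "nop"),      "GEN": ("idle", "error")},
    "shown":     {"DATA": ("shown", "ok"), "OK": ("confirmed", "ok"),  "GEN": ("idle", "error")},
    "confirmed": {"DATA": ("shown", "ok"), "OK": ("confirmed", "nop"), "GEN": ("idle", "cryptogram")},
}
# Same model, except GEN is answered before the user has confirmed the data.
LAX = {**STRICT, "shown": {**STRICT["shown"], "GEN": ("idle", "cryptogram")}}

def find_violation(model, start):
    """Return the shortest input trace that yields 'cryptogram' with no OK
    since the last DATA, or None if the property holds on the model."""
    queue = deque([(start, False, [])])   # (state, ok_seen, inputs so far)
    seen = {(start, False)}
    while queue:
        state, ok_seen, trace = queue.popleft()
        for sym, (nxt, out) in model[state].items():
            if out == "cryptogram" and not ok_seen:
                return trace + [sym]      # counterexample trace
            # Monitor update: OK sets the flag, new DATA clears it.
            flag = True if sym == "OK" else False if sym == "DATA" else ok_seen
            if (nxt, flag) not in seen:
                seen.add((nxt, flag))
                queue.append((nxt, flag, trace + [sym]))
    return None

if __name__ == "__main__":
    print("STRICT:", find_violation(STRICT, "idle"))
    print("LAX:   ", find_violation(LAX, "idle"))
```

Because the search explores the product of model states and monitor flag exhaustively, a `None` result is a proof for the model, though only as trustworthy as the learned model itself.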

Conclusions

● Automated learning techniques
  ● Useful in security analysis for embedded devices
  ● Can automatically find security vulnerabilities
● Good excuse to play with Lego

Thanks for your attention!

