Hiding a fault enabled virus through code construction

Original Paper, Journal of Computer Virology and Hacking Techniques

Abstract

Smart cards are very secure devices designed to execute applications and store confidential data. They are therefore the target of many hardware and software attacks that try to bypass their embedded security mechanisms in order to reach the sensitive data they store. Recently, a new kind of attack, the combined attack, has appeared. It induces a perturbation in the application's execution environment: a correct, legitimate application, once loaded into the card, can be dynamically turned into a hostile one by a fault injection. In this paper, we treat the problem from the other direction: how can one design innocent-looking code so that it intentionally becomes hostile once activated by a fault injection? We present an original approach of backward code construction based on constraint satisfaction and a tree-traversal algorithm. We then optimize the search process by introducing heuristics for faster convergence towards more realistic solutions. The approach is implemented in a Trace Generator tool. Finally, we evaluate its capacity to generate the required solutions and give a proof of concept of the code desynchronization technique.
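The mechanism the abstract describes, code desynchronization plus backward construction under constraints, can be shown on a toy scale. The following is an added example written for this page; it is not the paper's Trace Generator, nor any code or data from the authors. Everything in it is an assumption of the example: the instruction table is a small subset modelled on Java Card bytecode (opcode values as recalled from the JCVM specification, to be checked against it before reuse), the fault model forces one chosen byte to 0x00 (nop), the "benign" allow-list stands in for whatever a reviewer or verifier would accept, the payload is constructed, and the "longest operands first" ordering is this example's heuristic, not the paper's.

```python
"""Toy model of code desynchronization triggered by a single injected fault.

Added illustration, not the paper's Trace Generator or its data.  Assumed: a
small instruction table modelled on a subset of Java Card bytecode (opcode
values as recalled from the JCVM specification; check them before reuse), a
fault model that forces one chosen byte to 0x00 (nop), and a hand-picked
allow-list of "benign" opcodes standing in for what a reviewer would accept.
"""
from typing import Dict, List, Optional, Tuple

# opcode -> (mnemonic, number of operand bytes); subset only
ISA: Dict[int, Tuple[str, int]] = {
    0x00: ("nop", 0), 0x03: ("sconst_0", 0), 0x04: ("sconst_1", 0),
    0x05: ("sconst_2", 0), 0x06: ("sconst_3", 0), 0x07: ("sconst_4", 0),
    0x08: ("sconst_5", 0), 0x10: ("bspush", 1), 0x11: ("sspush", 2),
    0x16: ("sload", 1), 0x1c: ("sload_0", 0), 0x1d: ("sload_1", 0),
    0x29: ("sstore", 1), 0x3b: ("pop", 0), 0x3d: ("dup", 0),
    0x41: ("sadd", 0), 0x45: ("smul", 0), 0x70: ("goto", 1),
    0x78: ("sreturn", 0), 0x7a: ("return", 0), 0x8d: ("invokestatic", 2),
}
# What an auditor accepts in a "compute a value and return it" method.
BENIGN = [0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x10, 0x11, 0x16, 0x1c, 0x1d,
          0x29, 0x3b, 0x3d, 0x41, 0x45, 0x78, 0x7a]
RETURNS = {0x78, 0x7a}


def disassemble(code: bytes) -> List[Tuple[int, str, bytes]]:
    """Linear-sweep decode from offset 0; stops at an unknown opcode ('??')."""
    out, off = [], 0
    while off < len(code):
        if code[off] not in ISA:
            out.append((off, "??", code[off:off + 1]))
            break
        name, n = ISA[code[off]]
        out.append((off, name, code[off + 1:off + 1 + n]))
        off += 1 + n
    return out


def inject_fault(code: bytes, k: int) -> bytes:
    """Assumed fault model: the byte at offset k is forced to 0x00 (nop)."""
    return code[:k] + b"\x00" + code[k + 1:]


def non_benign(code: bytes) -> List[str]:
    """Decoded mnemonics that are off the allow-list (nop is ignored: the
    fault leaves it behind, the applet author never wrote it)."""
    return [name for off, name, _ in disassemble(code)
            if name != "nop" and (name == "??" or code[off] not in BENIGN)]


def build_carrier(payload: bytes, k: int, max_len: int = 16) -> Optional[bytes]:
    """Backward construction: depth-first tree traversal under constraints.

    Returns bytes that decode to an all-BENIGN method ending in a return, such
    that inject_fault(code, k) makes the decoder read `payload` from offset
    k+1.  Bytes overlapping the payload pin the opcode or operand chosen there;
    byte k must open a multi-byte instruction or nop-ing it shifts nothing.
    """
    end = k + 1 + len(payload)              # first offset after the payload

    def wanted(p: int) -> Optional[int]:
        """Byte value forced at offset p by the payload, or None if free."""
        return payload[p - k - 1] if k < p < end else None

    # Heuristic (this example's, not the paper's): try instructions with the
    # most operand bytes first, operands being the cheapest hiding place.
    domain = sorted(BENIGN, key=lambda op: -ISA[op][1])

    def dfs(code: bytearray, last_op: Optional[int]) -> Optional[bytes]:
        off = len(code)
        if off >= end and last_op in RETURNS:
            return bytes(code)
        for op in domain:
            n = ISA[op][1]
            if off + 1 + n > max_len or off < k <= off + n:  # too long / straddles fault
                continue
            if off == k and n == 0:             # faulted byte must open a multi-byte op
                continue
            if off >= end and op not in RETURNS:  # payload placed: only a return may follow
                continue
            w = wanted(off)
            if w is not None and w != op:       # opcode byte pinned by the payload
                continue
            # pinned operand bytes copy the payload, free ones default to 0x00
            operands = [wanted(p) or 0x00 for p in range(off + 1, off + 1 + n)]
            code.extend([op] + operands)
            found = dfs(code, op)
            if found is not None:
                return found
            del code[off:]                      # backtrack
        return None

    return dfs(bytearray(), None)


if __name__ == "__main__":
    # Constructed payload: invokestatic #0x0007 ; sreturn, a call the
    # innocent-looking method never makes on its own.
    payload = bytes([0x8d, 0x00, 0x07, 0x78])
    carrier = build_carrier(payload, k=0)
    assert carrier is not None
    for label, code in (("as loaded", carrier), ("after fault", inject_fault(carrier, 0))):
        print(label, code.hex(), disassemble(code), "suspicious:", non_benign(code))
```

Running the script finds `11 8d 00 07 78`, which reads as `sspush 0x8d00; sconst_4; sreturn` and passes the allow-list audit; after the first byte is forced to nop the same bytes read as `nop; invokestatic #0x0007; sreturn`. The check a practitioner wants from this is the second audit: a load-time allow-list or verifier that only decodes the intended instruction boundaries never sees the post-fault stream, so operand bytes have to be treated as potential opcodes (for instance by re-decoding the method from every offset) if this class of carrier is to be caught before loading.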



Notes

  1. A CAP (Converted Applet) file is a converted Class file format adapted to resource-limited devices.

  2. Available at: https://bitbucket.org/ssd/capmap-free.

  3. A JCA (Java Card Assembly) file is a text representation of the contents of a CAP file.


Author information

Corresponding author: Samiya Hamadouche.


Cite this article

Hamadouche, S., Lanet, J.-L. & Mezghiche, M. Hiding a fault enabled virus through code construction. J Comput Virol Hack Tech 16, 103–124 (2020). https://doi.org/10.1007/s11416-019-00340-z
