Abstract
In this paper we discuss the operating system security measures of a commercial .NET smart card for mitigating the risks of malicious smart card applications. We also investigate how these security measures relate to the card-resident binary by analysing its proprietary file format in order to develop a new vulnerability research tool for .NET card applications. This tool enables us to modify compiled card applications to create vulnerability research test cases. We then present the details of the vulnerabilities in the target .NET virtual machine (VM) that were discovered using this tool. The vulnerabilities relate to potential misuse of administrator privileges; we therefore conclude by recommending countermeasures to be implemented in the card manager application and the .NET VM to fix those vulnerabilities.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Fouladi, B., Markantonakis, K., Mayes, K. (2014). Vulnerability Analysis of a Commercial .NET Smart Card. In: Francillon, A., Rohatgi, P. (eds) Smart Card Research and Advanced Applications. CARDIS 2013. Lecture Notes in Computer Science, vol 8419. Springer, Cham. https://doi.org/10.1007/978-3-319-08302-5_9
DOI: https://doi.org/10.1007/978-3-319-08302-5_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08301-8
Online ISBN: 978-3-319-08302-5
eBook Packages: Computer Science, Computer Science (R0)