Vulnerability Analysis of a Commercial .NET Smart Card

  • Conference paper
Smart Card Research and Advanced Applications (CARDIS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8419)

Abstract

In this paper we discuss the operating system security measures of a commercial .NET smart card for mitigating the risks of malicious smart card applications. We also investigate how these security measures relate to the card-resident binary by analysing its proprietary file format to develop a new vulnerability research tool for .NET card applications. This tool enables us to modify compiled card applications to create vulnerability research test cases. We then present the details of the vulnerabilities in the target .NET virtual machine (VM) that were discovered using this tool. The vulnerabilities relate to potential misuse of administrator privileges; we therefore conclude by recommending countermeasures to be implemented in the card manager application and the .NET VM to fix those vulnerabilities.

Author information

Corresponding author

Correspondence to Behrang Fouladi.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Fouladi, B., Markantonakis, K., Mayes, K. (2014). Vulnerability Analysis of a Commercial .NET Smart Card. In: Francillon, A., Rohatgi, P. (eds) Smart Card Research and Advanced Applications. CARDIS 2013. Lecture Notes in Computer Science, vol 8419. Springer, Cham. https://doi.org/10.1007/978-3-319-08302-5_9

  • DOI: https://doi.org/10.1007/978-3-319-08302-5_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08301-8

  • Online ISBN: 978-3-319-08302-5

  • eBook Packages: Computer Science, Computer Science (R0)
