An Observe-and-Detect Methodology for the Security and Functional Testing of Smart Card Applications

Germain Jolly, Sylvain Vernois, Christophe Rosenberger

Abstract

Smart cards are tamper resistant devices but vulnerabilities are sometimes discovered. We address in this paper the security and the functional testing of embedded applications in smart cards. We propose an original methodology for the evaluation of applications and we show its benefit by comparing it to a classical certification process. The proposed method is based on the observation of the APDU (Application Protocol Data Unit) communication with the smart card. Some specific properties are verified as a complementary method in the evaluation process and allows the on-the-fly detection of an anomaly and the reasons that triggered this anomaly during the test. Here are presented two uses of this method: a simple use to illustrate the use of properties to verify an implementation of an application and a more complex illustration by applying the fuzzing method to show what we can obtain with the proposed approach, i.e. an analysis of an anomaly.

References

  1. Aarts, F., De Ruiter, J., and Poll, E. (2013). Formal models of bank cards for free. In Software Testing, Verification and Validation Workshops (ICSTW), 2013 IEEE Sixth International Conference on, pages 461-468. IEEE.
  2. Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., et al. (2005). The key tool. Software & Systems Modeling, 4(1):32-54.
  3. Alimi, V., Vernois, S., and Rosenberger, C. (2014). Analysis of embedded applications by evolutionary fuzzing. In High Performance Computing & Simulation (HPCS), 2014 International Conference on, pages 551-557. IEEE.
  4. Alliance, S. C. (2011). Card payment roadmap in the united states: How will emv impact the future payments infrastructure? White Paper. February.
  5. Bekrar, S., Bekrar, C., Groz, R., and Mounier, L. (2012). A taint based approach for smart fuzzing. In Software Testing, Verification and Validation (ICST), 2012 IEEE Fifth International Conference on, pages 818- 825. IEEE.
  6. Bkakria, A., Bouffard, G., Iguchi-Cartigny, J., and Lanet, J.- L. (2011). Opal: an open-source global platform java library which includes the remote application management over http. In e-Smart 2011.
  7. CardContact (2012). http://www.openscdp.org/.
  8. Distefano, D. and Parkinson J, M. J. (2008). jstar: Towards practical verification for java. In ACM Sigplan Notices, volume 43, pages 213-226. ACM.
  9. EMVCo (2012). https://www.emvco.com/approvals.aspx.
  10. EMVCo (2013).
  11. for Standardization, I. O. (1994). ISO 8402: 1994: Quality Management and Quality Assurance-Vocabulary. International Organization for Standardization.
  12. Haneberg, D., Grandy, H., Reif, W., and Schellhorn, G. (2007). Verifying smart card applications: an asm approach. In Integrated Formal Methods, pages 313- 332. Springer.
  13. Jacobs, B., Marché, C., and Rauch, N. (2004). Formal verification of a commercial smart card applet with multiple tools. In Algebraic Methodology And Software Technology, pages 241-257. Springer.
  14. Jolly, G., Vernois, S., and Lambert, J.-L. (2014). Improving test conformance of smart cards versus emvspecification by using on the fly temporal property verification. InRecent Trends in Computer Networks and Distributed Systems Security, pages 192-201. Springer.
  15. Lancia, J. (2011). Un framework de fuzzing pour cartes à puce: application aux protocoles emv. In Symposium sur la Sécurité des Technologies de lInformation et des Communications (SSTIC), page 82.
  16. Lanet, J.-L. and Requet, A. (2000). Formal proof of smart card applets correctness. In Smart Card Research and Applications, pages 85-97. Springer.
  17. Mueller, D. (2012). https://code.google.com/p/pcsc-sharp/.
  18. Pannetrat, A. (2010). https://code.google.com/p/cardpeek/.
  19. Philippaerts, P., Mühlberg, J. T., Penninckx, W., Smans, J., Jacobs, B., and Piessens, F. (2014). Software verification with verifast: Industrial case studies. Science of Computer Programming, 82:77-97.
  20. Philipps, J., Pretschner, A., Slotosch, O., Aiglstorfer, E., Kriebel, S., and Scholl, K. (2003). Model-based test case generation for smart cards. Electronic Notes in Theoretical Computer Science, 80:170-184.
  21. Posegga, J. and Vogt, H. (1998). Byte code verification for java smart cards based on model checking. In Computer SecurityESORICS 98, pages 175-190. Springer.
  22. Radatz, J., Geraci, A., and Katki, F. (1990). Ieee standard glossary of software engineering terminology. IEEE Std, 610121990:121990.
  23. Rankl, W. (2007). Smart Card Applications: Design Models for Using and Programming Smart Cards. Wiley Online Library.
  24. Rankl, W. and Effing, W. (2010). Smart card handbook. John Wiley & Sons.
  25. Rouit, O. (2011). http://www.codeproject.com/articles/170 13/smart-card-framework-for-net.
  26. Sabatier, D. and Lartigue, P. (1999). The use of the b formal method for the design and the validation of the transaction mechanism for smart card applications. In FM99Formal Methods, pages 348-368. Springer.
  27. Sasc (2014). https://github.com/sasc999/javaemvreader.
  28. van Weelden, A., Oostdijk, M., Frantzen, L., Koopman, P., and Tretmans, J. (2005). On-the-fly formal testing of a smart card applet. In Security and Privacy in the Age of Ubiquitous Computing, pages 565-576. Springer.
  29. Vernois, S. and Alimi, V. (2010). Winscard tools: a software for the development and security analysis of transactions with smartcards. Norsk informasjonssikkerhetskonferanse (NISK).
  30. Wallace, D. R., Ippolito, L. M., and Cuthill, B. B. (1996). Reference information for the software verification and validation process, volume 500. DIANE Publishing.
  31. Watanabe, T., Howell, P., and Pugh, S. (2006). Easing emv: Emvco's new common payment application. Card Technology Today, 18(2):12-13.
Download


Paper Citation


in Harvard Style

Jolly G., Vernois S. and Rosenberger C. (2016). An Observe-and-Detect Methodology for the Security and Functional Testing of Smart Card Applications . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 282-289. DOI: 10.5220/0005682202820289


in Bibtex Style

@conference{icissp16,
author={Germain Jolly and Sylvain Vernois and Christophe Rosenberger},
title={An Observe-and-Detect Methodology for the Security and Functional Testing of Smart Card Applications},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={282-289},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005682202820289},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - An Observe-and-Detect Methodology for the Security and Functional Testing of Smart Card Applications
SN - 978-989-758-167-0
AU - Jolly G.
AU - Vernois S.
AU - Rosenberger C.
PY - 2016
SP - 282
EP - 289
DO - 10.5220/0005682202820289