niklas/master_thesis
1
0
Fork 0
mirror of https://sharelatex.tu-darmstadt.de/git/681e0e7a3a9c7c9c6b8bb298 synced 2026-02-04 11:07:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update on Overleaf.

Browse Source
This commit is contained in:
nb72soza Bittner
2025-06-23 20:19:09 +00:00
committed by node
parent 9305d82b15
commit 09b1b30a05
4 changed files with 65 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
Chapters/RelatedWork.tex
View File

@@ -7,6 +7,43 @@
The ecosystem surrounding \gls{esim} and \gls{euicc} technology is supported by a combination of practical implementations and academic research. As this thesis focuses on differential testing of consumer \gls{esim} cards, it is essential to examine both established software tools that enable interaction with such cards and the existing academic efforts that analyze their security, functionality, and protocol correctness.
\section{Literature}
% SIMURAI
% - focuses on the possiblility of compromised / attacker controlled SIM cards
% - implemented a SIM card emulation framework consisting of: swSIM -> open source SIM and swICC -> smart Card framework
% - Research goal: find out if malicious SIM cards are a credible attack vector
% - they demonstrate their framwork by emulating SIM cards to enable fuzzing against user equipment
% - propose 2 different attack scenarios: Rouge Carrier and interposer with physical access
% - they evalute each attack scenario and propose possible mitigations
% - used their implementation to discover multiple high value memory corruption vulnerabilities inside the
% - exploit those vulns by implementing spyware (similar to SIMjacker) that is remotly patched onto the SIM and sends information to the attacker
% - show that hostile SIMs can be used to exploit vulnerabilites and urge that hostile SIMs should be considered as serious attack vectors
% Security Analysis of the Consumer Remote SIM Provisioning Protocol
% - implement a formal modal of RSP in ProVerfiy to remotly provision SIM profiles
% - found different failure modes, however most of them assume a rather strong attacker -> e.g. TLS private key compromise, etc
% - most practical one: no method to verify user intend -> attacker can order/request profile for victim euicc from sm-dp+ -> victim may be able to download attacker ordered profile
% Transparency of SIM profiles for the consumer remote SIM provisioning protocol
% - says that the entire security of the RSP relies on the PKI in which the GSMA signs domains of sm-dp+ server
% - argues that RSP could be compromised if only a single sm-dp+ server is breached -> attacker could clone profiles
% - propose SPTS (SIM profile transparency protocol) protocol that gives more transparency to the RSP profile provisioning process
% - introduces two new actors to the protol which serve as a private index for IMSIs and a transperncy ledger which protocols each action in the RSP protocol for transparency
% - using formal security analysis of their protocol with ProVerif and develope a prototype that uses the SPTS
\texttt{Simurai} is a research framework that investigates the potential threat of compromised or attacker-controlled \gls{sim} cards~\cite{lisowski_simurai_2024}. The authors introduce a \gls{sim} card emulation system comprising two core components: \texttt{swSIM}, an open-source \gls{sim} card emulator, and \texttt{swICC}, a smart card framework. Their primary goal is to evaluate whether malicious \gls{sim} cards represent a credible attack vector against user equipment.
To support this, they demonstrate how their framework enables fuzz testing by emulating arbitrary \gls{sim} card behaviors. The study proposes two concrete attack scenarios: (1) a rogue carrier scenario, in which a malicious network operator issues hostile \gls{sim} cards, and (2) a physical card interposer attack, where an attacker inserts a interposer between the legitimate \gls{sim} and the phone. For both scenarios, the researchers conduct evaluations and suggest potential mitigations.
Using their emulation framework, the authors discovered multiple high-impact memory corruption vulnerabilities in baseband implementations. These were exploited via spyware-like payloads reminiscent of the \textit{SIMjacker}attack~\cite{enea_simjacker_2019}, remotely installed onto the \gls{sim} card. This spyware exfiltrates information to the attacker without requiring user interaction. Their findings underscore the seriousness of hostile SIMs as an attack vector and argue that such threat models should be incorporated into mobile security considerations.
\textcite{ahmed_security_2024} present a formal model of the \gls{rsp} protocol based on the \gls{sgp22} specification. The model is developed using \texttt{ProVerif} to verify the security properties of remote profile provisioning. Although many of the identified failure modes require strong attacker capabilities—such as compromise of \gls{tls} private keys—the study highlights a particularly practical issue: the absence of a robust mechanism to verify user intent. An attacker could initiate a profile download to a victim's \gls{euicc} without user consent, provided they have access to the device or provisioning channel, resulting in unauthorized profile installation.
\textcite{ahmed_transparency_2021} critiques the centralized trust model underlying the \gls{rsp} ecosystem. The study emphasizes that the entire trust infrastructure hinges on the \gls{pki} used by the \gls{gsma} to certify \gls{smdpp} domains. A breach of any single \gls{smdpp} server could allow an attacker to issue cloned or rogue profiles of that operator to attacker controlled \glspl{euicc}. To address this, the authors propose the \gls{sptp}, a protocol designed to enhance transparency and trust in the provisioning process.
\gls{sptp} introduces two new entities: a private index service for managing \glspl{imsi}, and a transparency ledger that logs profile provisioning actions. Formal security analysis of the \gls{sptp} protocol using \texttt{ProVerif}, alongside a functional prototype, demonstrates that such an approach can mitigate the identified risks without significant architectural changes to the existing infrastructure.
\section{Software Implementations}
\paragraph{pySim}
@@ -27,7 +64,7 @@ The ecosystem surrounding \gls{esim} and \gls{euicc} technology is supported by
The \texttt{pySim} suite comprises five primary scripts: \texttt{pySim-shell}, \texttt{pySim-read}, \texttt{pySim-prog}, \texttt{pySim-trace}, and \texttt{pySim-smdpp}. Among these, \texttt{pySim-shell} is the core component, offering an interactive shell interface to navigate the \gls{sim} card file system and issue application-specific commands. It supersedes the legacy \texttt{pySim-read} script, which only supports a limited subset of shell commands and is primarily used to extract commonly accessed data fields from \gls{sim} cards.
The \texttt{pySim-trace} script provides a tracing utility and protocol decoder for \gls{sim} card-related communication. It integrates with \texttt{simtrace2} to intercept and decode communication between a user device and the \gls{sim} card. This functionality is limited to passive recording and does not support active injection or modification of messages.
The \texttt{pySim-trace} script provides a tracing utility and protocol decoder for \gls{sim} card-related communication. It integrates with \texttt{SIMtrace2} to intercept and decode communication between a user device and the \gls{sim} card. This functionality is limited to passive recording and does not support active injection or modification of messages.
The \texttt{pySim-smdpp} script serves as a proof-of-concept implementation of the \gls{sgp22} \gls{smdpp} server component. Notably, \texttt{pySim} does not implement the full \gls{sgp22} protocol stack on the client side (i.e., communication between the \gls{euicc} and the \gls{smdpp} server); its \gls{sgp22} functionality is restricted to the server role only.
@@ -86,41 +123,3 @@ One of the core components of \texttt{SIMTester} is its integrated fuzzing modul
However, the scope of \texttt{SIMTester} is explicitly limited to physical \gls{sim} cards. It does not support or test \gls{esim}-specific features or functionalities, such as profile provisioning, profile switching, or remote \gls{sim} management as defined in the \gls{sgp22} specification. As such, while useful for legacy systems and certain classes of attacks, its applicability in the context of modern \gls{esim} testing is limited.
\section{Literature}
% SIMURAI
% - focuses on the possiblility of compromised / attacker controlled SIM cards
% - implemented a SIM card emulation framework consisting of: swSIM -> open source SIM and swICC -> smart Card framework
% - Research goal: find out if malicious SIM cards are a credible attack vector
% - they demonstrate their framwork by emulating SIM cards to enable fuzzing against user equipment
% - propose 2 different attack scenarios: Rouge Carrier and interposer with physical access
% - they evalute each attack scenario and propose possible mitigations
% - used their implementation to discover multiple high value memory corruption vulnerabilities inside the
% - exploit those vulns by implementing spyware (similar to SIMjacker) that is remotly patched onto the SIM and sends information to the attacker
% - show that hostile SIMs can be used to exploit vulnerabilites and urge that hostile SIMs should be considered as serious attack vectors
% Security Analysis of the Consumer Remote SIM Provisioning Protocol
% - implement a formal modal of RSP in ProVerfiy to remotly provision SIM profiles
% - found different failure modes, however most of them assume a rather strong attacker -> e.g. TLS private key compromise, etc
% - most practical one: no method to verify user intend -> attacker can order/request profile for victim euicc from sm-dp+ -> victim may be able to download attacker ordered profile
% Transparency of SIM profiles for the consumer remote SIM provisioning protocol
% - says that the entire security of the RSP relies on the PKI in which the GSMA signs domains of sm-dp+ server
% - argues that RSP could be compromised if only a single sm-dp+ server is breached -> attacker could clone profiles
% - propose SPTS (SIM profile transparency protocol) protocol that gives more transparency to the RSP profile provisioning process
% - introduces two new actors to the protol which serve as a private index for IMSIs and a transperncy ledger which protocols each action in the RSP protocol for transparency
% - using formal security analysis of their protocol with ProVerif and develope a prototype that uses the SPTS
\texttt{Simurai} is a research framework that investigates the potential threat of compromised or attacker-controlled \gls{sim} cards~\cite{lisowski_simurai_2024}. The authors introduce a \gls{sim} card emulation system comprising two core components: \texttt{swSIM}, an open-source \gls{sim} card emulator, and \texttt{swICC}, a smart card framework. Their primary goal is to evaluate whether malicious \gls{sim} cards represent a credible attack vector against user equipment.
To support this, they demonstrate how their framework enables fuzz testing by emulating arbitrary \gls{sim} card behaviors. The study proposes two concrete attack scenarios: (1) a rogue carrier scenario, in which a malicious network operator issues hostile \gls{sim} cards, and (2) a physical card interposer attack, where an attacker inserts a interposer between the legitimate \gls{sim} and the phone. For both scenarios, the researchers conduct evaluations and suggest potential mitigations.
Using their emulation framework, the authors discovered multiple high-impact memory corruption vulnerabilities in baseband implementations. These were exploited via spyware-like payloads reminiscent of the \textit{SIMjacker} attack, remotely installed onto the \gls{sim} card. This spyware exfiltrates information to the attacker without requiring user interaction. Their findings underscore the seriousness of hostile SIMs as an attack vector and argue that such threat models should be incorporated into mobile security considerations.
\textcite{ahmed_security_2024} present a formal model of the \gls{rsp} protocol based on the \gls{sgp22} specification. The model is developed using \texttt{ProVerif} to verify the security properties of remote profile provisioning. Although many of the identified failure modes require strong attacker capabilities—such as compromise of \gls{tls} private keys—the study highlights a particularly practical issue: the absence of a robust mechanism to verify user intent. An attacker could initiate a profile download to a victim's \gls{euicc} without user consent, provided they have access to the device or provisioning channel, resulting in unauthorized profile installation.
\textcite{ahmed_transparency_2021} critiques the centralized trust model underlying the \gls{rsp} ecosystem. The study emphasizes that the entire trust infrastructure hinges on the \gls{pki} used by the \gls{gsma} to certify \gls{smdpp} domains. A breach of any single \gls{smdpp} server could allow an attacker to issue cloned or rogue profiles. To address this, the authors propose the \gls{sptp}, a protocol designed to enhance transparency and trust in the provisioning process.
\gls{sptp} introduces two new entities: a private index service for managing \glspl{imsi}, and a transparency ledger that logs profile provisioning actions. Formal security analysis of the \gls{sptp} protocol using \texttt{ProVerif}, alongside a functional prototype, demonstrates that such an approach can mitigate the identified risks without significant architectural changes to the existing infrastructure.