Update on Overleaf.

2025-12-07 05:08:01 +00:00 · 2025-06-23 23:43:11 +00:00
parent 09b1b30a05
commit 63c5048682
1 changed files with 104 additions and 2 deletions
--- a/Chapters/Evaluation.tex
+++ b/Chapters/Evaluation.tex
@@ -57,8 +57,110 @@
 % when applying these mutations to every firmware section blob the esim would immediatly reject the section 
 % based on this behaviour we assume that there is some signing of the blocks involved or some checksum or hash implementeted in each section to prevent transmission errors and subsequently writing a faulty firmware image, which in the worst case could corrupt the fwupd mechanism and prevent further fixing of the image

-% skipping signature verification
-%
+
+
+% tracing
+% using simtrace 2 tracing and recording traffic showed that some esims use different aids for the isdr
+% -> insert sample trace
+% line X shows that the selected aid could not be mapped to anything known
+% probably done by vendors to force people to use their own lpa implementations eventough this is also limited by the ara-m
+% we found the following isdr aids 
+% xesim: A0000005591010FFFFFFFF8900000177
+% 5ber: A0000005591010FFFFFFFF8900050500
+% esim.me: A0000005591010000000008900000300
+
+% replaying the traffic to other esims did not show any relevant or interisting behaviour
+% limited to small subset of esim functionality due to usage of nonces for specific tasks
+
+
+% apdu fuzzing
+
+% differences in execution time
+
+% 
+
+% error messages thrown by failed traces
+% SCP03TSecurityError
+% ApduException
+% InvalidCertificate
+% InvalidSignature
+% UnsupportedRemoteOpType
+
+
+% analyzing recorded apdu fuzzing
+% PATHS = glob.glob("recordings/*.resim")
+% 
+% for path in PATHS:
+%     with open(path, "rb") as f:
+%         try:
+%             recorder: OperationRecorder = pickle.load(f)
+%         except Exception as e:
+%             print(f"Failed to load {path}: {e}")
+%             continue
+% 
+%         print(f"Processing {path}")
+% 
+%     def get_successfully_mutated_data(tree: MutationTreeNode) -> bool:
+%         if tree.leaf:
+%             return tree.failure_reason is None
+% 
+%         has_successful_child = False
+% 
+%         for child in tree.children:
+%             is_successful = get_successfully_mutated_data(child)
+% 
+%             if is_successful:
+%                 has_successful_child = True
+% 
+%             if (
+%                 is_successful
+%                 and tree.recording
+%                 and tree.mutation_type != MutationType.NONE
+%             ):
+%                 diff = difflib.ndiff(
+%                     tree.recording.original_apdu.data.hex(),
+%                     tree.recording.mutated_apdu.data.hex(),
+%                 )
+%                 pprint(
+%                     {
+%                         "recording": path,
+%                         "function": tree.func_name,
+%                         "mutation_type": tree.mutation_type,
+%                         "original_apdu": tree.recording.original_apdu.data.hex(),
+%                         "mutated_apdu": tree.recording.mutated_apdu.data.hex(),
+%                         "diff": "".join(diff),
+%                     }
+%                 )
+% 
+%         return has_successful_child
+% 
+%     get_successfully_mutated_data(recorder.root)
+% 
+% load recordings
+% loop through nodes and find nodes where the branch is successfull and the mutation type is not none
+% shows all successful mutations in the recodings folder
+% ndiff: compares two strings and returns a diff view that shows the differences for both strings
+% 
+
+% get_euicc_info_1 truncate success
+% truncation of trailing 00
+% bf2000 -> bf20
+
+% firstSequenceOf87 bitflip success
+% diff:  a- 0+ 1  1  a  8  7  1  8  8  b  0  c  9  1  6  5  4  1  1  3  9  '
+%         'd  f  b  1  d  4  f  0  6  3  c  7  b  c  2  d  7  4  b  d  f  1  2  '
+%         'e  b  0  7  8  0  4  5  e  0  0  b'
+% a0 -> a1
+% indicates another channel was used
+
+
+% authenticate_server was truncated but still successful
+% last 75% of authenticate_server apdu are truncated
+% only able to trigger 1 time -> problem: next mutation type selection was based on enum order
+% solution: check if mutation in trace history was successful, if so: do not mutate anything and return MutationType.NONE; if no mutation happend: return a random mutation that was not yet used 
+% from triggering it only once -> triggering it every run
+% TODO: go into detail on what is happening exactly
+% only happening on Eastcompeace euiccs


 \begin{table}[ht]