Update on Overleaf.
@@ -116,6 +116,34 @@
|
||||
{9}{{{\color{numb}9}}}{1}
|
||||
}
|
||||
|
||||
\lstdefinelanguage{Log}{
|
||||
morekeywords={INFO, WARNING, ERROR},
|
||||
sensitive=false,
|
||||
morecomment=[l]{//},
|
||||
morestring=[b]",
|
||||
}
|
||||
|
||||
\lstdefinestyle{logstyle}{
|
||||
language=Log,
|
||||
basicstyle=\ttfamily\footnotesize,
|
||||
keywordstyle=\color{blue}\bfseries,
|
||||
commentstyle=\color{gray},
|
||||
stringstyle=\color{orange},
|
||||
showstringspaces=false,
|
||||
columns=fullflexible,
|
||||
keepspaces=true,
|
||||
breaklines=true,
|
||||
frame=single,
|
||||
backgroundcolor=\color{gray!5},
|
||||
}
|
||||
|
||||
% tables
|
||||
\usepackage{booktabs}
|
||||
\usepackage{pifont}
|
||||
|
||||
\newcommand{\cmark}{\ding{51}} % checkmark
|
||||
\newcommand{\xmark}{\ding{55}} % xmark
|
||||
|
||||
% forest
|
||||
\usepackage[edges]{forest}
|
||||
|
||||
|
||||
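Review bot: `sensitive=false` in `\lstdefinelanguage{Log}` makes keyword matching case-insensitive, so a lowercase `info`, `warning` or `error` token inside a captured message or payload is bolded as if it were a log level; the traced lines use uppercase levels only, so `sensitive=true,` is the safer setting. In the same definition `morecomment=[l]{//}` will grey out the rest of any logged line that contains `//`, which is exactly what an SM-DP+ address such as `https://rsp.example` would do, so either drop that line or pick a comment marker that cannot occur in APDU or URL text. Minor: `\newcommand*{\cmark}{\ding{51}}` and `\newcommand*{\xmark}{\ding{55}}` make an accidental paragraph in the argument an error instead of silently accepting it.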
@@ -14,12 +14,62 @@
|
||||
% estk.me does not offer an isd-r for regular interaction with our lpa implmenetation -> tesing is limited
|
||||
% 9esim v2 offers both -> only testing isd-r not USAT for RSP related communication
|
||||
|
||||
\begin{table}[ht]
|
||||
\centering
|
||||
\begin{tabular}{|l|l|l|l|l|l|l|c|}
|
||||
\hline
|
||||
\textbf{Name} & \textbf{Manufacturer} & \textbf{Firmware} & \textbf{SVN} & \textbf{Apps} \\
|
||||
\hline
|
||||
\hline
|
||||
9esim v2 & Kigen & 36.18.5 & 2.3.0 & 12 \\
|
||||
9esim & Kigen & 36.17.4 & 2.3.0 & 11 \\
|
||||
sysmoEUICC & Kigen & 35.6.35 & 2.3.0 & 8 \\
|
||||
EIOTClub & Kigen & 36.7.24 & 2.3.0 & 10 \\
|
||||
esim.me & Eastcompeace & 4.2.0 & 2.2.0 & 0 \\
|
||||
estk.me & G+D & 4.6.0 & 2.2.0 & 0 \\
|
||||
5Ber & Eastcompeace & 4.2.0 & 2.2.2 & 0 \\
|
||||
Xesim & Eastcompeace & 4.2.0 & 2.2.2 & 0 \\
|
||||
\hline
|
||||
\end{tabular}
|
||||
\caption{Overview of Analyzed eSIM Cards}
|
||||
\label{tab:esim-overview}
|
||||
\end{table}
|
||||
|
||||
% data fuzzing
|
||||
% data fuzzing was performed on all esim except the estk.me esim since this card does not offer an isd-r
|
||||
% each fuzzing test was performed on all esims one after one
|
||||
|
||||
% findings data fuzzing
|
||||
% data fuzzing succeeded for most cards
|
||||
% ProfileInfoList failed for 9esim, 9esim v2 and EIOTCLUB
|
||||
% Reported failure input was get_profiles(use_iccid=False, profile_class=None, tags=b'') with failure CardConnectionException from the smartcard library
|
||||
% noticable was that the transaction LED on the CardReader continued to blink (suggesting APDUs were still being sent) eventough no traffic was generated by our code
|
||||
% traffic LED continued to blink even when esim was removed
|
||||
% only stopped blinking when completly disconnected from PC
|
||||
% suggests possible bug in smartcard library
|
||||
|
||||
% findings
|
||||
\begin{table}[h!]
|
||||
\centering
|
||||
\caption{Data fuzzing results for each function per eSIM}
|
||||
\label{tab:data_fuzzing_result}
|
||||
\begin{tabular}{lcccccc}
|
||||
\toprule
|
||||
\textbf{Function} & \textbf{5ber} & \textbf{eSIM.me} & \textbf{9esim} & \textbf{9esim v2} & \textbf{EIOTCLUB} & \textbf{Xesim} \\
|
||||
\midrule
|
||||
SetDefaultDpAddress & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
|
||||
EuiccMemoryReset & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
|
||||
RetrieveNotificationsList & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
|
||||
ListNotification & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
|
||||
ProfileInfoList & \cmark & \cmark & \xmark & \xmark & \xmark & \cmark \\
|
||||
SetNickname & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
|
||||
PrepareDownload & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
|
||||
AuthenticateServer & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
|
||||
BoundProfilePackage & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
|
||||
\bottomrule
|
||||
\end{tabular}
|
||||
\end{table}
|
||||
|
||||
% general findings
|
||||
|
||||
% estk.me fwupd
|
||||
% estk.me offers an esim firmware update utility on their website
|
||||
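Review bot: The `\xmark` entries in the data-fuzzing table (`ProfileInfoList` for 9esim, 9esim v2, EIOTCLUB) read as "the card failed", but the notes directly above say the run ended with a `CardConnectionException` from the host smartcard library and the reader LED kept blinking after the card was removed, which points at the host PC/SC stack rather than the eUICC. Until that is reproduced on a second reader or a fresh PC/SC context, the table should say what an `\xmark` means, e.g. a caption note `(\xmark: run aborted by a host-side CardConnectionException; no eUICC fault observed)`, so the result is not read as a card vulnerability. The overview table declares `\begin{tabular}{|l|l|l|l|l|l|l|c|}` but every row has five cells, which leaves three empty ruled columns on the right; with `booktabs` already loaded, `\begin{tabular}{@{}llllr@{}}` with `\toprule`/`\midrule`/`\bottomrule` would also match the style of the second table. Card names differ between the two tables (`EIOTClub`/`EIOTCLUB`, `5Ber`/`5ber`, `esim.me`/`eSIM.me`); one spelling, ideally via a macro, avoids the reader wondering whether these are the same devices.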
@@ -96,6 +146,13 @@
|
||||
% tracing
|
||||
% using simtrace 2 tracing and recording traffic showed that some esims use different aids for the isdr
|
||||
% -> insert sample trace
|
||||
\begin{lstlisting}[style=logstyle, caption={Traced APDUs when launching the esim.me App}]
|
||||
INFO Captured MANAGE CHANNEL Apdu(00 70 00 00 01 01 9000)
|
||||
INFO Captured SELECT MF/ADF.ISD-R Apdu(01 A4 04 00 10 a0000005591010ffffffff8900000100 6f1f8410a0000005591010ffffffff8900000100a5049f6501ffe0058203020200 9000)
|
||||
INFO Captured MANAGE CHANNEL Apdu(00 70 00 00 01 01 9000)
|
||||
WARNING SELECT UNKNOWN AID a0000005591010000000008900000300
|
||||
INFO Captured SELECT Apdu(01 A4 04 00 10 a0000005591010000000008900000300 6a82)
|
||||
\end{lstlisting}
|
||||
% line X shows that the selected aid could not be mapped to anything known
|
||||
% probably done by vendors to force people to use their own lpa implementations eventough this is also limited by the ara-m
|
||||
% we found the following isdr aids
|
||||
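Review bot: The trace does not support the comment that "some esims use different aids for the isdr": the SELECT of `a0000005591010000000008900000300` ends with SW `6a82` (ISO 7816-4: file or application not found), so on this card nothing is installed under that AID, while the standard ISD-R AID (`...ffffffff8900000100`) was selected successfully two APDUs earlier. What the trace shows is the vendor app probing for an AID that is absent; whether it is a vendor-specific ISD-R on other cards would need a trace where that SELECT returns `9000`, so the comment should be hedged until then. The note below refers to "line X", which cannot be resolved as written; add `numbers=left, label={lst:esimme-trace}` to the listing options and point at it with `\cref{lst:esimme-trace}` so the line number survives edits.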
@@ -285,33 +342,20 @@
|
||||
% check if possible when using different valid profiles on same smdpp
|
||||
% use "LPA:1$rsp.truphone.com$QR-G-5C-1LS-1W1Z9P7" activation code for initial provisioning with bitflip
|
||||
% use "LPA:1$rsp.truphone.com$QRF-SPEEDTEST" activation code for truncated provisioning
|
||||
% successfull mutual authentication aswell as profile binding and download
|
||||
% successful provisioning
|
||||
% both provisionings used the same certificate
|
||||
% Could not test with different certificates -> no available profiles with production GSMA cert (other available one is "LPA:1$rsp-eu.redteamobile.com$5901981126831169" but smdp refuses due to "campaign resource pool is empty")
|
||||
%
|
||||
% successfull mutual authentication aswell as profile binding and download
|
||||
|
||||
% using different smdpp
|
||||
% 1. 'LPA:1$rsp-eu.redteamobile.com$5901981126831169'
|
||||
% 2. 'LPA:1$rsp.truphone.com$QRF-SPEEDTEST'
|
||||
% results in UndefinedError during the authenticateServerRequest -> probably due to not being able to decode the server signed information of the new request with the public key of the previously sent Certificate
|
||||
|
||||
\begin{table}[ht]
|
||||
\centering
|
||||
\begin{tabular}{|l|l|l|l|l|l|l|c|}
|
||||
\hline
|
||||
\textbf{Name} & \textbf{Manufacturer} & \textbf{Firmware} & \textbf{SVN} & \textbf{Apps} \\
|
||||
\hline
|
||||
\hline
|
||||
9esim v2 & Kigen & 36.18.5 & 2.3.0 & 12 \\
|
||||
9esim & Kigen & 36.17.4 & 2.3.0 & 11 \\
|
||||
sysmoEUICC & Kigen & 35.6.35 & 2.3.0 & 8 \\
|
||||
EIOTClub & Kigen & 36.7.24 & 2.3.0 & 10 \\
|
||||
esim.me & Eastcompeace & 4.2.0 & 2.2.0 & 0 \\
|
||||
estk.me & G+D & 4.6.0 & 2.2.0 & 0 \\
|
||||
5Ber & Eastcompeace & 4.2.0 & 2.2.2 & 0 \\
|
||||
Xesim & Eastcompeace & 4.2.0 & 2.2.2 & 0 \\
|
||||
\hline
|
||||
\end{tabular}
|
||||
\caption{Overview of Analyzed eSIM Cards}
|
||||
\label{tab:esim-overview}
|
||||
\end{table}
|
||||
% based on this information it would suggest that when we sent the first request but switch the public key to the one from the second request -> would leed to successful installation
|
||||
% still results in UndefinedError Exception
|
||||
% same result when switching out the whole certificate
|
||||
% suggests that more than just the certificate is beeing reused from the previouse session
|
||||
|
||||
% TODO: Find out which parts are reused aswell -> serverSigned1, serverSignature
|
||||
% TODO: serverSigned1 -> check if signature is verified
|
||||
|
||||
\section{Design}
|
||||
|
||||
|
||||
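Review bot: The comments embed what look like live activation codes (`LPA:1$rsp.truphone.com$QR-G-5C-1LS-1W1Z9P7`, `LPA:1$rsp-eu.redteamobile.com$5901981126831169`); a matching ID is the bearer credential that lets anyone download that profile, and this source is synced to a Git mirror, so they should be replaced with placeholders such as `LPA:1$rsp.truphone.com$<matchingId>` before the repository or thesis source is shared. On the certificate-reuse hypothesis: as far as SGP.22 goes, `serverSigned1` also binds the `transactionId` and the fresh `euiccChallenge` of the current session, so an `authenticateServer` request taken from a session with SM-DP+ B would be rejected on those fields even with the certificate swapped; the TODO should rule that out before concluding that more state than the certificate is reused. "Results in UndefinedError" also leaves open whether the eUICC rejected the request or the LPA code failed earlier, so recording the status word or `AuthenticateServerResponse` error code next to each attempt would make the table of outcomes meaningful.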
@@ -509,7 +509,7 @@ Hypothesis is a property-based testing framework, which allows developers to def
|
||||
|
||||
Hypothesis integrates seamlessly with \texttt{pytest} and uses the \texttt{@given} decorator to specify input generation strategies. For example, given the \gls{asn1} structure defined in the \gls{sgp22} specification for the \texttt{GetProfileInfo} function:
|
||||
|
||||
\begin{verbatim}
|
||||
\begin{lstlisting}[caption={ASN.1 definition of the ProfileInfoListRequest}]
|
||||
ProfileInfoListRequest ::= [45] SEQUENCE {
|
||||
searchCriteria [0] CHOICE {
|
||||
isdpAid [APPLICATION 15] OctetTo16,
|
||||
@@ -518,11 +518,11 @@ ProfileInfoListRequest ::= [45] SEQUENCE {
|
||||
} OPTIONAL,
|
||||
tagList [APPLICATION 28] OCTET STRING OPTIONAL
|
||||
}
|
||||
\end{verbatim}
|
||||
\end{lstlisting}
|
||||
|
||||
We define the following Hypothesis test for the Python implementation of \texttt{GetProfileInfo}:
|
||||
|
||||
\begin{lstlisting}[language=Python, caption={Hypothesis-based fuzzing of \texttt{GetProfileInfo}}]
|
||||
\begin{lstlisting}[language=Python, caption={Hypothesis-based fuzzing of \texttt{GetProfileInfo} function which sends a \texttt{ProfileInfoListRequest}.}]
|
||||
@given(
|
||||
use_iccid=st.booleans(),
|
||||
profile_class=st.one_of(st.integers(min_value=-20, max_value=20), st.none()),
|
||||
|
||||
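Review bot: The `profile_class` strategy `st.one_of(st.integers(min_value=-20, max_value=20), st.none())` only exercises single-byte INTEGER encodings; assuming the request is DER-encoded, the values that stress a card-side parser are the length and sign boundaries, so adding `st.sampled_from([127, 128, 255, 256, -128, -129, 2**31 - 1])` (or a wider `st.integers()` bound if the encoder accepts it) alongside the valid classes 0, 1 and 2 would make the fuzz meaningfully different from a range check. The `@given(` decorator and the test it decorates continue outside the hunk, so the `use_iccid`/`tags` strategies could not be reviewed here. The ASN.1 listing above now has a caption but no `label`, so it cannot be referenced from the text that explains the test.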