niklas/master_thesis
1
0
Fork 0
mirror of https://sharelatex.tu-darmstadt.de/git/681e0e7a3a9c7c9c6b8bb298 synced 2025-12-08 05:27:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update on Overleaf.

Browse Source
This commit is contained in:
nb72soza Bittner
2025-07-12 22:54:06 +00:00
committed by node
parent bf7e86572e
commit f9130f1aee
4 changed files with 119 additions and 128 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
Chapters/Evaluation.tex
View File

@@ -17,6 +17,12 @@
The primary objective of this evaluation is to apply differential testing to analyze the behavior and potential security implications of various commercial eSIM on SIM solutions. This methodology aims to uncover inconsistencies, implementation deviations, and potential vulnerabilities by observing how different cards react to the same input sequences under controlled conditions.
To conduct a thorough and representative evaluation, we selected a diverse set of eSIM-on-SIM cards from multiple vendors. In total, \textbf{eight} different cards were included in the analysis, as shown in Table~\ref{tab:esim-overview}. These cards vary in terms of manufacturer, supported features, and firmware versions. The tests were conducted using the tracing, mutation, and fuzzing infrastructure described in \cref{ch:implementation}.
% experiments were conduct on a host machine running arch linux
% 32 GB of RAM, and and Ryzen 7 (find out actual version)
% smart card reader is the HID OMNIKEY 3121 USB
All experiments were performed on a host machine running Arch Linux, equipped with 32\,GB of RAM and an AMD Ryzen 7 5800X processor. For physical communication with the \gls{esim} cards, an HID OMNIKEY 3121 USB smart card reader was used.
\todo{List Hardware specs}
\begin{table}[ht]
@@ -127,7 +133,7 @@ Among all evaluated \glspl{esim}, \texttt{estk.me} stands out due to its publicl
The firmware image accompanying the update utility appears to be encrypted or obfuscated. An entropy analysis conducted using the Shannon entropy metric indicates a consistently high entropy across all tested firmware files, suggesting the presence of encryption or compression. For instance, the entropy of the T001V06 firmware image was measured at approximately \texttt{7.998}, which is close to the theoretical maximum of \texttt{8.0} for purely random data.
\begin{figure}[htbp]
\begin{figure}[ht]
\centering
\begin{tikzpicture}
\begin{axis}[
@@ -142,6 +148,7 @@ The firmware image accompanying the update utility appears to be encrypted or ob
xmin=0,
ymin=0,
grid,
axis lines=left
]
\addplot[
@@ -165,7 +172,7 @@ The firmware image accompanying the update utility appears to be encrypted or ob
\end{axis}
\end{tikzpicture}
\caption{Shannon entropy values across blocks for three different firmware versions.}
\todo{Start with block 0, explain drop off at 200}
\todo{explain drop off at 200}
\end{figure}
A deeper static analysis using Ghidra~\cite{nsa_ghidra_2025} did not reveal any recognizable structure or file headers, further supporting the assumption of encryption. Similarly, tools like Binwalk~\cite{refirmlabs_binwalk_2025} did not detect known compression schemes, embedded file systems, or file signatures. Consequently, firmware payload analysis could not be meaningfully performed beyond block-level transmission.
@@ -284,52 +291,33 @@ While tracing provides valuable insights into command sequencing and \gls{aid} s
\todo{Introduce different setups to make it more obvious when conducting seperate experiments}
\begin{table}[h]
\begin{table}[t]
\begin{adjustwidth}{-.5in}{-1.5in}
\centering
\caption{Data fuzzing results for 5ber, eSIM.me, and EIOTCLUB}
\label{tab:data_fuzzing_result_part1}
\begin{tabular}{lccc}
\caption{Data fuzzing results for for all tested eSIM-on-SIM cards. }
\label{tab:data_fuzzing_result}
\begin{tabular}{lcccccc}
\toprule
\textbf{Function} & \textbf{5ber} & \textbf{eSIM.me} & \textbf{EIOTCLUB} \\
\textbf{Function} & \textbf{5ber} & \textbf{eSIM.me} & \textbf{EIOTCLUB} & \textbf{9esim} & \textbf{9esim v2} & \textbf{Xesim} \\
\midrule
SetDefaultDpAddress & \cmark & \cmark & \cmark \\
EuiccMemoryReset & \cmark & \cmark & \cmark \\
RetrieveNotificationsList & \cmark & \cmark & \cmark \\
ListNotification & \cmark & \cmark & \cmark \\
ProfileInfoList & \cmark & \cmark & \xmark \\
SetNickname & \cmark & \cmark & \cmark \\
PrepareDownload & \cmark & \cmark & \cmark \\
AuthenticateServer & \cmark & \cmark & \cmark \\
BoundProfilePackage & \cmark & \cmark & \cmark \\
SetDefaultDpAddress & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
EuiccMemoryReset & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
RetrieveNotificationsList & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
ListNotification & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
ProfileInfoList & \cmark & \cmark & \xmark & \xmark & \xmark & \cmark \\
SetNickname & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
PrepareDownload & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
AuthenticateServer & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
BoundProfilePackage & \cmark & \cmark & \cmark & \cmark & \cmark & \cmark \\
\bottomrule
\end{tabular}
\end{table}
\begin{table}[h]
\centering
\caption{Data fuzzing results for 9esim, 9esim v2, and Xesim}
\label{tab:data_fuzzing_result_part2}
\begin{tabular}{lccc}
\toprule
\textbf{Function} & \textbf{9esim} & \textbf{9esim v2} & \textbf{Xesim} \\
\midrule
SetDefaultDpAddress & \cmark & \cmark & \cmark \\
EuiccMemoryReset & \cmark & \cmark & \cmark \\
RetrieveNotificationsList & \cmark & \cmark & \cmark \\
ListNotification & \cmark & \cmark & \cmark \\
ProfileInfoList & \xmark & \xmark & \cmark \\
SetNickname & \cmark & \cmark & \cmark \\
PrepareDownload & \cmark & \cmark & \cmark \\
AuthenticateServer & \cmark & \cmark & \cmark \\
BoundProfilePackage & \cmark & \cmark & \cmark \\
\bottomrule
\end{tabular}
\todo{Merge tables and explain check mark and cross}
\caption*{\cmark \hspace{.2cm} indicates that fuzzing did not find any bug \\ \xmark \hspace{.2cm} indicates an error during the fuzzing operation}
\end{adjustwidth}
\end{table}
We conducted data fuzzing, as described in \cref{subsec:data_fuzzing}, on all tested \gls{esim} cards with the exception of \texttt{estk.me}. Each test case is executed sequentially across all eligible \glspl{esim} to ensure consistency and reproducibility of results.
The majority of the cards handled the fuzzed input data as expected, either processing the requests successfully or rejecting them gracefully with standard-compliant error responses. However, notable exceptions were observed during the execution of the \texttt{GetProfileInfo} test case as shown in \cref{tab:data_fuzzing_result_part1} and \cref{tab:data_fuzzing_result_part2}, particularly for the following cards:
The majority of the cards handled the fuzzed input data as expected, either processing the requests successfully or rejecting them gracefully with standard-compliant error responses. However, notable exceptions were observed during the execution of the \texttt{GetProfileInfo} test case as shown in \cref{tab:data_fuzzing_result}, particularly for the following cards:
\begin{itemize}
\item 9esim
\item 9esim v2
@@ -417,8 +405,7 @@ To evaluate the robustness of \gls{rsp} protocol handling and smart card behavio
Initial fuzzing experiments revealed that applying aggressive mutations across all \glspl{apdu} early in a transaction significantly hindered code path exploration. In many cases, although a mutation in an early \gls{apdu} succeeded in provoking an altered behavior or state change, subsequent mutated \glspl{apdu} caused premature failures. As a mitigation strategy, we adopted a greedy mutation approach: once a mutation led to a successful state transition, the subsequent \glspl{apdu} in that session were executed unmutated to allow complete transaction processing and thereby maximize coverage.
\subsection*{Experimental Setup}
All tests were conducted using a HID OMNIKEY 3121 USB smart card reader.\glspl{esim} were inserted into a Sysmocom 2FF-to-full-size adapter to ensure compatibility with the reader. For consumer-grade \glspl{esim}, the following profile was used:
\todo{Reference where the profiles are comming from}
All tests are conducted with test profiles that use the \gls{gsma} Live CI and are offered by various \glspl{mno} \cite{welte_euicc_2024}. For consumer-grade \glspl{esim}, the following profile was used:
\begin{center}
\texttt{LPA:1\$rsp.truphone.com\$QR-G-5C-1LS-1W1Z9P7}
\end{center}