Nytro

Hacking Soft Tokens


Hacking Soft Tokens

Advanced Reverse Engineering on Android

Bernhard Mueller © 2016

Vantage Point Security Pte. Ltd.

 

Table of Contents
Introduction
Mobile One-Time Password Token Overview
OATH TOTP
Proprietary Algorithms
Provisioning
Attacks
Retrieval from Memory
Code Lifting and Instrumentation
The Android Reverser’s Toolbox
De-Compilers, Disassemblers and Debuggers
Tracing Java Code
Tracing Native Code
Tracing System Calls
Classic Linux Rootkit Style
Dynamic Analysis Frameworks
Drawbacks Emulation-based Analysis
Runtime Instrumentation with Frida
Building A Sandbox
Sandbox Overview
Customizing the Kernel
Customizing the RAMDisk
Booting the Environment
Customizing ART
Hooking System Calls
Automating System Call Hooking with Zork
Case Studies
RSA SecurID: ProGuard and a Proprietary Algorithm
Analyzing ProGuard-processed Bytecode
Data Storage and Runtime Encryption
Tool Time: RSACloneId
Vendor Response
Summary
Vasco DIGIPASS: Advanced Anti-Tampering
Initial Analysis
Root Detection and Integrity Checks
Native Debugging Defenses
JDWP Debugging Defenses
Static-dynamic Analysis
Attack Outline
Tool Time: VasClone
Vendor Comments
Summary
TL; DR
Attack Mitigation
Software Protection Effectiveness
REFERENCES

Download: http://gsec.hitb.org/materials/sg2016/whitepapers/Hacking Soft Tokens - Bernhard Mueller.pdf
