Campus - Amphi H, ENSIMAG
Access information at http://ensimag.grenoble-inp.fr: follow "Plan d’acces" and "Le plan d’acces l’Ensimag sur le campus".
INRIA is pleased to invite you to a workshop on Embedded System (In)Security on Wednesday 7th of January from 2pm to 6pm in the Amphi H of Ensimag (on the Saint Martin d’Heres Campus).
This workshop will feature the following 3 talks:
2pm-3pm: Code Injection in Smart Cards, Jean-Louis Lanet, Universite de Limoges, FR.
3:15pm-4:15pm: Practical Attacks on low power microcontroller, Travis Goodspeed, University of Tennessee, Knoxville, USA.
4:30pm-5:30pm: Code Injection in Sensor Networks, Aurelien Francillon, INRIA Rhone-Alpes, projet PLANETE, FR.
For more information please contact: Claude.Castelluccia
Summary of the talks:
Code Injection in Smart Cards, Jean-Louis Lanet:
We present a method to create a hostile, ill-formed applet in Java Card if an attacker has the rights to download applets onto the smart card and the card has no bytecode verifier. For this we use two weaknesses in the Java Card specifications 3.0 (the Classic Edition): one about static fields not checked by the firewall under certain conditions, and another one about the on-board linking process. Once downloaded, our malicious applet is able to search for patterns in other applets (even if they are not in the same package and we have no rights on them) and replace bytecodes to bypass important security checks.
Practical Attacks on low power microcontroller, Travis Goodspeed:
The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. When its JTAG fuse is blown, the device’s firmware is kept private by a serial bootstrap loader (BSL), certain revisions of which are vulnerable to a side-channel timing analysis attack. This lecture concerns the attack in both theory and implementation, including the non-standard serial traffic necessary to expose the password by timing.
Code Injection in Sensor Networks, Aurelien Francillon:
We will present different code injection attacks on wireless sensor networks. We will see in more detail how to exploit program vulnerabilities to permanently inject code into the program memory of an Atmel AVR-based sensor (MICAz). AVR microcontrollers use a Harvard-based architecture, and it was believed that code injection was impossible on such an architecture. We also show that this attack can be used to inject a worm that can propagate through the wireless sensor network and possibly create a sensor botnet. Our attack combines different techniques such as return-oriented programming and fake stack injection. We present implementation details and suggest some countermeasures.