Project Description
SCFuzz is a smart card middleware fuzz testing tool (fuzzer). Using API hooking, SCFuzz modifies data returned by the card in order to find bugs in the host.

Details
The purpose of SCFuzz is to demonstrate the impact that a rogue smart card can have on smart card-aware Windows applications, including system components. Fuzzing is a powerful technique for exposing protocol-parsing bugs in gray-box testing, where the tester can observe the traffic between host and card without having the host's source.

The type of fuzz testing supported by SCFuzz is intended to be iterative rather than purely random. By analyzing the TLV (tag, length, value) buffers (typically based on ISO 7816) exchanged between the host and a smart card, it becomes apparent which byte positions may be modified to produce unexpected conditions. For example, if the length encoded in a TLV contradicts a separate length indicator encoded in the payload data, which one does the application use? Can a buffer overflow be induced?

Implementation
At runtime, SCFuzz starts by loading a smart card middleware DLL (see SCardFuzz.cpp). It then patches that DLL's import address table so that its imported winscard!SCardTransmit entry points to SCFuzz's own implementation (see _MySCardTransmit). Finally, CryptAcquireContext is called in order to force the smart card middleware to initialize (it is assumed that a smart card has already been inserted into a reader). This results in several commands being exchanged with the card, all of which now pass through the hook.

Under the covers, _MySCardTransmit is where the iterative fuzzing is done. Each send and receive buffer is displayed as debug output for analysis. Selected smart card commands can be filtered, modified, randomized, etc., until an unhandled error condition is forced in the host.
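The TLV length-mismatch idea from the Details section and the _MySCardTransmit hook described above, as one added example that is not SCFuzz's own code: a hook-shaped transmit wrapper that forwards to the real transmit routine, logs both buffers and, for responses to a chosen INS, corrupts one TLV length byte per call, stepping through the response's length fields on successive calls. The Windows-specific part (patching the middleware's import address table so winscard!SCardTransmit resolves to the hook) is not reproduced; the "card" here is a constructed FCI response so the program builds and runs anywhere, and the transmit_fn signature, the fuzz_state structure and all function names are this example's assumptions, not SCFuzz's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Print one direction of the exchange, the way SCFuzz shows each send and
 * receive buffer as debug output for analysis. */
static void hexdump(const char *label, const uint8_t *b, size_t n)
{
    printf("%-18s", label);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", b[i]);
    putchar('\n');
}

/* Walk a BER-TLV body (one-byte tags; short-form or 0x81-prefixed lengths,
 * which covers typical ISO 7816-4 FCI/FCP responses) and record the buffer
 * offset of every length byte. Constructed tags (bit 0x20 set) are descended
 * into. Returns the number of offsets written. A value that would run past
 * the buffer, or an unsupported length form, stops the walk instead of
 * reading out of bounds: the fuzzer must not have the bug it is hunting. */
static size_t tlv_length_offsets(const uint8_t *buf, size_t len, size_t base,
                                 size_t *out, size_t max)
{
    size_t pos = 0, n = 0;
    while (pos + 2 <= len && n < max) {
        uint8_t tag = buf[pos];
        size_t lpos = pos + 1, lbyte, vlen, vpos;
        if (buf[lpos] < 0x80) {
            lbyte = lpos; vlen = buf[lpos]; vpos = lpos + 1;
        } else if (buf[lpos] == 0x81 && lpos + 1 < len) {
            lbyte = lpos + 1; vlen = buf[lpos + 1]; vpos = lpos + 2;
        } else {
            break;                       /* unsupported or truncated length */
        }
        if (vpos + vlen > len)
            break;                       /* value runs past the buffer */
        out[n++] = base + lbyte;
        if (tag & 0x20)                  /* constructed: recurse into value */
            n += tlv_length_offsets(buf + vpos, vlen, base + vpos, out + n, max - n);
        pos = vpos + vlen;
    }
    return n;
}

/* Assumed shape of the transmit routine being hooked (stand-in for the role
 * SCardTransmit plays; the real API also carries a handle and PCI pointers). */
typedef int (*transmit_fn)(const uint8_t *apdu, size_t apdu_len,
                           uint8_t *resp, size_t *resp_len);

struct fuzz_state {
    uint8_t ins;            /* only responses to this INS are mutated */
    int     delta;          /* added to the chosen length byte */
    size_t  iteration;      /* which length field to corrupt this round */
    size_t  mutated_offset; /* offset touched on the last call, or (size_t)-1 */
};

/* Hook-shaped wrapper, playing the role of _MySCardTransmit: call the real
 * transmit, log both buffers, then corrupt one TLV length in the response body
 * (status word excluded) before the host parses it. */
static int fuzz_transmit(transmit_fn orig, struct fuzz_state *st,
                         const uint8_t *apdu, size_t apdu_len,
                         uint8_t *resp, size_t *resp_len)
{
    int rc = orig(apdu, apdu_len, resp, resp_len);
    st->mutated_offset = (size_t)-1;
    if (rc != 0 || apdu_len < 4)
        return rc;
    hexdump("-> card", apdu, apdu_len);
    hexdump("<- card", resp, *resp_len);
    if (apdu[1] != st->ins || *resp_len < 2)   /* filter on INS byte */
        return rc;
    size_t offs[32];
    size_t n = tlv_length_offsets(resp, *resp_len - 2, 0, offs, 32);
    if (n == 0)
        return rc;
    size_t i = st->iteration++ % n;            /* next length field each round */
    resp[offs[i]] = (uint8_t)(resp[offs[i]] + st->delta);
    st->mutated_offset = offs[i];
    hexdump("<- host (fuzzed)", resp, *resp_len);
    return rc;
}

/* Constructed sample answer to SELECT: an FCI template (6F) holding a DF name
 * (84) and a nested proprietary template (A5 / 88), then SW 90 00. Made up for
 * this example, not captured from any real card. */
static const uint8_t kFci[] = {
    0x6F, 0x0C, 0x84, 0x05, 0xA0, 0x00, 0x00, 0x00, 0x01,
    0xA5, 0x03, 0x88, 0x01, 0x01, 0x90, 0x00 };

static int fake_card_transmit(const uint8_t *apdu, size_t apdu_len,
                              uint8_t *resp, size_t *resp_len)
{
    (void)apdu; (void)apdu_len;
    if (*resp_len < sizeof kFci)
        return -1;
    memcpy(resp, kFci, sizeof kFci);
    *resp_len = sizeof kFci;
    return 0;
}

int main(void)
{
    const uint8_t select[] = { 0x00, 0xA4, 0x04, 0x00, 0x05,
                               0xA0, 0x00, 0x00, 0x00, 0x01 };
    struct fuzz_state st = { 0xA4, +1, 0, (size_t)-1 };
    uint8_t resp[258];
    for (int round = 0; round < 4; round++) {
        size_t rlen = sizeof resp;
        fuzz_transmit(fake_card_transmit, &st, select, sizeof select, resp, &rlen);
        printf("round %d: corrupted length byte at offset %zu\n",
               round, st.mutated_offset);
    }
    return 0;
}
```

On the first call the outer 6F length is raised from 0x0C to 0x0D, so the template claims one more byte than its nested TLVs actually occupy and a host parser that trusts the outer length reads into the status word; the second call lengthens the DF name (84) instead, putting that length indicator in conflict with the bytes that follow it. A real hook would keep the original SCardTransmit signature and return value unchanged so the middleware cannot tell it is being fuzzed, and the walker deliberately stops rather than overruns on a truncated structure, since the instrumented responses it sees are, by design, malformed.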

Last edited Aug 27, 2012 at 3:21 PM by dangriffin, version 2