Hackable Security Modules Reversing and exploiting a FIPS 140-2 lvl 3 HSM firmware - TIB AV-Portal

Hackable Security Modules Reversing and exploiting a FIPS 140-2 lvl 3 HSM firmware

00:00

599

Formal Metadata

Title

Hackable Security Modules Reversing and exploiting a FIPS 140-2 lvl 3 HSM firmware

Title of Series

REcon 2017 Brussels Hacking Conference

Part Number

12

Number of Parts

20

Author

License

CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/32391 (DOI)

Publisher

Release Date

Language

Production Place

Brüssel

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

From Web PKI and digital signatures to PCI-DSS and DNSSEC, a big part of the security industry currently depends on special cryptographic modules to implement cryptography, the so called Hardware Security Modules (HSMs). Every certificate used in the web has been signed by a key stored inside an HSM, and every time a DNSSEC query is being validated, the root keys generated by such an HSM are being used. In this presentation, the security of such a device, the Utimaco SecurityServer, will be evaluated. Inside the device, a Texas Instruments TMS320C64x DSP can be found which performs all operations. The TMS320C64x DSP is an exotic architecture compared to the classic x86, x86_64, ARM, MIPS and other common architectures, due to its unique features, such as the multiple functional units, each having its own assembly commands and the ability to execute multiple commands in parallel. This architecture, together with the ABI and a small introduction to the memory organization will be presented. The research will then mostly focus on the device’s firmware. Due to the inability of IDA pro to correctly disassemble the files, and the minimal number of tools for this architecture, the capstone disassembler has been extended and the TMS320C64x architecture has been added. Finally, a vulnerability to the HSM’s firmware will be presented, together with the methodology that was used in order to find the bug.

REcon 2017 Brussels Hacking Conference12 / 20

1

18:21

Poutine: Dusting Forgotten Lore

2

21:15

When your firewall turns against you

3

17:05

4

39:09

5

38:32

Analyzing iOS apps: road from AppStore to security analysis report

6

35:01

Teaching Old Shellcode New Tricks

7

23:08

Keeping your tools safe IDA

8

25:27

Contributor analysis

9

42:08

Embedded devices reverse engineering

10

49:02

GRAP: define and match graph patterns within binaries

11

37:58

Reverse Engineering: Satellite Based IP Content Distribution

12

40:55

Hackable Security Modules Reversing and exploiting a FIPS 140-2 lvl 3 HSM firmware

13

55:38

Breaking Code Read Protection on the NXP LPC-family Microcontrollers

14

1:05:04

Getting Physical with USB Type-C: Windows 10 RAM Forensics and UEFI Attacks

15

1:05:44

Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems

16

55:22

Harnessing Intel Processor Trace on Windows for fuzzing and dynamic analysis

17

22:12

Legacy Crypto Never Dies

18

19:34

Your Chakra Is Not Aligned

19

40:38

Transforming Open Source to Open Access in Closed Applications

20

33:27

A Little Less Conversation, A Little More ActionScript

Automatic playback

Speech

Text

Image

00:00

Strategy gameComputer hardwareMachine codeComputer fontInformation securityReverse engineeringModule (mathematics)Sign (mathematics)NeuroinformatikVulnerability (computing)Public key certificateComputer scienceWebsiteComputer animation

01:13

AlgorithmData managementCryptographyMathematicsSoftwareTelecommunicationValidity (statistics)Semiconductor memoryType theoryValuation (algebra)Product (business)Level (video gaming)Software testingIntegrated development environmentFormal verificationBitContent (media)PhysicalismSampling (statistics)Database transactionNumberTime zoneRandom number generationRevision controlServer (computing)Operator (mathematics)RootAsynchronous Transfer ModeInformation securityFirmwareNational Institute of Standards and TechnologyControl flowCuboidEncryptionLatent heatModule (mathematics)Web browserStatement (computer science)PlastikkarteBackupProcess capability indexPasswordPseudozufallszahlenKey (cryptography)Different (Kate Ryan album)AuthorizationStandard deviation2 (number)Public key certificate1 (number)Computer hardwareInformationStaff (military)Computer programmingBus (computing)Dimensional analysisState of matterProof theoryForm (programming)Sheaf (mathematics)MereologyPhysical systemHypothesisQuicksortFamilyBasis <Mathematik>Process (computing)Set (mathematics)Communications protocolSoftware frameworkSurfaceGraph (mathematics)Sign (mathematics)Internet forumEndliche ModelltheorieSinc functionSymbol tableDegree (graph theory)Multiplication signFreewareRight angleService (economics)Position operatorComputer animation

09:49

Assembly languageRow (database)InformationComputer architectureSoftwareTelecommunicationString (computer science)CodeComputer programmingSemiconductor memoryShift operatorFunctional programmingFlow separationL-functionBefehlsprozessorBlock diagramSheaf (mathematics)Structural loadMultiplicationPolygon meshSlide ruleExecution unitResultantSampling (statistics)NumberEmailRevision controlOperator (mathematics)Software bugSystem administratorFirmwareAuthenticationData storage deviceWordEncryptionObservational studyLatent heatModule (mathematics)Insertion loss32-bitJava appletFile formatSoftware frameworkComputer fileWhiteboardInterrupt <Informatik>Different (Kate Ryan album)Cycle (graph theory)LengthStandard deviationDisassemblerRight angleMachine codeSelf-organizationStaff (military)Descriptive statisticsBuildingIntegrated development environmentArithmetic meanBitPrice indexPower (physics)MereologyPhysical systemMarginal distributionTerm (mathematics)Heat transferCellular automatonSystem callWeightBinary fileMetropolitan area networkBeat (acoustics)SummierbarkeitPoint (geometry)Inheritance (object-oriented programming)GradientSet (mathematics)PixelThread (computing)Electronic mailing listGraph coloringSound effectLimit setEndliche ModelltheorieExtreme programmingBEEPOptical disc driveComputer animation

18:26

Assembly languageSequenceComputer hardwareImplementationInformationComputer architectureSelf-organizationCodeDescriptive statisticsFunction (mathematics)Computer programmingSemiconductor memoryType theoryFunctional programmingCloningAxiom of choiceLinker (computing)BitLine (geometry)Letterpress printingResultantTable (information)Hydraulic jumpConfiguration spaceLogical constantBranch (computer science)Operator (mathematics)Parameter (computer programming)Instance (computer science)Social classoutputOpen setWord32-bitSpeicheradresseFile formatSoftware frameworkAddress spaceKeyboard shortcutComputer fileOpen sourceSelectivity (electronic)Representation (politics)FlagCycle (graph theory)Uniform resource locatorStandard deviationDisplacement MappingDisassemblerInverse elementInterface (computing)Pattern languageProgramming languageLevel (video gaming)AxiomForm (programming)Sheaf (mathematics)SphereProjective planeExecution unitNumberLink (knot theory)QuicksortSystem callGoodness of fitCASE <Informatik>Field (computer science)Complete metric spaceSummierbarkeitBarrelled spaceOcean currentSet (mathematics)Reading (process)Binary decision diagramKurtosisConstructor (object-oriented programming)LengthFigurate numberMechanism designComputer animation

27:03

Assembly languageDatabaseImplementationMachine codeString (computer science)Computer programmingFunctional programmingLogic gateForm (programming)Sheaf (mathematics)Line (geometry)Directed graphMereologyPhysical systemExecution unitMilitary baseLogical constantBranch (computer science)Parameter (computer programming)CASE <Informatik>Metropolitan area networkInformation securityPointer (computer programming)Cross-correlationSummierbarkeitSocial classSet (mathematics)Data conversionMonster groupKeyboard shortcutWebsiteSelectivity (electronic)Key (cryptography)Different (Kate Ryan album)Constructor (object-oriented programming)Symbol tableIdentifiabilityMultiplication signBuffer overflowStandard deviationMappingTwitterComputer architectureSoftwareCodeProduct (business)Software testingFlow separationBitComputer simulationPairwise comparisonRevision controlSoftware bugTemplate (C++)Field (computer science)Principle of maximum entropyFirmwareOcean currentSpeicheradresseBuffer solutionOpen sourceCalculationUniform resource locatorPublic key certificateDisassemblerComputer animation

35:39

Computer animation

36:14

Machine codeMicroprocessorDigital signal processorFunctional programmingRecursionLoop (music)Execution unitCore dumpHydraulic jumpEmailPresentation of a groupPoint (geometry)Open setArray data structureKey (cryptography)ArmThermal conductivitySlide ruleSampling (statistics)AreaSystem callGoodness of fitProcess (computing)Set (mathematics)ProgrammschleifeCartesian coordinate systemSound effectOpen sourceView (database)Selectivity (electronic)Multiplication signLecture/Conference

40:35

Computer animation

Transcript: English(auto-generated)

00:09

on Brussels 2017.

00:21

So hello, everybody. We're going to talk about reversing hardware security modules. So some things about me. My name is Fotis Lukos. I work at SSL.com, CA focusing on SSL and code signing certificates. I hold a PhD in computer science,

00:40

and my work focuses on PKI, CA security, but I also do some vulnerability research and some reverse engineering. The outline of the talk, we'll start with some boring stuff about what is an HSM, the security requirements, and then we'll move on to the more interesting stuff,

01:01

the Utimaco HSM, our target, the firmware, the TMS 320 C64X DSP, adding support to Capstone, and finally, finding vulnerability. So what is an HSM? It's a special cryptographic module that implements cryptographic algorithms, methods, and protocols.

01:22

You can securely store cryptographic keys. You can manage keys, generate, perform cryptographic operations like encrypt, decrypt, sign, verify. And most of them come in two forms, either a network device or a PCI card. There are also some USB HSMs, but they're not used at all.

01:45

The biggest players are Gemalto, that bought Safenet, Safenet is famous for their Luna series of products. Sample value for an HSM, $30,000. Another big player is Thales, who bought Encypher.

02:04

Sample value for a USB HSM, $10,000. These are some of their products. I just could bring a PCI card with me. Couldn't break a network HSM.

02:21

And our target, Utimaco. Utimaco is famous for the crypto series, crypto server series of products. And they have a ready to deploy PKI solution using HBCA. HBCA is a very famous product for setting up a CA.

02:41

Sample value for a network HSM, $15,000. So as you can see, it's a business with a lot of money. Where do you use HSMs? PKI, all certification authorities must use HSMs. It's a requirement by the certification authorities and browsers forum.

03:02

DNSSEC, again, if you read the DNSSEC practice statement for the root zone KSK operator, you need to use an HSM. Electronic transactions, PCI DSS specifies that you must use HSMs for certain transactions.

03:22

So if you're going to implement serious crypto, you need an HSM. So as HSMs are used in critical applications, as we said before, there are a lot of standards that have been proposed to evaluate the security. The major ones are FIPS 140-2 and the common criteria.

03:43

FIPS 140-2, the full name is the Federal Information Processing Standard Publication 140-2, and it's the US stuff. The first version was made in 2001 by NIST and then updated in 2002. It's what everybody uses.

04:02

And it supersedes FIPS 140-1 and will be superseded by DAS 3. There's a very funny story behind FIPS 140-3. Three different drafts have been written so far, but none has been signed by the Secretary of Commerce.

04:22

It specifies four different security levels. The first level has some requirements about the algorithms that are implemented. Level 2 adds some physical security controls. Level 3 has more physical security controls. Level 4 is about HSMs that can be used

04:43

in physically protected environments. There's a special program, the Cryptographic Module Validation Program. There are 22 laboratories that are accredited to make this type of validation for HSMs.

05:03

The common criteria is ISO standards, the EU stuff. It has the valuation assurance levels, similar to the FIPS 140-2 levels. There are also some other stuff, like protection profiles, security targets. The standard EAL-4 says that all HSMs are methodically

05:28

designed, tested, reviewed, and the best security practices should be used during design and test. I'm not so sure about this. So, let's see the Utimaco HSM.

05:42

These are some models of the Utimaco HSM, the crypto server. These are not that important. So, the specifications. It's a FIPS 140-2 level 3 device. It also fulfills the common criteria. EAL-4 can be used by CAs.

06:06

It has support for many algorithms. It comes in both PCI Express Card and Network HSM. And depending on the license, you can get more transactions per second.

06:21

This license check is a simple check inside the firmware, and you can change it at any time. But you won't have FIPS-validated firmware. But the funny thing is that I can assure you no CA uses FIPS-validated firmware,

06:41

because FIPS is too old, and RSA with 4K bit key is not valid FIPS mode. So, no CA uses FIPS-validated firmware. The hardware, actually, network HSMs are simply

07:00

Linux boxes with PCI Express HSM inside. The PCI Express HSMs, as you can see, this one too, they have a special physical protection layer. There's a battery inside. If you try to bridge this thing over here,

07:25

the contents of the memory are erased. Even when the HSM is powered off, there are sensors that detect changes in temperature, in voltage. This is supposed to be, nope, it is supposed to be tamper-proof.

07:45

Inside the PCI Express HSM, we can find the TMS320-C64X DSP. This is the DSP that performs all cryptographic operations. There's a true random number generator and a crypto-secure pseudo random number generator.

08:05

And we have this key RAM. The key RAM contains a special key called the device key. Actually, this is something like a password manager. Everything is encrypted using this device key, and the device key cannot be extracted,

08:21

cannot be exported, imported. You have no access to this key. If you tamper with the HSM, this device key gets deleted, so you lose everything. There are also the master backup keys, which are, according to the specification,

08:42

256-bit AES keys, or 128-bit triple-desk keys. That's what the specification says, the manuals of the Utimago HSM. Of course, triple-desk does not support 128-bit keys.

09:01

No idea why they wrote all this stuff. These master backup keys are used to encrypt backups of cryptographic keys. They work using an NN-out-of-M scheme, using some recipient sharing, and keys inside the HSM are always encrypted

09:22

with the previous key, the device key, and when you want to export them, they're encrypted using these master backup keys. There are some tools that come together with the HSM. There's a command-line tool to manage both the PCI Express card and the network HSM.

09:42

There are command-line tools for communicating over the PKSS11 API, special API, the CXI API, and there are Java versions of the above tools. And there's also a simulator. It runs its own firmware,

10:01

and as we will see later on, this will be very useful. There are some other stuff like users, permissions. We're not going to see a lot of this. They're not that important. There's a custom communications protocol.

10:21

Network HSM uses exactly the same protocol. There's no public specification. We just know that it's encrypted and uses mesh authentication codes. And now we'll move on to the Utimaco firmware. The firmware is a single blob in a custom format.

10:42

There are both FIPS and non-FIPS versions. So after reversing a lot of things, I figured out that CS7, the tool that comes with the HSM, has an option to unpack these files. So first lesson learned, always read the FANI manual.

11:06

And after unpacking this MPKG, you get a number of MTC files. These are, for example, the MTC files from the latest firmware for the SC series.

11:22

These MTC files are individual firmware modules. Each of them is associated with a specific function. For example, you can see here, this is for administration. This is for implementing the AES encryption and decryption functions. ASN.1 encoding and decoding.

11:44

Everything is in here. So, let's use Bing walk. And we get this. Four copyright strings and one Unix path. Nobody uses a standard format. Okay, let's use Hexdump.

12:03

So if you use Hexdump, you can see over here, there's something that seems like a magic string, MTC header maybe. There's also a description. And later on, you can see two strings. .text and .data. That seem to be names of sections.

12:23

So, maybe it's a modified standard format and that's why Bing walk couldn't find out what it is. Okay, let's reverse the administration tool and see if we can find any info inside. After some hours, we could find these strings.

12:44

So, they should be co-files. Yes, but why didn't Bing walk recognize this? Someone thought it would be nice to add their own stuff inside the standard co-format. Okay, so now what?

13:01

We first identify the length of the section header. We can find the difference between the names of the sections and this would be the length of the section header. We then fit this record to the standard co-section header. The next step is to make exactly the same thing

13:22

but for the co-file header. And finally, we've got a co-file. So, now what? Of course, use IDA. And IDA supports this architecture. We open the file and we get this thing.

13:42

Of course, this is not assembly code. And now we can insert multiple slides with face palms and R2, some Bing utils stuff. Only Texas Instruments had disassembler but it is completely unusable

14:02

and I also found some bugs at their disassembler. Okay, so let's write our own disassembler. To write our own disassembler, you must first study the architecture of the DSP then study the memory organization, study the ABI,

14:21

find some potential frameworks you can use and finally write the actual disassembler. The architecture is a very exotic architecture compared to x86, ARM, MIPS, anything I have seen at least. It's a very long instruction board DSP. It has eight functional units.

14:42

The functional units are something like mini CPUs inside the DSP. Its functional unit has its own assembly instructions. It can execute multiple instructions in parallel at different functional units. It has two data paths with separate register files and the cross path to transfer data

15:02

between those two data paths. This is the block diagram. This is the first data path and this is the second one. Instructions are fixed and they're dispatched to the correct functional unit.

15:22

The four functional units at each data path is the .L functional unit which is an ALU, the .S functional unit, the shifter, there's also a multiplier, another subtractor and the register file with 32 32-bit registers.

15:40

And as we said before, this is the cross path between the two data paths. Eight execution units can execute up to eight commands in parallel. Of course, at any single time, only one command can use the cross path. How are these executed in parallel?

16:02

The DSP fetch is not a single instruction but fetches eight words in a single fetch packet. So this can be scheduled to be executed in different functional units. And you can execute instructions in parallel that belong to two different fetch packets.

16:22

The registers. There are 64 general purpose registers. All functions operate on 8, 16, 32 or 40-bit data, not 64-bit. For 40-bit operations, one register from the even register file is used

16:41

and the corresponding register from the old file is used for the 8-bits. So if you use this register pair, 32-bits are read from A10 and 8-bits from A11. There are also instructions that operate on packed data like SSE, for example.

17:01

And the only instructions that operate on 64-bit are loads and stores that are performed in a single operation. Furthermore, six registers are also conditional registers. All instructions in this DSP take a conditional prefix

17:21

and those instructions are executed only when the corresponding register is either zero or non-zero. There's also the register control file that has control registers like the program counter, interrupt clear register, interrupt set register and a lot of stuff.

17:42

These are some sample instructions. This is the instruction shift right. It will be executed at the .s1 functional unit and it shifts right 81 by 10 and stores the result to A2. This is another instruction that's executed at the same functional unit

18:01

but it uses the cross path. This is the X over here because it needs to transfer from register file B to register file A. These two instructions will be executed in parallel. These two bars over here mean that they will be executed at the same cycle but at different functional units

18:21

and this is an if-then-else in a single cycle that will be executed in a single cycle. If A0 is equal to zero then this command will be executed otherwise this command will be executed and all this is executed in a single cycle but not all instructions are executed at a single cycle.

18:42

There are some multi-cycle instructions that read the sequence at one cycle and write the result at a different one. For example, branches. Branches read the jump target at cycle I and jump to this target at cycle I plus five.

19:01

In the meantime, this register may change its value, everything may happen. There's a table over here, not that important, it specifies the right cycles. So, if you still wonder why no tools are available

19:21

it's a pretty exotic architecture. I mean, it's pretty difficult to make tools for this thing. Let's see the memory organization. We have a 32-bit byte addressable address space. It can be used using two configurations either on-chip memory or off-chip memory. If you use an on-chip memory

19:41

you have two separate spaces, the data space and the program space. If you use an off-chip memory then these are unified via the external memory interface. Some calling conventions. No stack exists, at least as we know it from x86.

20:03

To call a function you need to calculate the return address by adding the program counter to the relative offset of the return address using a special assembly instruction. Then you store this to a register B3

20:22

and you jump the target and finally to return you jump back to B3. If the displacement is larger than a 21-bit word the linker must generate some tremble lines to jump to the final location.

20:41

This is an example of a jump. So we have the branch over here. The target is read at cycle 1, let's say. This is executed at cycle 2. This is executed at cycle 3.

21:00

This one over here is the return address. The relative offset. It adds this to the program counter. It stores it to B3. Then this instruction is executed. The following two instructions are executed in parallel. Finally the fifth instruction is executed and then the branch is taken.

21:24

At the end, this is a return and it returns over here. So this is how you call a function. There are 12 call and save registers. Some special registers, as I said before, B3 keeps the return address.

21:44

You can pass the first 10 arguments in registers. So we know the architecture. We know the memory layout. We know the ABI. Now what? We have some framework choices.

22:03

You could use binutils or LLVM, but this is too much work. You can use R2, which is a potential choice, but I found it much more attractive to implement new architecture at Capstone.

22:21

So, Capstone. Capstone is based on LLVM and it's open source, written in pure C. It has bindings for many program languages, but unfortunately you can't find any documentation on adding a new architecture.

22:40

So how do we start? Okay, let's first clone the project, see how other architectures are implemented, and try to implement our own. How do you implement an architecture? We must write a table send file. The table send file has a description of the architecture

23:00

and it helps generate the register, instructions, sub-target info files, disassembler tables, the assembly writer, using a special LLVM tool. But there's a lot of stuff that we need to implement too. So, let's first generate this file and we'll see about the rest.

23:23

The table send file format. It's a file containing targets, sub-targets, processors, the instruction set, registers, calling conventions. But in our case, we won't need the calling conventions. After all, we're just generating disassembler. We won't do any compilation.

23:42

We don't need the instruction selection pattern. LLVM needs this to convert from the IR to the final assembly and we won't need the many flags. What we will need is the description of the registers and description of the instructions with the hardware encoding,

24:02

the input-output registers, the operands, and the assembly string. Let's see how we can define the register. We first define a register class, TMS-320c-64x-reg. That is a sub-class of the standard register class.

24:20

We specify the hardware encoding and we define instances of this class, which are the actual registers. So, this is pretty simple. Let's see how we will define instructions. We first have to define all operands, then instruction classes, multi-classes, and finally we will define the instructions.

24:45

How do we define an operand? We always make an instance of this class, the operand class, and we have to define a decoder method, an encoder method, and the print method.

25:00

What these methods do is the decoder takes the hardware encoded bits and converts it to an internal LLVM representation. The print method takes this internal LLVM representation and converts it to a string.

25:22

The encoder is the inverse of the decoder. Now, let's see how we define instruction classes. We make sub-classes from the instruction class and we first make the superclass common for all instructions.

25:43

We define the condition, if the register is zero or not, decide if the instruction is executed in parallel with the rest of the instructions. We must define the output operands, the input operands over here. All these are considered operands

26:00

because there's no other way to describe them as inputs to the decoder. And we specify at which bits every operand can be found, the size of the instruction, and these are some standard stuff.

26:22

Then we define some sub-classes for every type of instruction. For example, the first type of instructions, the functional units, have this format. They have two source operands, one destination operand, and the value of the operation.

26:43

The source operands are stored at these fields. The destination operand is stored over there, the operation is stored at these bits, and this is a constant. This is another example. It has also the cross path.

27:02

It's for some instructions that use the cross path like add and end. Instruction multi-classes are actually something like templates. You define an instruction multi-class when you have two or more instructions that are similar.

27:25

In this example, you have two instructions that are similar, but the only difference is that this one has general purpose register as the first source operand, and this has a five-bit unsigned constant.

27:41

And finally, we define instructions. As you can see over here, this is the instruction selection pattern, which is empty because we can't assemble. We have the string, the operands, this is the operation, and this defines this instruction. So we must take the data sheet and implement this thing for all instructions for all functional units.

28:10

So we've done this. Are we done? Not even close. We need to implement all the code for encoding, decoding, printing operands.

28:20

We need to implement instruction mappings. We need to add a lot of supporting code. And we need at least the Python bindings. Okay. We start working on this, and after some hours, not some hours, some days, I found some problems.

28:43

First problem was that the converter was not the standard LLVM one, but a different version that produces C code instead of C++. LLVM is written in C++, Capstone is written in C. So I had to convert the converter.

29:02

Decoding of all fields must be done manually. We have the documentation. We can do it. Instructions with PC-relative addressing must be handled specially. It's pretty difficult. You must keep always the program counter, make the calculations correctly.

29:22

While I was coding support for this architecture, I found several bugs at other architectures that didn't implement PC-relative addressing correctly. Another problem are the branches. Branches must be handled with care

29:40

because they're not relative to the current instruction, but they're relative to the first instruction in the fetch packet. So you must get the program counter, find the fetch packet, find the first instruction of the fetch packet, and then calculate the target address. Another problem is the parallel bit.

30:04

As you saw before in the assembly, we put two bars so that this instruction will be executed in parallel with the previous one. But this is not encoded in the current instruction, but it's encoded at the previous instruction. So it's pretty difficult due to the way Capstone and LLVM works.

30:24

It had to be done using some post-processing. After completing all this, we had a disassembler we could use. So what can we do now? We can disassemble everything, but we have no symbols.

30:41

And we have thousands of lines of this strange assembly code that you can't even calculate when it jumps to another location. Where will it return? It's awful. Okay, so let's check the simulator firmware. We use exactly the same tools to extract the internal binary,

31:03

and this time it's a DLL. So we've got symbols. What can we do? We correlate string references in both frameworks. The same strings should be referenced by the same functions. This is pretty easy to complete.

31:21

Then we check out branches. The same functions should branch to the same functions. The rest will be fixed by hand, and we can read the code and profit. So can we actually profit? We said that these products are methodically tested.

31:42

The best security practices are used during design, so bugs should not exist, right? So at least simple, easy to identify bugs, bugs should be eliminated. Let's see an example. This is a function that is used to extract the MBK databases in general.

32:07

The MBK cannot be extracted according to the documentation. This is a security check. First two bold instructions load the address of this string,

32:21

VMBK1, to register A5. 1 is subtracted, it's loaded to A4. B4 holds a pointer to the database, the string that's the name of the database that we're going to load. And all this is a part of mem compare,

32:43

not the full mem compare. So what this does, it checks if the string starts with VMBK1, MBK, or session nodes. These are some sensitive databases that you can't extract. If the tests pass,

33:03

the common open function is used to open the database. After reversing this function, I found that the first argument of this function is the name of the database, for example, cxi-key.db,

33:21

which can be prefixed with the location. This database, cxi-key.db, exists inside the flash, so we can use flash, backslash, cxi-key.db to extract this database. So what if we extract flash, backslash, vmbk1.db?

33:47

Sometimes one face palm is not enough. You can extract it at any time. What about other bugs? Okay, all the code has the same quality,

34:02

and I'm absolutely sure that there are more logical errors. I'm 100% sure. And I haven't searched for buffer overflows yet. I have some strong evidence that buffer overflows exist. Something that's very interesting is the disclosure timeline.

34:25

I first tried to contact Tumaco at the 10th of March, 2016. I just wanted their PGP keys or a certificate because I couldn't find them anywhere at their website.

34:40

After two months, I finally got the PGP keys. It's two months. Next day, I send them the details, and after one month, I receive the first official answer. After four months, I got access to a network HSM with the updated firmware. So I first tried to contact them at March,

35:05

and they fixed it at October. And the final step over here.

35:24

So should be... And you can start cloning.

35:49

So any questions? Okay, do you need the mic, maybe?

36:06

I'm only curious. How did you debug this stuff? How? Did you debug this stuff? So I have access to Tumaco HSM, and I didn't debug this.

36:22

I mean, I just read the code and started trying all this stuff at the real HSM. Because for me, from my point of view, it seems a very nasty architecture. I mean, the parallel unit. For what? I mean, to call a function,

36:43

like how many instructions? Six, seven, I counted, or something like that. And I'm still thinking about how they are able to debug or whatever. So that is why no tools exist. Let me find this light.

37:12

That's why no tools exist. This is the jump, as you said. You have code that's like this, and this is a simple jump.

37:21

If you try to check out a recursive loop or something like this, no way you can find out what's going on inside. Yeah, exactly. And why? That is my question. Why they did all this kind of stuff for only a jump? Ask Texas Instruments.

37:41

Don't ask me. Okay, thanks. Very cool presentation. Yeah, I can comment on this question, actually. The thing is that it's a DSP. It's digital signal processor. It's supposed to work like that. Its main purpose is not to execute code, like functional code. It's just to process data.

38:01

So it's optimized for loops, for processing arrays of data, and that's why it has long delay slots and stuff like that. It's optimized for processing big arrays of data. That's why it's like that. Yeah, and now my real question. I'm just wondering, when you saw this picture in IDA, why you didn't email hex-ray support?

38:22

Because otherwise we would have a boring talk? Well, why not implement Capstone, which is open source? Okay, so you wanted to have some fun? Yeah, maybe this is why I did it. I don't know. I mean, Capstone seemed nice.

38:44

Okay, thank you. Hi, thank you very much. That was great.

39:01

DSP320 very often comes with two cores, one being the DSP itself, and the other one can be an ARM, like in DaVinci series. Did you notice some kind of other update that suggests that a side more application-centric processor could be on the same die?

39:21

As far as I know, this HSM comes only with this DSP. Just this. It doesn't have an ARM core or anything else.

39:42

Anyone else? Oh, okay. Hi, just a quick question. Did you manage to find...

40:03

Did you run some plug-in that could allow you to find presence of keys or to notice how keys are stored inside the HSM? Because that's the... Well, the things that should be protected. Did they use some...?

40:21

Okay, can we discuss this afterwards? Yeah, very happily. Thank you. So, no more questions?

40:43

Okay, thank you.