From Web PKI and digital signatures to PCI-DSS and DNSSEC, a big part of
the security industry currently depends on special cryptographic modules
to implement cryptography, the so called Hardware Security Modules
(HSMs). Every certificate used in the web has been signed by a key
stored inside an HSM, and every time a DNSSEC query is being validated,
the root keys generated by such an HSM are being used.In this presentation, the security of such a device, the Utimaco
SecurityServer, will be evaluated. Inside the device, a Texas
Instruments TMS320C64x DSP can be found which performs all operations.
The TMS320C64x DSP is an exotic architecture compared to the classic
x86, x86_64, ARM, MIPS and other common architectures, due to its unique
features, such as the multiple functional units, each having its own
assembly commands and the ability to execute multiple commands in
parallel. This architecture, together with the ABI and a small
introduction to the memory organization will be presented. The research
will then mostly focus on the device’s firmware. Due to the inability
of IDA pro to correctly disassemble the files, and the minimal number of
tools for this architecture, the capstone disassembler has been extended
and the TMS320C64x architecture has been added. Finally, a vulnerability
to the HSM’s firmware will be presented, together with the methodology
that was used in order to find the bug.