Hardware Security Module - Executing Unsigned Code in HSM TEE

Presented at Black Hat Europe 2021, Nov. 11, 2021, 1:30 p.m. (40 minutes)

Trusted Execution Environment, or TEE, defines an isolation between trusted and untrusted environment. In terms of TEE environment executing the code, the protected area is guaranteed to execute only authenticated code and reject any instructions which are not exclusively provided by a legitimate authority. Furthermore, TEE should protect assets' confidentiality and integrity. To ensure these security requirements, cryptographic measures are applied. These are enclosed in a scheme, for instance - a digital signature scheme. The security level of the system built on top of TEE is reduced to the strength of used primitives and chosen scheme. Even if primitives were proven to be unbreakable within a reasonable time, adversaries may discover vulnerabilities in the implementations, scheme itself or mount an attack against a private key which is used to prove legitimacy to a given code or data. As it occurs, the underlying technology used for embedding a proof or evidence of authority (i.e. signature), may bring surprising functionalities, which at the end may be overlooked by TEE designers and lead to security breaches.

In this session, we will introduce a novel attack against verification code of digital signature scheme provided by Gemalto (ex. SafeNet) company in their Hardware Security Module - LunaSP. By abusing it, we are able to execute arbitrary, unsigned code within the LunaSP HSM protected application layer. Due to the nature of the issue, we think that similar attacks could be propagated to other systems as well.


Presenters:

  • Przemyslaw Duda - Security Researcher, Intel
    Przemyslaw Duda is a Security Researcher, working on Intel technologies since 2014. He received a M.S. degree in Microelectronics from Gdansk University of Technology. Currently, his focus is on server platform security.

Links:

Similar Presentations: