Vulnerabilities in HSM modules that can lead to attacks on encryption keys

A group of researchers from Ledger, a company that makes hardware wallets for cryptocurrency, has identified several vulnerabilities in HSM (Hardware Security Module) devices that can be used to extract keys or to carry out a remote attack that replaces the firmware of the HSM device. The report on the problem is currently available only in French; an English-language report is planned for publication in August during the Blackhat USA 2019 conference. An HSM is a specialized external device designed to store the public and private keys used to generate digital signatures and to encrypt data.

An HSM significantly increases security because it completely isolates keys from the system and from applications, exposing only an API for executing basic cryptographic primitives that are implemented on the device side. HSMs are typically used where the highest level of protection is required, such as in banks, cryptocurrency exchanges, and certificate authorities, for verifying and generating certificates and digital signatures.

The proposed attack methods allow an unauthenticated user to gain full control over the contents of the HSM, including extracting all cryptographic keys and administrator credentials stored on the device. The problems are caused by a buffer overflow in the internal PKCS#11 command handler and by an error in the implementation of the cryptographic protection of firmware, which makes it possible to bypass firmware verification by PKCS#1v1.5 digital signature and to load one's own firmware into the HSM.

As a demonstration, modified firmware was loaded with an added backdoor that remains active after subsequent installations of standard firmware updates from the manufacturer. It is claimed that the attack can be carried out remotely (the attack method is not specified, but it probably means replacing the firmware being loaded or submitting specially crafted certificates for processing).

The problem was identified during fuzz testing of the internal implementation of PKCS#11 commands offered in the HSM. Testing was organized by loading the researchers' own module into the HSM using the standard SDK. As a result, a buffer overflow was found in the PKCS#11 implementation, which turned out to be exploitable not only from the HSM's internal environment, but also by accessing the PKCS#11 driver from the main operating system of the computer to which the HSM module is connected.

Next, the buffer overflow was exploited to execute code on the HSM side and to override access parameters. While studying the internals, another vulnerability was identified that allows new firmware to be loaded without a digital signature. Finally, a custom module was written and loaded into the HSM, which dumps all the secrets stored in the HSM.

The name of the manufacturer whose HSM devices contain the vulnerabilities has not yet been disclosed, but it is claimed that the affected devices are used by some large banks and cloud service providers. It is reported that information about the problems was sent to the manufacturer earlier and that it has already fixed the vulnerabilities in a recent firmware update. Independent researchers suggest that the problem may be in devices from Gemalto, which in May released a Sentinel LDK update that fixes vulnerabilities, access to information about which is still closed.

Source: opennet.ru