Abstract
ARM TrustZone is a system-on-chip security solution that provides hardware guarantees to isolate the untrusted applications running in the normal world from sensitive computation and data by placing the latter in the secure world. In a multi-tenant scenario, such isolation is paramount to protect tenants from each other and is enforced by partitioning resources (memory, peripherals, etc.) between the tenants. Several third-party defence mechanisms add to this isolation through techniques like statically whitelisting communication channels. Consequently, two tenants cannot communicate with each other except through two legitimate channels: (1) shared memory and (2) legitimate API calls. However, we show that seemingly simple covert channels can be created to break this isolation and create a third, illegitimate channel. We use simple thread counters and TrustZone configurations to demonstrate a break in TrustZone's isolation through a non-root, cross-core, cross-user, bidirectional (secure to normal world and vice versa), cross-world covert channel on the OP-TEE implementation of ARM TrustZone that, by design, places no limit on channel capacity. Our channel bypasses the established defence mechanisms in ARM TrustZone (which mainly target cache occupancy measurements and performance monitoring units), achieves a maximum bandwidth of 130 KBps with a 2.5% error rate, and allows arbitrary code execution in the secure world leading to denial-of-service attacks.
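As an added illustration (not code from the paper, nor from OP-TEE), the C program below sketches the two pieces the abstract names: a thread counter used as a clock by a receiver that has no privileged fine-grained timer, and a threshold decoder that is calibrated from a known preamble before the payload is read. It runs in one normal-world user process with two pthreads, so it does not cross the TrustZone world boundary; the buffer size, bit period, preamble length and the "walk the buffer" contention source are all assumptions, and how cleanly a live run separates 0s from 1s depends on the machine and on where the scheduler places the three threads. The calibration, decoding and error-rate functions are deterministic and are the part a practitioner would reuse.

```c
/* Added illustration, not the paper's code. Constants are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define BUF_BYTES  (8u << 20)    /* buffer both sides walk, 8 MiB (assumption) */
#define BIT_NS     2000000L      /* 2 ms per transmitted bit (assumption) */
#define PREAMBLE   8             /* known 0/1 bits used for calibration */

static atomic_uint_fast64_t ticks;   /* the "thread counter" clock */
static atomic_int stop_flag;
static volatile uint8_t *shared_buf;

/* Counter thread: a free-running software clock. A reader without a
   hardware timer can still measure durations as tick deltas. */
static void *counter_thread(void *arg) {
    (void)arg;
    while (!atomic_load_explicit(&stop_flag, memory_order_relaxed))
        atomic_fetch_add_explicit(&ticks, 1, memory_order_relaxed);
    return NULL;
}

static long now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000000000L + ts.tv_nsec;
}

/* Sender: per bit period, a 1 means "hammer the buffer", a 0 means
   "stay idle"; the receiver's probe cost in ticks changes accordingly. */
struct msg { const uint8_t *bits; size_t n; long t0; };
static void *sender_thread(void *arg) {
    struct msg *m = arg;
    for (size_t i = 0; i < m->n; i++) {
        long end = m->t0 + (long)(i + 1) * BIT_NS;
        while (now_ns() < end) {
            if (m->bits[i]) {
                for (size_t j = 0; j < BUF_BYTES; j += 64) shared_buf[j]++;
            } else {
                struct timespec ts = {0, 100000};   /* idle in 100 us naps */
                nanosleep(&ts, NULL);
            }
        }
    }
    return NULL;
}

/* Receiver probe: ticks consumed while walking the buffer once. */
static uint64_t probe_once(void) {
    uint64_t start = atomic_load(&ticks);
    volatile uint8_t sink = 0;
    for (size_t j = 0; j < BUF_BYTES; j += 64) sink += shared_buf[j];
    return atomic_load(&ticks) - start;
}

/* Threshold at the midpoint of the mean probe cost for known-0 and known-1
   preamble bits. Polarity is learned too: whether a 1 raises or lowers the
   tick count depends on which resource the probe really contends on. */
struct calib { double threshold; int one_is_high; };
static struct calib calibrate(const uint64_t *s, const uint8_t *bits, size_t n) {
    double sum[2] = {0, 0}; size_t cnt[2] = {0, 0};
    for (size_t i = 0; i < n; i++) { sum[bits[i] & 1] += (double)s[i]; cnt[bits[i] & 1]++; }
    double m0 = cnt[0] ? sum[0] / (double)cnt[0] : 0, m1 = cnt[1] ? sum[1] / (double)cnt[1] : 0;
    return (struct calib){ (m0 + m1) / 2.0, m1 > m0 };
}

/* Decode n samples into bits (written to out if non-NULL) and also return
   them packed MSB-first, so a short message compares as one word. */
static uint64_t decode_bits(const uint64_t *s, size_t n, struct calib c, uint8_t *out) {
    uint64_t word = 0;
    for (size_t i = 0; i < n; i++) {
        int high = (double)s[i] > c.threshold;
        uint8_t bit = (uint8_t)(c.one_is_high ? high : !high);
        if (out) out[i] = bit;
        word = (word << 1) | bit;
    }
    return word;
}

static double bit_error_rate(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t err = 0;
    for (size_t i = 0; i < n; i++) err += a[i] != b[i];
    return n ? (double)err / (double)n : 0.0;
}

int main(void) {
    enum { PAYLOAD = 16, TOTAL = PREAMBLE + PAYLOAD };
    uint8_t sent[TOTAL], got[PAYLOAD];
    uint64_t samples[TOTAL];
    for (int i = 0; i < PREAMBLE; i++) sent[i] = (uint8_t)(i & 1);            /* 0101... */
    for (int i = 0; i < PAYLOAD; i++) sent[PREAMBLE + i] = (uint8_t)((0xA5C3 >> (PAYLOAD - 1 - i)) & 1);
    shared_buf = calloc(BUF_BYTES, 1);
    pthread_t ct, st;
    pthread_create(&ct, NULL, counter_thread, NULL);
    struct msg m = { sent, TOTAL, now_ns() + 10 * BIT_NS };
    pthread_create(&st, NULL, sender_thread, &m);
    for (int i = 0; i < TOTAL; i++) {                  /* one probe per bit period */
        long at = m.t0 + (long)i * BIT_NS + BIT_NS / 4;
        while (now_ns() < at) { }
        samples[i] = probe_once();
    }
    pthread_join(st, NULL);
    atomic_store(&stop_flag, 1);
    pthread_join(ct, NULL);
    struct calib c = calibrate(samples, sent, PREAMBLE);
    uint64_t word = decode_bits(samples + PREAMBLE, PAYLOAD, c, got);
    printf("threshold %.0f ticks, one_is_high=%d, received 0x%04llx, BER %.3f\n",
           c.threshold, c.one_is_high, (unsigned long long)word,
           bit_error_rate(sent + PREAMBLE, got, PAYLOAD));
    free((void *)shared_buf);
    return 0;
}
```

Build with `cc -pthread covert_counter.c` (file name assumed). Learning the polarity during calibration is not cosmetic: if the sender lands on the counter thread's core it starves the counter and a 1 shows up as fewer ticks per probe, whereas contention on a shared memory path lengthens the probe and a 1 shows up as more ticks, so a decoder that hard-codes one sign silently inverts every bit on the other placement.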
Notes
1. The current ARM version used in a majority of processors is ARMv8.
2. BusyBox is a software suite providing Unix utilities in a single executable file.
3. We demonstrate a practical denial of service, leading to a system stall, in Sect. 6.
4. This is a legitimate syscall that a non-privileged TA can use to access the REE clock.
5.
Acknowledgements
The work is partially supported by the project entitled ‘Development of Secured Hardware And Automotive Systems’ from the iHub-NTIHAC Foundation, IIT Kanpur. The authors would also like to thank MeitY, India for the grant for ‘Centre on Hardware Security - Hardware Security Entrepreneurship Research and Development (HERD)’.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Mishra, N., Chakraborty, A., Chatterjee, U., Mukhopadhyay, D. (2023). Time’s a Thief of Memory. In: Buhan, I., Schneider, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2022. Lecture Notes in Computer Science, vol 13820. Springer, Cham. https://doi.org/10.1007/978-3-031-25319-5_1
DOI: https://doi.org/10.1007/978-3-031-25319-5_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25318-8
Online ISBN: 978-3-031-25319-5
eBook Packages: Computer Science (R0)