
Time’s a Thief of Memory

Breaking Multi-tenant Isolation in TrustZones Through Timing Based Bidirectional Covert Channels

Conference paper, published in Smart Card Research and Advanced Applications (CARDIS 2022)

Abstract

ARM TrustZone is a system-on-chip security solution that provides hardware guarantees to isolate untrusted applications running in the normal world from sensitive computation and data, which are placed in the secure world. In a multi-tenant scenario, such isolation is paramount to protect tenants from each other and is guaranteed by partitioning resources (memory, peripherals, etc.) between the tenants. Several third-party defence mechanisms add to this isolation through techniques like statically whitelisting communication channels. Consequently, two tenants cannot communicate with each other except through two legitimate channels: (1) shared memory and (2) legitimate API calls. However, we show that seemingly simple covert channels can be created to break this isolation and establish a third, illegitimate channel. We use simple thread counters and TrustZone configurations to demonstrate a break in TrustZone’s isolation through a non-root, cross-core, cross-user, bidirectional (secure to normal world and vice versa), cross-world covert channel on the OP-TEE implementation on ARM TrustZone that, by design, places no limit on channel capacity. Our channel bypasses the established defence mechanisms in ARM TrustZone (which mainly target cache occupancy measurements and performance monitoring units), achieves a maximum bandwidth of 130 KBps with a 2.5% error rate, and allows arbitrary code execution in the secure world, leading to denial-of-service attacks.


Notes

  1. The current ARM version used in a majority of processors is ARMv8.

  2. BusyBox is a software suite providing Unix utilities in a single executable file.

  3. We demonstrate a practical denial of service, leading to a system stall, in Sect. 6.

  4. This is a legitimate syscall that a non-privileged TA can use to access the REE clock.

  5. https://github.com/teesec-research/optee_examples.


Acknowledgements

The work is partially supported by the project entitled ‘Development of Secured Hardware And Automotive Systems’ from the iHub-NTIHAC Foundation, IIT Kanpur. The authors would also like to thank MeitY, India for the grant for ‘Centre on Hardware Security - Hardware Security Entrepreneurship Research and Development (HERD)’.

Corresponding author

Correspondence to Nimish Mishra .


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Mishra, N., Chakraborty, A., Chatterjee, U., Mukhopadhyay, D. (2023). Time’s a Thief of Memory. In: Buhan, I., Schneider, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2022. Lecture Notes in Computer Science, vol 13820. Springer, Cham. https://doi.org/10.1007/978-3-031-25319-5_1

  • DOI: https://doi.org/10.1007/978-3-031-25319-5_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25318-8

  • Online ISBN: 978-3-031-25319-5
