ABSTRACT
FPGA-SoCs are heterogeneous computing systems consisting of reconfigurable hardware and high-performance processing units. This combination enables a flexible design methodology for embedded systems. However, the sharing of resources between these heterogeneous components opens the door to attacks from one component on the other. This work considers Direct Memory Access (DMA) attacks mounted from a malicious hardware block inside the reconfigurable logic against the CPU. Previous work has shown similar attacks on FPGA-SoCs that provide no memory isolation between the FPGA and the CPU. Our work studies the same idea on a system based on the Xilinx Zynq Ultrascale+ architecture. This platform contains memory isolation mechanisms such as a system memory management unit (SMMU) and memory protection units, and it supports ARM TrustZone technology. Despite the existence of these protection mechanisms, the two attacks presented in this work show that a malicious hardware block can still interfere with a security-critical task executed on the CPU inside ARM TrustZone.