DOI: 10.1145/3338508.3359568
Research article

Breaking TrustZone Memory Isolation through Malicious Hardware on a Modern FPGA-SoC

Published: 15 November 2019

ABSTRACT

FPGA-SoCs are heterogeneous computing systems that combine reconfigurable hardware with high-performance processing units. This combination enables a flexible design methodology for embedded systems. However, the sharing of resources between the two parts opens the door to attacks from one part on the other. This work considers Direct Memory Access (DMA) attacks launched from a malicious hardware block inside the reconfigurable logic against the CPU. Previous work has shown similar attacks on FPGA-SoCs that have no memory isolation between the FPGA and the CPU. Our work studies the same idea on a system based on the Xilinx Zynq UltraScale+ architecture. This platform contains memory isolation mechanisms such as a system memory management unit (SMMU) and memory protection units (XMPU/XPPU), and it supports ARM TrustZone technology. Despite these protection mechanisms, the two attacks presented in this work show that a malicious hardware block can still interfere with a security-critical task executed on the CPU inside ARM TrustZone.
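The isolation mechanisms named in the abstract all decide, per bus transaction, whether a master in the programmable logic (PL) may touch a given physical address. The Python model below is an added illustration of how such a region- and master-ID-based check is typically structured, and of the configurations under which it does and does not shield TrustZone memory from a PL master. It is not code from the paper, it is not Xilinx's actual register interface, and it does not reproduce the paper's two attacks. The master IDs, region encoding and address range are assumed values, and the third scenario assumes the protection unit honours whatever security attribute the PL master itself presents, which is platform-specific behaviour that this page does not establish.

```python
"""Simplified model of the checks that stand between an AXI master in the
programmable logic (PL) and DDR on a Zynq UltraScale+-class SoC.

Added illustration for this abstract; it is not code from the paper and not
Xilinx's register layout. Master-ID values, region encodings and addresses
below are assumptions. Only the general semantics are real:
  * every AXI transaction carries a security attribute (AxPROT[1]: 0 = secure,
    1 = non-secure) that TrustZone-aware slaves and protection units check;
  * an XMPU-style memory protection unit holds a table of address regions,
    each bound to a master ID through an id/mask pair and carrying read,
    write and secure-only permissions; the first region whose address range
    AND master ID both match decides, and a transaction matching no region
    gets the unit's default policy.
"""
from dataclasses import dataclass

SECURE, NON_SECURE = 0, 1


@dataclass(frozen=True)
class Transaction:
    master_id: int   # AXI ID of the issuing master (assumed encoding)
    addr: int        # physical address
    write: bool
    prot_ns: int     # AxPROT[1]: SECURE or NON_SECURE


@dataclass(frozen=True)
class Region:
    start: int
    end: int           # exclusive
    master_id: int
    master_mask: int   # which bits of the transaction's ID must equal master_id
    allow_read: bool
    allow_write: bool
    secure_only: bool  # reject NON_SECURE transactions that hit this region


class ProtectionUnit:
    """XMPU-style region table with a default policy for unmatched accesses."""

    def __init__(self, regions, default_allow):
        self.regions = list(regions)      # priority order, first match wins
        self.default_allow = default_allow

    def check(self, t):
        for r in self.regions:
            in_range = r.start <= t.addr < r.end
            id_match = (t.master_id & r.master_mask) == (r.master_id & r.master_mask)
            if in_range and id_match:
                if r.secure_only and t.prot_ns == NON_SECURE:
                    return False
                return r.allow_write if t.write else r.allow_read
        return self.default_allow


# Assumed identifiers and carve-out; not the real Zynq UltraScale+ values.
APU_ID = 0x80                                   # application processors (run the TEE)
PL_ID = 0x40                                    # a master in the reconfigurable logic
TEE_START, TEE_END = 0x7000_0000, 0x7100_0000   # secure-world memory


def pl_dma_read(unit, addr, prot_ns=NON_SECURE):
    return unit.check(Transaction(PL_ID, addr, False, prot_ns))


def apu_secure_read(unit, addr):
    return unit.check(Transaction(APU_ID, addr, False, SECURE))


def scenario_locked_down():
    """TEE memory bound to the APU master ID, everything else denied."""
    unit = ProtectionUnit(
        [Region(TEE_START, TEE_END, APU_ID, 0xFF, True, True, True)],
        default_allow=False)
    return (pl_dma_read(unit, TEE_START + 0x100),
            apu_secure_read(unit, TEE_START + 0x100))


def scenario_unconfigured():
    """Empty region table with a permissive default: TrustZone on the CPU
    side gives no protection against a bus master the unit never filters."""
    unit = ProtectionUnit([], default_allow=True)
    return pl_dma_read(unit, TEE_START + 0x100)


def scenario_security_bit_only():
    """Region open to any master (mask 0) and gated only by the secure bit.
    In this model the PL master chooses the AxPROT value it presents, so a
    secure-tagged read passes (assumption: the unit honours that value)."""
    unit = ProtectionUnit(
        [Region(TEE_START, TEE_END, 0, 0x00, True, True, True)],
        default_allow=False)
    return (pl_dma_read(unit, TEE_START + 0x100, NON_SECURE),
            pl_dma_read(unit, TEE_START + 0x100, SECURE))


if __name__ == "__main__":
    print("locked down (PL, APU):  ", scenario_locked_down())
    print("unconfigured PL read:   ", scenario_unconfigured())
    print("secure bit only (NS, S):", scenario_security_bit_only())
```

The point of the three scenarios is that only the first one, which binds the region to the CPU's master ID and denies by default, actually excludes a PL master; a permissive default, or a check that relies on the transaction's security bit alone, leaves secure-world memory reachable from the fabric. On a real device the region, master-ID and default-policy registers must be taken from the Zynq UltraScale+ Technical Reference Manual (UG1085) and the isolation application note (XAPP1320), not from this model.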


Published in

ASHES'19: Proceedings of the 3rd ACM Workshop on Attacks and Solutions in Hardware Security Workshop
November 2019
114 pages
ISBN: 9781450368391
DOI: 10.1145/3338508

        Copyright © 2019 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States



Acceptance rate

Overall acceptance rate: 6 of 20 submissions, 30%
