Nailgun: Breaking the Privilege Isolation on ARM

Zhenyu Ning

COMPASS Lab Wayne State University

Sep 23, 2019

Nailgun: Breaking the Privilege Isolation on ARM 1 Outline

I Background

I Introduction

I Obstacles for Misusing the Traditional Debugging

I Nailgun Attack

I Mitigations

I Conclusion

Nailgun: Breaking the Privilege Isolation on ARM 2 Outline

I Background

I Introduction

I Obstacles for Misusing the Traditional Debugging

I Nailgun Attack

I Mitigations

I Conclusion

Nailgun: Breaking the Privilege Isolation on ARM 3 Background

Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM 4 Background

Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM 5 Background

Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM 6 ARM

What is ARM?

I In Dictionary: Hands, or weapons.

I Company: ARM was a British semiconductor company, now owned by SoftBank.

I Architecture: ARM is a processor architecture designed by ARM company.

Nailgun: Breaking the Privilege Isolation on ARM 7 ARM

What is ARM?

I In Dictionary: Hands, or weapons.

I Company: ARM was a British semiconductor company, now owned by SoftBank.

I Architecture: ARM is a processor architecture designed by ARM company.

Nailgun: Breaking the Privilege Isolation on ARM 8 ARM

What is ARM?

I In Dictionary: Hands, or weapons.

I Company: ARM was a British semiconductor company, now owned by SoftBank.

I Architecture: ARM is a processor architecture designed by ARM company.

Nailgun: Breaking the Privilege Isolation on ARM 9 ARM

What is ARM?

I In Dictionary: Hands, or weapons.

I Company: ARM was a British semiconductor company, now owned by SoftBank.

I Architecture: ARM is a processor architecture designed by ARM company.

Nailgun: Breaking the Privilege Isolation on ARM 10 ARM

What is ARM?

I In Dictionary: Hands, or weapons.

I Company: ARM was a British semiconductor company, now owned by SoftBank.

I Architecture: ARM is a processor architecture designed by ARM company.

Nailgun: Breaking the Privilege Isolation on ARM 11 Background

Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM 12 Privilege Isolation

What is Privilege Isolation?

I Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.

I Isolation In Dictionary: The process or fact of isolating or being isolated.

I In Company:CEOisabletoviewalltheclassifieddocs,but coders can not.

Nailgun: Breaking the Privilege Isolation on ARM 13 Privilege Isolation

What is Privilege Isolation?

I Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.

I Isolation In Dictionary: The process or fact of isolating or being isolated.

I In Company:CEOisabletoviewalltheclassifieddocs,but coders can not.

Nailgun: Breaking the Privilege Isolation on ARM 14 Privilege Isolation

What is Privilege Isolation?

I Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.

I Isolation In Dictionary: The process or fact of isolating or being isolated.

I In Company:CEOisabletoviewalltheclassifieddocs,but coders can not.

Nailgun: Breaking the Privilege Isolation on ARM 15 Privilege Isolation

What is Privilege Isolation?

I Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.

I Isolation In Dictionary: The process or fact of isolating or being isolated.

I In Company:CEOisabletoviewalltheclassifieddocs,but coders can not.

Nailgun: Breaking the Privilege Isolation on ARM 16 Privilege Isolation

Exception Levels in ARM:

I Exception: is used to divert the normal execution control flow, to allow the processor to handle internal or external events.

I Exception Levels:areusedtospecifydi↵erent privileges in ARM processor.

Nailgun: Breaking the Privilege Isolation on ARM 17 Privilege Isolation

Normal Mode Secure Mode

Gatekeeper Secure EL3

Normal EL2 Hypervisors

Normal EL1 OS kernel Secure EL1

Normal EL0 User-level apps Secure EL0

Nailgun: Breaking the Privilege Isolation on ARM 18 Privilege Isolation

Normal Mode Secure Mode

Gatekeeper Secure EL3

Normal EL2 Hypervisors

Normal EL1 OS kernel Secure EL1

Normal EL0 User-level apps Secure EL0

Nailgun: Breaking the Privilege Isolation on ARM 19 Privilege Isolation

Normal Mode Secure Mode

Gatekeeper Secure EL3

Normal EL2 Hypervisors

Normal EL1 OS kernel Secure EL1

Normal EL0 User-level apps Secure EL0

Nailgun: Breaking the Privilege Isolation on ARM 20 Privilege Isolation

Normal Mode Secure Mode

Gatekeeper Secure EL3

Normal EL2 Hypervisors

Normal EL1 OS kernel Secure EL1

Normal EL0 User-level apps Secure EL0

Nailgun: Breaking the Privilege Isolation on ARM 21 Privilege Isolation

Normal Mode Secure Mode

Gatekeeper Secure EL3

Normal EL2 Hypervisors

Normal EL1 OS kernel Secure EL1

Normal EL0 User-level apps Secure EL0

Nailgun: Breaking the Privilege Isolation on ARM 22 Privilege Isolation

Normal Mode Secure Mode

Gatekeeper Secure EL3

Normal EL2 Hypervisors

Normal EL1 OS kernel Secure EL1

Normal EL0 User-level apps Secure EL0

Nailgun: Breaking the Privilege Isolation on ARM 23 Privilege Isolation

Normal Mode Secure Mode

Gatekeeper Secure EL3

Normal EL2 Hypervisors

Normal EL1 OS kernel Secure EL1

Normal EL0 User-level apps Secure EL0

Nailgun: Breaking the Privilege Isolation on ARM 24 Background

Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM 25 Background

Breaking the Privilege Isolation on ARM

Figure source: https://www.123rf.com/

Nailgun: Breaking the Privilege Isolation on ARM 26 Outline

I Background

I Introduction

I Obstacles for Misusing the Traditional Debugging

I Nailgun Attack

I Mitigations

I Conclusion

Nailgun: Breaking the Privilege Isolation on ARM 27 Introduction

Modern processors are equipped with hardware-based debugging features to facilitate on-chip debugging process. - E.g., hardware breakpoints and hardware-based trace.

- It normally requires cable connection (e.g., JTAG [1]) to make use of these features.

Nailgun: Breaking the Privilege Isolation on ARM 28 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST) Security?

Nailgun: Breaking the Privilege Isolation on ARM 29 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST) Security?

Nailgun: Breaking the Privilege Isolation on ARM 30 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST) Security?

Nailgun: Breaking the Privilege Isolation on ARM 31 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST) Security?

Nailgun: Breaking the Privilege Isolation on ARM 32 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST) Security?

Nailgun: Breaking the Privilege Isolation on ARM 33 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST) Security?

Nailgun: Breaking the Privilege Isolation on ARM 34 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST) Security?

Nailgun: Breaking the Privilege Isolation on ARM 35 Introduction

Security? We have obstacles for attackers!

I Obstacle 1:Physicalaccess.

I Obstacle 2: Debug authentication mechanism.

Do these obstacles work?

Nailgun: Breaking the Privilege Isolation on ARM 36 Introduction

Security? We have obstacles for attackers!

I Obstacle 1:Physicalaccess.

I Obstacle 2: Debug authentication mechanism.

Do these obstacles work?

Nailgun: Breaking the Privilege Isolation on ARM 37 Outline

I Background

I Introduction

I Obstacles for Misusing the Traditional Debugging

I Nailgun Attack

I Mitigations

I Conclusion

Nailgun: Breaking the Privilege Isolation on ARM 38 Obstacles for Misusing the Traditional Debugging

Obstacles for attackers:

I Obstacle 1:Physicalaccess.

I Obstacle 2: Debug authentication mechanism.

Does it really require physical access?

Nailgun: Breaking the Privilege Isolation on ARM 39 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST)

Nailgun: Breaking the Privilege Isolation on ARM 40 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST)

Nailgun: Breaking the Privilege Isolation on ARM 41 Traditional Debugging

Debug Authentication

JTAG Interface

Debug Target Debug Host (TARGET) (HOST)

Nailgun: Breaking the Privilege Isolation on ARM 42 Traditional Debugging

Use one to debug another one?

Nailgun: Breaking the Privilege Isolation on ARM 43 Inter-Processor Debugging

We can use one processor on the chip to debug another one on the same chip, and we refer it as inter-processor debugging.

I Memory-mapped debugging registers. - Introduced since ARMv7.

I No JTAG, No physical access.

Nailgun: Breaking the Privilege Isolation on ARM 44 Inter-Processor Debugging

Debug Authentication Memory-mapped Interface

Debug Target Debug Host (TARGET) (HOST)

Nailgun: Breaking the Privilege Isolation on ARM 45 Obstacles for Misusing the Traditional Debugging

Obstacles for attackers:

I Obstacle 1:Physicalaccess.

I Obstacle 2: Debug authentication mechanism.

Does debug authentication work as expected?

Nailgun: Breaking the Privilege Isolation on ARM 46 Processor in Normal State

TARGET is executing instructions pointed by pc

Nailgun: Breaking the Privilege Isolation on ARM 47 Processor in Non-invasive Debugging

Non-invasive Debugging: Monitoring without control

Nailgun: Breaking the Privilege Isolation on ARM 48 Processor in Invasive Debugging

Invasive Debugging: Control and change status

Nailgun: Breaking the Privilege Isolation on ARM 49 ARM Debug Authentication Mechanism

Debug Authentication Signal: Whether debugging is allowed

Nailgun: Breaking the Privilege Isolation on ARM 50 ARM Debug Authentication Mechanism

Four signals for: Secure/Non-secure, Invasive/Non-invasive

Nailgun: Breaking the Privilege Isolation on ARM 51 ARM Ecosystem

ARM SoC Vendor OEM User

Nailgun: Breaking the Privilege Isolation on ARM 52 ARM Ecosystem

ARM SoC Vendor OEM User

I ARM licenses technology to the System-On-Chip (SoC) Vendors. - E.g., ARM architectures and Cortex processors

I Defines the debug authentication signals.

Nailgun: Breaking the Privilege Isolation on ARM 53 ARM Ecosystem

ARM SoC Vendor OEM User

I The SoC Vendors develop chips for Original Equipment Manufacturers (OEMs). - E.g., Qualcomm Snapdragon SoCs

I Implement the debug authentication signals.

Nailgun: Breaking the Privilege Isolation on ARM 54 ARM Ecosystem

ARM SoC Vendor OEM User

I The OEMs produce devices for the users. - E.g., Galaxy Series and Mate Series

I Configure the debug authentication signals.

Nailgun: Breaking the Privilege Isolation on ARM 55 ARM Ecosystem

ARM SoC Vendor OEM User

I Finally, the User can enjoy the released devices. - Tablets, , and other devices

I Learn the status of debug authentication signals.

Nailgun: Breaking the Privilege Isolation on ARM 56 Obstacles for Misusing the Traditional Debugging

Obstacles for attackers:

I Obstacle 1:Physicalaccess.

I Obstacle 2: Debug authentication mechanism.

Does debug authentication work as expected?

Nailgun: Breaking the Privilege Isolation on ARM 57 Debug Authentication Signals

I What is the status of the signals in real-world device?

I How to manage the signals in real-world device?

Nailgun: Breaking the Privilege Isolation on ARM 58 Debug Authentication Signals Table: Debug Authentication Signals on Real Devices.

Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN

Development ARM Juno r1 Board 444 4 Boards NXP i.MX53 QSB 646 6 IoT Devices Raspberry PI 3 B+ 444 4 64-bit ARM miniNode 444 4 Cloud Packet Type 2A Server 444 4 Platforms Scaleway ARM C1 Server 444 4 646 6 Note 2 446 6 Mobile 444 4 Devices Huawei Mate 7 E4 Plus 444 4 6 444 4

Nailgun: Breaking the Privilege Isolation on ARM 59 Debug Authentication Signals Table: Debug Authentication Signals on Real Devices.

Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN

Development ARM Juno r1 Board 444 4 Boards NXP i.MX53 QSB 646 6 IoT Devices Raspberry PI 3 B+ 444 4 64-bit ARM miniNode 444 4 Cloud Packet Type 2A Server 444 4 Platforms Scaleway ARM C1 Server 444 4 6 646 6 Samsung Galaxy Note 2 446 6 Mobile 444 4 Devices Huawei Mate 7 Motorola E4 Plus 444 4 Xiaomi Redmi 6 444 4

Nailgun: Breaking the Privilege Isolation on ARM 60 Debug Authentication Signals Table: Debug Authentication Signals on Real Devices.

Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN

Development ARM Juno r1 Board 4 4 4 4 Boards NXP i.MX53 QSB 646 6 IoT Devices Raspberry PI 3 B+ 4 4 4 4 64-bit ARM miniNode 4 4 4 4 Cloud Packet Type 2A Server 4 4 4 4 Platforms Scaleway ARM C1 Server 4 4 4 4 Google Nexus 6 646 6 Samsung Galaxy Note 2 446 6 Mobile 4 4 4 4 Devices Huawei Mate 7 Motorola E4 Plus 4 4 4 4 Xiaomi Redmi 6 4 4 4 4

Nailgun: Breaking the Privilege Isolation on ARM 61 Debug Authentication Signals

How to manage the signals in real-world device?

I For both development boards with manual, we cannot fully control the debug authentication signals. - Signals in i.MX53 QSB can be enabled by JTAG.

- The DBGEN and NIDEN in ARM Juno board cannot be disabled.

I In some mobile phones, we find that the signals are controlled by One-Time Programmable (OTP) fuse.

For all the other devices, nothing is publicly available.

Nailgun: Breaking the Privilege Isolation on ARM 62 Obstacles for Misusing the Traditional Debugging

Obstacles for attackers:

I Obstacle 1: Physical access. We don’t need physical access to debug a processor.

I Obstacle 2: Debug authentication mechanism. The debug authentication mechanism allows us to debug the processor.

Nailgun: Breaking the Privilege Isolation on ARM 63 Outline

I Background

I Introduction

I Obstacles for Misusing the Traditional Debugging

I Nailgun Attack

I Mitigations

I Conclusion

Nailgun: Breaking the Privilege Isolation on ARM 64 Inter-processor Debugging

Memory-mapped Interface

Debug Target Debug Host (TARGET) (HOST)

Nailgun: Breaking the Privilege Isolation on ARM 65 Inter-processor Debugging

Memory-mapped Interface

Debug Target Debug Host (TARGET) (HOST)

Nailgun: Breaking the Privilege Isolation on ARM 66 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Privilege Escalation Request TARGET HOST (Normal State) (Normal State) (High Privilege) (High Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

An example SoC system:

I Two processors as HOST and TARGET,respectively.

I Low-privilege and High-privilege resource.

Nailgun: Breaking the Privilege Isolation on ARM 67 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Privilege Escalation Request TARGET HOST (Normal State) (Normal State) (High Privilege) (High Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

I Low-privilege refers to non-secure kernel-level privilege

I High-privilege refers to any other higher privilege

Nailgun: Breaking the Privilege Isolation on ARM 68 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Debug TARGET Request HOST (Normal State) (Normal State) (Low Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

Both processors are only access low-privilege resource.

I Normal state

I Low-privilege mode

Nailgun: Breaking the Privilege Isolation on ARM 69 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Debug TARGET Request HOST (Normal State) (Normal State) (Low Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

HOST sends a Debug Request to TARGET,

I TARGET checks its authentication signal.

I Privilege of HOST is ignored.

Nailgun: Breaking the Privilege Isolation on ARM 70 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Debug TARGET Request HOST (Normal State) (Normal State) (Low Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

HOST sends a Debug Request to TARGET,

I TARGET checks its authentication signal.

I Privilege of HOST is ignored.

Nailgun: Breaking the Privilege Isolation on ARM 71 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Debug TARGET Request HOST (Normal State) (Normal State) (Low Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

Implication: A low-privilege processor can make an arbitrary proces- sor (even a high-privilege processor) enter the debug state.

Nailgun: Breaking the Privilege Isolation on ARM 72 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Debug TARGET Request HOST (Debug State) (Normal State) (Low Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

TARGET turns to Debug State according to the request.

I Low-privilege mode

I No access to high-privilege resource

Nailgun: Breaking the Privilege Isolation on ARM 73 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Privilege Escalation TARGET Request HOST (Debug State) (Normal State) (Low Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

HOST sends a Privilege Escalation Request to TARGET,

I E.g., executing DCPS series instructions.

I The instructions can be executed at any privilege level.

Nailgun: Breaking the Privilege Isolation on ARM 74 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Privilege Escalation TARGET Request HOST (Debug State) (Normal State) (Low Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

Implication: The privilege escalation instructions enable a processor running in the debug state to gain a high privilege without restric- tion.

Nailgun: Breaking the Privilege Isolation on ARM 75 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Privilege Escalation TARGET Request HOST (Debug State) (Normal State) (High Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

TARGET turns to High-privilege Mode according to the request.

I Debug state, high-privilege mode

I Gained access to high-privilege resource

Nailgun: Breaking the Privilege Isolation on ARM 76 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Resource Access TARGET Request HOST (Debug State) (Normal State) (High Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

HOST sends a Resource Access Request to TARGET,

I E.g., accessing secure RAM/register/peripheral.

I Privilege of HOST is ignored.

Nailgun: Breaking the Privilege Isolation on ARM 77 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Resource Access TARGET Request HOST (Debug State) (Normal State) (High Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

Implication: The instruction execution and resource access in TARGET does not take the privilege of HOST into account.

Nailgun: Breaking the Privilege Isolation on ARM 78 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Debug TARGET Response HOST (Debug State) (Normal State) (High Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

TARGET return the result to HOST,

I i.e., content of the high-privilege resource.

I Privilege of HOST is ignored.

Nailgun: Breaking the Privilege Isolation on ARM 79 Nailgun Attack A Multi-processor SoC System

High-privilege Resource (Secure RAM/Register/Peripheral)

Debug TARGET Response HOST (Debug State) (Normal State) (High Privilege) (Low Privilege)

Low-privilege Resource (Non-Secure RAM/Register/Peripheral)

HOST gains access to the high-privilege resource while running in,

I Normal state

I Low-privilege mode

Nailgun: Breaking the Privilege Isolation on ARM 80 Nailgun Attack

Nailgun: Break the privilege isolation of ARM platform.

I Achieve access to high-privilege resource via misusing the ARM debugging features.

I Can be used to craft di↵erent attacks.

Nailgun: Breaking the Privilege Isolation on ARM 81 Attack Scenarios

I Implemented Attack Scenarios: - Inferring AES keys from TrustZone.

- Read Secure Configuration Register (SCR). - Arbitrary payload execution in TrustZone.

I Covered Architectures: - ARMv7, 32-bit ARMv8, and 64-bit ARMv8 architecture.

I Vulnerable Devices: - Development boards, IoT devices, cloud platforms, mobile devices.

Nailgun: Breaking the Privilege Isolation on ARM 82 Attack Scenarios

I Implemented Attack Scenarios: - Inferring AES keys from TrustZone.

- Read Secure Configuration Register (SCR). - Arbitrary payload execution in TrustZone.

I Covered Architectures: - ARMv7, 32-bit ARMv8, and 64-bit ARMv8 architecture.

I Vulnerable Devices: - Development boards, IoT devices, cloud platforms, mobile devices.

Nailgun: Breaking the Privilege Isolation on ARM 83 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

... DLR EL0 mov X0, #1 ...... eret

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ...

I DLR EL0 points to the debug return address.

I VBAR EL3 points to the exception vector in EL3.

Nailgun: Breaking the Privilege Isolation on ARM 84 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... DLR EL0 mov X0, #1 ......

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ...

I With Nailgun, we can directly copy the payload to the secure memory.

Nailgun: Breaking the Privilege Isolation on ARM 85 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... DLR EL0 smc #0 ......

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ...

I Modify the instruction pointed by DLR EL0 to get into TrustZone.

Nailgun: Breaking the Privilege Isolation on ARM 86 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... DLR EL0 smc #0 ......

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b payload ...

I Manipulate the exception vector to execute the payload while the SMC exception is routed to EL3.

Nailgun: Breaking the Privilege Isolation on ARM 87 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... DLR EL0 smc #0 ...... eret

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b payload ...

I The last instruction of the payload should be eret.

Nailgun: Breaking the Privilege Isolation on ARM 88 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... PC smc #0 ...... eret

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b payload ...

I Make TARGET exit the debug state.

Nailgun: Breaking the Privilege Isolation on ARM 89 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ...

smc #0 ... ELR EL3 ... eret

VBAR EL3 PC + 0x400 b payload ...

I ELR EL3 points to the exception return address.

Nailgun: Breaking the Privilege Isolation on ARM 90 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... PC smc #0 ... ELR EL3 ... eret

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b payload ...

I The payload get executed.

Nailgun: Breaking the Privilege Isolation on ARM 91 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... PC smc #0 ... ELR EL3 ... eret

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ...

I In the payload, we first restore the exception vector.

Nailgun: Breaking the Privilege Isolation on ARM 92 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... ELR EL3 PC mov X0, #1 ...... eret

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ...

I Roll back the ELR EL3 register.

I Revert the modified instruction.

Nailgun: Breaking the Privilege Isolation on ARM 93 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... ELR EL3 mov X0, #1 ... PC ... eret

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ...

I The eret instruction will finish the exception handle process.

Nailgun: Breaking the Privilege Isolation on ARM 94 Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory

payload: ... PC mov X0, #1 ...... eret

VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ...

I After that, everything goes back to the original state.

Nailgun: Breaking the Privilege Isolation on ARM 95 Nailgun Attack

Fingerprint extraction in commercial .

I Deivce: Huawei Mate 7 (MT-L09)

I Firmware: MT7-L09V100R001C00B121SP05

I Fingerprint sensor: FPC1020

We choose this phone because the manual and driver of the fingerprint sensor is publicly available. Similar attack can be demonstrated on other devices with enabled debug authentication signals.

Nailgun: Breaking the Privilege Isolation on ARM 96 Nailgun Attack

I Step 1: Learn the location of fingerprint data in secure RAM. - Achieved by reverse engineering.

I Step 2: Extract the data. - With the inter-processor debugging in Nailgun.

I Step 3: Restore fingerprint image from the extracted data. - Read the publicly available sensor manual.

Nailgun: Breaking the Privilege Isolation on ARM 97 Nailgun Attack

I The right part of the image is blurred for privacy concerns.

I Source code: https://compass.cs.wayne.edu/nailgun/

I The issue has been fixed in Huawei devices.

Nailgun: Breaking the Privilege Isolation on ARM 98 Nailgun Attack

Nailgun: Breaking the Privilege Isolation on ARM 99 Disclosure

March 2018 Preliminary findings are reported to ARM

August 2018 Report to ARM and related OEMs with enriched result

October 2018 Issue is reported to MITRE

February 2019 PoCs and demos are released

April 2019 CVE-2018-18068 is released

Nailgun: Breaking the Privilege Isolation on ARM 100 Outline

I Background

I Introduction

I Obstacles for Misusing the Traditional Debugging

I Nailgun Attack

I Mitigations

I Conclusion

Nailgun: Breaking the Privilege Isolation on ARM 101 Mitigations

Simply disable the signals?

Nailgun: Breaking the Privilege Isolation on ARM 102 Mitigations

Simply disable the authentication signals?

I Existing tools rely on the debug authentication signals. - E.g., [2, 3, 4, 5, 6, 7, 8, 9, 10, 11]

I Unavailable management mechanisms.

I OTP feature, cost, and maintenance.

Nailgun: Breaking the Privilege Isolation on ARM 103 Mitigations

We suggest a comprehensive defense across di↵erent roles in the ARM ecosystem.

I For ARM, additional restriction in inter-processor debugging model.

I For SoC vendors, refined signal management and hardware-assisted access control to debug components.

I For OEMs and cloud providers, -based access control.

Nailgun: Breaking the Privilege Isolation on ARM 104 Outline

I Background

I Introduction

I Obstacles for Misusing the Traditional Debugging

I Nailgun Attack

I Mitigations

I Conclusion

Nailgun: Breaking the Privilege Isolation on ARM 105 Conclusion

I We present a study on the security of hardware debugging features on ARM platform.

I “Safe” components in legacy systems may be vulnerable in advanced systems.

I We suggest a comprehensive rethink on the security of legacy mechanisms.

Nailgun: Breaking the Privilege Isolation on ARM 106 References I

[1] IEEE, “Standard for test access port and boundary-scan architecture,” https://standards.ieee.org/findstds/standard/1149.1-2013.html.

[2] D. Balzarotti, G. Banks, M. Cova, V. Felmetsger, R. Kemmerer, W. Robertson, F. Valeur, and G. Vigna, “An experience in testing the security of real-world electronic voting systems,” IEEE Transactions on Software Engineering, 2010.

[3] S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, and M. Blaze, “Why (special agent) johnny (still) can’t encrypt: A security analysis of the APCO project 25 two-way radio system,” in Proceedings of the 20th USENIX Security Symposium (USENIX Security’11), 2011.

[4] L. Cojocar, K. Razavi, and H. Bos, “O↵-the-shelf embedded devices as platforms for security research,” in Proceedings of the 10th European Workshop on Systems Security (EuroSec’17), 2017.

[5] N. Corteggiani, G. Camurati, and A. Francillon, “Inception: System-wide security testing of real-world embedded systems software,” in Proceedings of the 27th USENIX Security Symposium (USENIX Security’18), 2018.

[6] L. Garcia, F. Brasser, M. H. Cintuglu, A.-R. Sadeghi, O. A. Mohammed, and S. A. Zonouz, “Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit,” in Proceedings of 24th Network and Distributed System Security Symposium (NDSS’17), 2017.

[7] K. Koscher, T. Kohno, and D. Molnar, “SURROGATES: Enabling near-real-time dynamic analyses of embedded systems,” in Proceedings of the 9th USENIX Workshop on O↵ensive Technologies (WOOT’15), 2015. [8] Y. Lee, I. Heo, D. Hwang, K. Kim, and Y. Paek, “Towards a practical solution to detect code reuse attacks on ARM mobile devices,” in Proceedings of the 4th Workshop on Hardware and Architectural Support for Security and Privacy (HASP’15), 2015.

[9] S. Mazloom, M. Rezaeirad, A. Hunter, and D. McCoy, “A security analysis of an in-vehicle infotainment and app platform,” in Proceedings of the 10th USENIX Workshop on O↵ensive Technologies (WOOT’16), 2016.

Nailgun: Breaking the Privilege Isolation on ARM 107 References II

[10] Z. Ning and F. Zhang, “Ninja: Towards transparent tracing and debugging on ARM,” in Proceedings of the 26th USENIX Security Symposium (USENIX Security’17), 2017.

[11] J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti et al., “AVATAR: A framework to support dynamic security analysis of embedded systems’ firmwares,” in Proceedings of 21st Network and Distributed System Security Symposium (NDSS’14), 2014.

Nailgun: Breaking the Privilege Isolation on ARM 108 Thank you!

Questions? [email protected]

http://compass.cs.wayne.edu

Nailgun: Breaking the Privilege Isolation on ARM 109 Backup Slides

Backup Slides

Nailgun: Breaking the Privilege Isolation on ARM 110 Nailgun in di↵erent ARM architecture

I 64-bit ARMv8 architecture: ARM Juno r1 board. - Embedded Cross Trigger (ECT) for debug request. - Binary instruction to Instruction Transfer Register (ITR).

I 32-bit ARMv8 architecture: Raspberry PI Model 3 B+. - Embedded Cross Trigger (ECT) for debug request. - First and last half of binary instruction should be reversed in ITR.

I ARMv7 architecture: Huawei Mate 7. - Use Debug Run Control Register for debug request. - Binary instruction to Instruction Transfer Register (ITR).

Nailgun: Breaking the Privilege Isolation on ARM 111 Instruction Execution in Debug State

In normal state, TARGET is executing instructions pointed by pc

Nailgun: Breaking the Privilege Isolation on ARM 112 Instruction Execution in Debug State

In debug state, TARGET stops executing the instruction at pc

Nailgun: Breaking the Privilege Isolation on ARM 113 Instruction Execution in Debug State

In debug state, write binary instruction to ITR for execution

Nailgun: Breaking the Privilege Isolation on ARM 114 Instruction Execution in Debug State

In debug state, write binary instruction to ITR for execution

Nailgun: Breaking the Privilege Isolation on ARM 115 Instruction Execution in Debug State

In debug state, write binary instruction to ITR for execution

Nailgun: Breaking the Privilege Isolation on ARM 116