Nailgun: Breaking the Privilege Isolation on ARM
Zhenyu Ning
COMPASS Lab, Wayne State University
Sep 23, 2019

Outline
- Background
- Introduction
- Obstacles for Misusing the Traditional Debugging
- Nailgun Attack
- Mitigations
- Conclusion

Background
Breaking the Privilege Isolation on ARM

ARM
What is ARM?
- In Dictionary: Hands, or weapons.
- Company: ARM was a British semiconductor company, now owned by SoftBank.
- Architecture: ARM is a processor architecture designed by ARM company.

Privilege Isolation
What is Privilege Isolation?
- Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.
- Isolation In Dictionary: The process or fact of isolating or being isolated.
- In Company: CEO is able to view all the classified docs, but coders can not.

Privilege Isolation
Exception Levels in ARM:
- Exception: is used to divert the normal execution control flow, to allow the processor to handle internal or external events.
- Exception Levels: are used to specify different privileges in ARM processor.

Privilege Isolation
Normal Mode
- Normal EL0: User-level apps
- Normal EL1: OS kernel
- Normal EL2: Hypervisors
Secure Mode
- Secure EL0
- Secure EL1
- Secure EL3: Gatekeeper

Background
Breaking the Privilege Isolation on ARM
Figure source: https://www.123rf.com/

Introduction
Modern processors are equipped with hardware-based debugging features to facilitate on-chip debugging process.
- E.g., hardware breakpoints and hardware-based trace.
- It normally requires cable connection (e.g., JTAG [1]) to make use of these features.

Traditional Debugging
Figure: Debug Host (HOST), JTAG Interface, Debug Authentication, Debug Target (TARGET).
Security?

Introduction
Security? We have obstacles for attackers!
- Obstacle 1: Physical access.
- Obstacle 2: Debug authentication mechanism.
Do these obstacles work?

Obstacles for Misusing the Traditional Debugging
Obstacles for attackers:
- Obstacle 1: Physical access.
- Obstacle 2: Debug authentication mechanism.
Does it really require physical access?

Traditional Debugging
Figure: Debug Host (HOST), JTAG Interface, Debug Authentication, Debug Target (TARGET).

Traditional Debugging
Use one to debug another one?

Inter-Processor Debugging
We can use one processor on the chip to debug another one on the same chip, and we refer to this as inter-processor debugging.
- Memory-mapped debugging registers.
  - Introduced since ARMv7.
- No JTAG, No physical access.

Inter-Processor Debugging
Figure: Debug Host (HOST), Memory-mapped Interface, Debug Authentication, Debug Target (TARGET).

Obstacles for Misusing the Traditional Debugging
Obstacles for attackers:
- Obstacle 1: Physical access.
- Obstacle 2: Debug authentication mechanism.
Does debug authentication work as expected?

Processor in Normal State
TARGET is executing instructions pointed to by pc

Processor in Non-invasive Debugging
Non-invasive Debugging: Monitoring without control

Processor in Invasive Debugging
Invasive Debugging: Control and change status

ARM Debug Authentication Mechanism
Debug Authentication Signal: Whether debugging is allowed

ARM Debug Authentication Mechanism
Four signals for: Secure/Non-secure, Invasive/Non-invasive

ARM Ecosystem
ARM → SoC Vendor → OEM → User
- ARM licenses technology to the System-On-Chip (SoC) Vendors.
  - E.g., ARM architectures and Cortex processors
- Defines the debug authentication signals.

ARM Ecosystem
ARM → SoC Vendor → OEM → User
- The SoC Vendors develop chips for Original Equipment Manufacturers (OEMs).
  - E.g., Qualcomm Snapdragon SoCs
- Implement the debug authentication signals.

ARM Ecosystem
ARM → SoC Vendor → OEM → User
- The OEMs produce devices for the users.
  - E.g., Samsung Galaxy Series and Huawei Mate Series
- Configure the debug authentication signals.

ARM Ecosystem
ARM → SoC Vendor → OEM → User
- Finally, the User can enjoy the released devices.
  - Tablets, smartphones, and other devices
- Learn the status of debug authentication signals.

Debug Authentication Signals
- What is the status of the signals in real-world device?
- How to manage the signals in real-world device?

Debug Authentication Signals
Table: Debug Authentication Signals on Real Devices.
Category            Platform / Device        DBGEN  NIDEN  SPIDEN  SPNIDEN
Development Boards  ARM Juno r1 Board        ✓      ✓      ✓       ✓
Development Boards  NXP i.MX53 QSB           ✗      ✓      ✗       ✗
IoT Devices         Raspberry PI 3 B+        ✓      ✓      ✓       ✓
Cloud Platforms     64-bit ARM miniNode      ✓      ✓      ✓       ✓
Cloud Platforms     Packet Type 2A Server    ✓      ✓      ✓       ✓
Cloud Platforms     Scaleway ARM C1 Server   ✓      ✓      ✓       ✓
Mobile Devices      Google Nexus 6           ✗      ✓      ✗       ✗
Mobile Devices      Samsung Galaxy Note 2    ✓      ✓      ✗       ✗
Mobile Devices      Huawei Mate 7            ✓      ✓      ✓       ✓
Mobile Devices      Motorola E4 Plus         ✓      ✓      ✓       ✓
Mobile Devices      Xiaomi Redmi 6           ✓      ✓      ✓       ✓

Debug Authentication Signals
How to manage the signals in real-world device?
- For both development boards with manual, we cannot fully control the debug authentication signals.
  - Signals in i.MX53 QSB can be enabled by JTAG.
  - The DBGEN and NIDEN in ARM Juno board cannot be disabled.
- In some mobile phones, we find that the signals are controlled by One-Time Programmable (OTP) fuse.
For all the other devices, nothing is publicly available.
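
An added example, not taken from the slides or the Nailgun source code: a device owner can audit what the four signals permit by decoding a core's debug authentication status register (DBGAUTHSTATUS in the Arm architecture, which the slides do not name). The function names are hypothetical, and the sample values are constructed from three rows of the table with the architecture's signal-combination rule, assuming EL3 is implemented; they are not values measured on those devices.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DBGAUTHSTATUS uses one 2-bit field per debug class:
 * bit 1 = implemented, bit 0 = enabled (0b01 is reserved). */
enum auth_state { AUTH_NOT_IMPL = 0, AUTH_RESERVED = 1, AUTH_DISABLED = 2, AUTH_ENABLED = 3 };

struct debug_auth {
    enum auth_state nsid;  /* bits [1:0] Non-secure invasive     */
    enum auth_state nsnid; /* bits [3:2] Non-secure non-invasive */
    enum auth_state sid;   /* bits [5:4] Secure invasive         */
    enum auth_state snid;  /* bits [7:6] Secure non-invasive     */
};

/* Audit verdicts, least to most exposed (hypothetical names). */
enum exposure { EXP_CLOSED, EXP_NONINVASIVE_ONLY, EXP_NONSECURE_INVASIVE, EXP_SECURE_INVASIVE };

static enum auth_state field(uint32_t v, unsigned shift)
{
    return (enum auth_state)((v >> shift) & 0x3u);
}

struct debug_auth decode_dbgauthstatus(uint32_t v)
{
    struct debug_auth a;
    a.nsid  = field(v, 0);
    a.nsnid = field(v, 2);
    a.sid   = field(v, 4);
    a.snid  = field(v, 6);
    return a;
}

/* Invasive debug lets a debugger halt the core and change its state, so it
 * outranks non-invasive (monitor-only) debug; Secure outranks Non-secure. */
enum exposure classify(struct debug_auth a)
{
    if (a.sid == AUTH_ENABLED)  return EXP_SECURE_INVASIVE;
    if (a.nsid == AUTH_ENABLED) return EXP_NONSECURE_INVASIVE;
    if (a.snid == AUTH_ENABLED || a.nsnid == AUTH_ENABLED) return EXP_NONINVASIVE_ONLY;
    return EXP_CLOSED;
}

const char *exposure_name(enum exposure e)
{
    switch (e) {
    case EXP_SECURE_INVASIVE:    return "invasive debug allowed in Secure state";
    case EXP_NONSECURE_INVASIVE: return "invasive debug allowed in Non-secure state only";
    case EXP_NONINVASIVE_ONLY:   return "non-invasive debug only";
    default:                     return "debug authentication closed";
    }
}

/* Value a core implementing all four classes would report for the given
 * signal levels: Secure debug needs SPIDEN/SPNIDEN on top of DBGEN/NIDEN. */
uint32_t model_dbgauthstatus(bool dbgen, bool niden, bool spiden, bool spniden)
{
    unsigned nsid  = dbgen;
    unsigned nsnid = dbgen || niden;
    unsigned sid   = dbgen && spiden;
    unsigned snid  = nsnid && (spiden || spniden);
    return (2u | nsid) | ((2u | nsnid) << 2) | ((2u | sid) << 4) | ((2u | snid) << 6);
}

int main(void)
{
    /* Signal settings copied from three rows of the table (constructed input). */
    struct { const char *name; bool dbgen, niden, spiden, spniden; } rows[] = {
        { "ARM Juno r1 Board",     true,  true, true,  true  },
        { "Samsung Galaxy Note 2", true,  true, false, false },
        { "Google Nexus 6",        false, true, false, false },
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        uint32_t v = model_dbgauthstatus(rows[i].dbgen, rows[i].niden,
                                         rows[i].spiden, rows[i].spniden);
        printf("%-22s DBGAUTHSTATUS=0x%02x -> %s\n", rows[i].name, (unsigned)v,
               exposure_name(classify(decode_dbgauthstatus(v))));
    }
    return 0;
}
```

A production image that reports anything other than a closed configuration is worth raising with the OEM, since the slides note that the signals are often fixed by fuses or undocumented controls.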

Obstacles for Misusing the Traditional Debugging
Obstacles for attackers:
- Obstacle 1: Physical access.
  We don’t need physical access to debug a processor.
- Obstacle 2: Debug authentication mechanism.
  The debug authentication mechanism allows us to debug the processor.

Inter-processor Debugging
Figure: Debug Host (HOST), Memory-mapped Interface, Debug Target (TARGET).

Nailgun Attack
A Multi-processor SoC System
Figure: TARGET (Normal State, High Privilege); HOST (Normal State, High Privilege); High-privilege Resource (Secure RAM/Register/Peripheral); Low-privilege Resource (Non-Secure RAM/Register/Peripheral); Privilege Escalation Request.
An example SoC system:
- Two processors as HOST and TARGET, respectively.
- Low-privilege and High-privilege resource.
- Low-privilege refers to non-secure kernel-level privilege
- High-privilege refers to any other higher privilege

Nailgun Attack
A Multi-processor SoC System
Figure: TARGET (Normal State, Low Privilege); HOST (Normal State, Low Privilege); Debug Request.
Both processors can only access the low-privilege resource.
- Normal state
- Low-privilege mode
HOST sends a Debug Request to TARGET,
- TARGET checks its authentication signal.
- Privilege of HOST is ignored.
Implication: A low-privilege processor can make an arbitrary processor (even a high-privilege processor) enter the debug state.

Nailgun Attack
A Multi-processor SoC System
Figure: TARGET (Debug State, Low Privilege); HOST (Normal State, Low Privilege); Debug Request.
TARGET turns to Debug State according to the request.
- Low-privilege mode
- No access to high-privilege resource

Nailgun Attack
A Multi-processor SoC System
Figure: TARGET (Debug State, Low Privilege); HOST (Normal State, Low Privilege); Privilege Escalation Request.
HOST sends a Privilege Escalation Request to TARGET,
- E.g., executing DCPS series instructions.
- The instructions can be executed at any privilege level.
Implication: The privilege escalation instructions enable a processor running in the debug state to gain a high privilege without restriction.

Nailgun Attack
A Multi-processor SoC System
Figure: TARGET (Debug State, High Privilege); HOST (Normal State, Low Privilege); Privilege Escalation Request.
TARGET turns to High-privilege Mode according to the request.
- Debug state, high-privilege mode
- Gained access to high-privilege resource

Nailgun Attack
A Multi-processor SoC System
Figure: TARGET (Debug State, High Privilege); HOST (Normal State, Low Privilege); Resource Access Request.
HOST sends a Resource Access Request to TARGET,
- E.g., accessing secure RAM/register/peripheral.
- Privilege of HOST is ignored.
Implication: The instruction execution and resource access in TARGET does not take the privilege of HOST into account.

Nailgun Attack
A Multi-processor SoC System
Figure: TARGET (Debug State, High Privilege); HOST (Normal State, Low Privilege); Debug Response.
TARGET returns the result to HOST,
- i.e., content of the high-privilege resource.
- Privilege of HOST is ignored.
HOST gains access to the high-privilege resource while running in,
- Normal state
- Low-privilege mode

Nailgun Attack
Nailgun: Break the privilege isolation of ARM platform.
- Achieve access to high-privilege resource via misusing the ARM debugging features.
- Can be used to craft different attacks.

Attack Scenarios
- Implemented Attack Scenarios:
  - Inferring AES keys from TrustZone.
  - Read Secure Configuration Register (SCR).
  - Arbitrary payload execution in TrustZone.
- Covered Architectures:
  - ARMv7, 32-bit ARMv8, and 64-bit ARMv8 architecture.
- Vulnerable Devices:
  - Development boards, IoT devices, cloud platforms, mobile devices.

Arbitrary Code Execution in TrustZone
Figure (built up step by step across these slides): Non-secure Memory and Secure Memory; labels: mov X0, #1; smc #0; b handler; b payload; payload:; eret; DLR_EL0; ELR_EL3; PC; VBAR_EL3 + 0x400.
- DLR_EL0 points to the debug return address.
- VBAR_EL3 points to the exception vector in EL3.
- With Nailgun, we can directly copy the payload to the secure memory.
- Modify the instruction pointed to by DLR_EL0 to get into TrustZone.
- Manipulate the exception vector to execute the payload while the SMC exception is routed to EL3.
- The last instruction of the payload should be eret.
- Make TARGET exit the debug state.
- ELR_EL3 points to the exception return address.
- The payload gets executed.
- In the payload, we first restore the exception vector.
- Roll back the ELR_EL3 register.
- Revert the modified instruction.
- The eret instruction will finish the exception handling process.
- After that, everything goes back to the original state.

Nailgun Attack
Fingerprint extraction in commercial mobile phone.
- Device: Huawei Mate 7 (MT-L09)
- Firmware: MT7-L09V100R001C00B121SP05
- Fingerprint sensor: FPC1020
We choose this phone because the manual and driver of the fingerprint sensor are publicly available. A similar attack can be demonstrated on other devices with enabled debug authentication signals.

Nailgun Attack
- Step 1: Learn the location of fingerprint data in secure RAM.
  - Achieved by reverse engineering.
- Step 2: Extract the data.
  - With the inter-processor debugging in Nailgun.
- Step 3: Restore fingerprint image from the extracted data.
  - Read the publicly available sensor manual.

Nailgun Attack
- The right part of the image is blurred for privacy concerns.
- Source code: https://compass.cs.wayne.edu/nailgun/
- The issue has been fixed in Huawei devices.

Disclosure
- March 2018: Preliminary findings are reported to ARM
- August 2018: Report to ARM and related OEMs with enriched result
- October 2018: Issue is reported to MITRE
- February 2019: PoCs and demos are released
- April 2019: CVE-2018-18068 is released

Mitigations
Simply disable the authentication signals?
- Existing tools rely on the debug authentication signals.
  - E.g., [2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
- Unavailable management mechanisms.
- OTP feature, cost, and maintenance.

Mitigations
We suggest a comprehensive defense across different roles in the ARM ecosystem.
- For ARM, additional restriction in inter-processor debugging model.
- For SoC vendors, refined signal management and hardware-assisted access control to debug components.
- For OEMs and cloud providers, software-based access control.

Conclusion
- We present a study on the security of hardware debugging features on ARM platform.
- “Safe” components in legacy systems may be vulnerable in advanced systems.
- We suggest a comprehensive rethink on the security of legacy mechanisms.

References
[1] IEEE, “Standard for test access port and boundary-scan architecture,” https://standards.ieee.org/findstds/standard/1149.1-2013.html.
[2] D. Balzarotti, G. Banks, M. Cova, V. Felmetsger, R. Kemmerer, W. Robertson, F. Valeur, and G. Vigna, “An experience in testing the security of real-world electronic voting systems,” IEEE Transactions on Software Engineering, 2010.
[3] S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, and M. Blaze, “Why (special agent) johnny (still) can’t encrypt: A security analysis of the APCO project 25 two-way radio system,” in Proceedings of the 20th USENIX Security Symposium (USENIX Security’11), 2011.
[4] L. Cojocar, K. Razavi, and H. Bos, “Off-the-shelf embedded devices as platforms for security research,” in Proceedings of the 10th European Workshop on Systems Security (EuroSec’17), 2017.
[5] N. Corteggiani, G. Camurati, and A. Francillon, “Inception: System-wide security testing of real-world embedded systems software,” in Proceedings of the 27th USENIX Security Symposium (USENIX Security’18), 2018.
[6] L. Garcia, F. Brasser, M. H. Cintuglu, A.-R. Sadeghi, O. A. Mohammed, and S. A. Zonouz, “Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit,” in Proceedings of 24th Network and Distributed System Security Symposium (NDSS’17), 2017.
[7] K. Koscher, T. Kohno, and D. Molnar, “SURROGATES: Enabling near-real-time dynamic analyses of embedded systems,” in Proceedings of the 9th USENIX Workshop on Offensive Technologies (WOOT’15), 2015.
[8] Y. Lee, I. Heo, D. Hwang, K. Kim, and Y. Paek, “Towards a practical solution to detect code reuse attacks on ARM mobile devices,” in Proceedings of the 4th Workshop on Hardware and Architectural Support for Security and Privacy (HASP’15), 2015.
[9] S. Mazloom, M. Rezaeirad, A. Hunter, and D. McCoy, “A security analysis of an in-vehicle infotainment and app platform,” in Proceedings of the 10th USENIX Workshop on Offensive Technologies (WOOT’16), 2016.
[10] Z. Ning and F. Zhang, “Ninja: Towards transparent tracing and debugging on ARM,” in Proceedings of the 26th USENIX Security Symposium (USENIX Security’17), 2017.
[11] J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti et al., “AVATAR: A framework to support dynamic security analysis of embedded systems’ firmwares,” in Proceedings of 21st Network and Distributed System Security Symposium (NDSS’14), 2014.

Thank you!
http://compass.cs.wayne.edu

Backup Slides

Nailgun in different ARM architecture
- 64-bit ARMv8 architecture: ARM Juno r1 board.
  - Embedded Cross Trigger (ECT) for debug request.
  - Binary instruction to Instruction Transfer Register (ITR).
- 32-bit ARMv8 architecture: Raspberry PI Model 3 B+.
  - Embedded Cross Trigger (ECT) for debug request.
  - First and last half of binary instruction should be reversed in ITR.
- ARMv7 architecture: Huawei Mate 7.
  - Use Debug Run Control Register for debug request.
  - Binary instruction to Instruction Transfer Register (ITR).

Instruction Execution in Debug State
- In normal state, TARGET is executing instructions pointed by pc
- In debug state, TARGET stops executing the instruction at pc
- In debug state, write binary instruction to ITR for execution