Nailgun: Breaking the Privilege Isolation on ARM


SLIDE 1

Nailgun: Breaking the Privilege Isolation on ARM

Zhenyu Ning

COMPASS Lab, Wayne State University

Sep 23, 2019

Nailgun: Breaking the Privilege Isolation on ARM 1

SLIDE 2

Outline

• Background
• Introduction
• Obstacles for Misusing the Traditional Debugging
• Nailgun Attack
• Mitigations
• Conclusion


SLIDE 4

Background

Breaking the Privilege Isolation on ARM


SLIDE 7

ARM

What is ARM?

• In Dictionary: Hands, or weapons.
• Company: ARM was a British semiconductor company, now owned by SoftBank.
• Architecture: ARM is a processor architecture designed by the ARM company.


SLIDE 13

Privilege Isolation

What is Privilege Isolation?

• Privilege (in dictionary): A special right, advantage, or immunity granted or available only to a particular person or group.
• Isolation (in dictionary): The process or fact of isolating or being isolated.
• In a company: The CEO is able to view all the classified docs, but coders cannot.


SLIDE 17

Privilege Isolation

Exception Levels in ARM:

• Exception: used to divert the normal execution control flow, to allow the processor to handle internal or external events.
• Exception Levels: used to specify different privileges in ARM processors.

SLIDE 18

Privilege Isolation

Normal Mode

• Normal EL0: User-level apps
• Normal EL1: OS kernel
• Normal EL2: Hypervisors

Secure Mode

• Secure EL0
• Secure EL1
• Secure EL3: Gatekeeper


SLIDE 26

Background

Breaking the Privilege Isolation on ARM

Figure source: https://www.123rf.com/


SLIDE 28

Introduction

Modern processors are equipped with hardware-based debugging features to facilitate the on-chip debugging process.

  • E.g., hardware breakpoints and hardware-based trace.
  • It normally requires a cable connection (e.g., JTAG [1]) to make use of these features.

SLIDE 29

Traditional Debugging

[Figure labels: Debug Host (HOST), JTAG Interface, Debug Target (TARGET), Debug Authentication]

Security?


SLIDE 36

Introduction

Security? We have obstacles for attackers!

• Obstacle 1: Physical access.
• Obstacle 2: Debug authentication mechanism.

Do these obstacles work?


SLIDE 39

Obstacles for Misusing the Traditional Debugging

Obstacles for attackers:

• Obstacle 1: Physical access.
• Obstacle 2: Debug authentication mechanism.

Does it really require physical access?

SLIDE 40

Traditional Debugging

[Figure labels: Debug Host (HOST), JTAG Interface, Debug Target (TARGET), Debug Authentication]


SLIDE 43

Traditional Debugging

Use one to debug another one?

SLIDE 44

Inter-Processor Debugging

We can use one processor on the chip to debug another one on the same chip, and we refer to it as inter-processor debugging.

• Memory-mapped debugging registers.
  • Introduced since ARMv7.
• No JTAG, no physical access.

SLIDE 45

Inter-Processor Debugging

[Figure labels: Debug Host (HOST), Memory-mapped Interface, Debug Target (TARGET), Debug Authentication]

SLIDE 46

Obstacles for Misusing the Traditional Debugging

Obstacles for attackers:

• Obstacle 1: Physical access.
• Obstacle 2: Debug authentication mechanism.

Does debug authentication work as expected?

SLIDE 47

Processor in Normal State

TARGET is executing instructions pointed to by pc.

[Figure: TARGET (Normal State) with pc marking a position in an instruction listing: MOV x0, x3; MOV x1, x4; LDR pc, [pc, #-0x10]; ...; MOV x4, #4; MOV x3, #3; ...]

SLIDE 48

Processor in Non-invasive Debugging

Non-invasive Debugging: Monitoring without control

[Figure: instruction listing with pc; TARGET (Normal State)]

SLIDE 49

Processor in Invasive Debugging

Invasive Debugging: Control and change status

[Figure: instruction listing with pc; TARGET (Debug State)]

SLIDE 50

ARM Debug Authentication Mechanism

Debug Authentication Signal: Whether debugging is allowed

[Figure: instruction listing with pc; TARGET (Normal State); Debug Disabled]

SLIDE 51

ARM Debug Authentication Mechanism

Four signals for: Secure/Non-secure, Invasive/Non-invasive

[Figure: instruction listing with pc; TARGET (Normal State); Debug Disabled]

SLIDE 52

ARM Ecosystem

ARM → SoC Vendor → OEM → User

SLIDE 53

ARM Ecosystem

ARM → SoC Vendor → OEM → User

• ARM licenses technology to the System-on-Chip (SoC) vendors.
  • E.g., ARM architectures and Cortex processors
• Defines the debug authentication signals.

SLIDE 54

ARM Ecosystem

ARM → SoC Vendor → OEM → User

• The SoC vendors develop chips for Original Equipment Manufacturers (OEMs).
  • E.g., Qualcomm Snapdragon SoCs
• Implement the debug authentication signals.

SLIDE 55

ARM Ecosystem

ARM → SoC Vendor → OEM → User

• The OEMs produce devices for the users.
  • E.g., Samsung Galaxy Series and Huawei Mate Series
• Configure the debug authentication signals.

SLIDE 56

ARM Ecosystem

ARM → SoC Vendor → OEM → User

• Finally, the User can enjoy the released devices.
  • Tablets, smartphones, and other devices
• Learn the status of debug authentication signals.


SLIDE 58

Debug Authentication Signals

• What is the status of the signals in real-world devices?
• How to manage the signals in real-world devices?

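SLIDE 59

Debug Authentication Signals

Table: Debug Authentication Signals on Real Devices (✓ = enabled, ✗ = disabled).

| Category           | Platform / Device       | DBGEN | NIDEN | SPIDEN | SPNIDEN |
|--------------------|-------------------------|-------|-------|--------|---------|
| Development Boards | ARM Juno r1 Board       | ✓     | ✓     | ✓      | ✓       |
| Development Boards | NXP i.MX53 QSB          | ✗     | ✓     | ✗      | ✗       |
| IoT Devices        | Raspberry PI 3 B+       | ✓     | ✓     | ✓      | ✓       |
| Cloud Platforms    | 64-bit ARM miniNode     | ✓     | ✓     | ✓      | ✓       |
| Cloud Platforms    | Packet Type 2A Server   | ✓     | ✓     | ✓      | ✓       |
| Cloud Platforms    | Scaleway ARM C1 Server  | ✓     | ✓     | ✓      | ✓       |
| Mobile Devices     | Google Nexus 6          | ✗     | ✓     | ✗      | ✗       |
| Mobile Devices     | Samsung Galaxy Note 2   | ✓     | ✓     | ✗      | ✗       |
| Mobile Devices     | Huawei Mate 7           | ✓     | ✓     | ✓      | ✓       |
| Mobile Devices     | Motorola E4 Plus        | ✓     | ✓     | ✓      | ✓       |
| Mobile Devices     | Xiaomi Redmi 6          | ✓     | ✓     | ✓      | ✓       |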
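How the four signal states in the table surface to software, as an added example (not code from the slides or from the Nailgun project): a C decoder for the ARMv8 DBGAUTHSTATUS_EL1 register, whose 2-bit fields report whether each of the four debug modes is implemented and enabled, plus an audit rating of the result. Assumptions: the signal-to-field relation in `dbgauthstatus_from_signals` follows ARM's recommended DBGEN/NIDEN/SPIDEN/SPNIDEN interface with EL3 implemented; the register values are constructed from signal patterns like the table's rows, not read from devices; all type and function names are hypothetical.

```c
/* Added example: decode DBGAUTHSTATUS_EL1 (AArch64) and rate debug exposure.
 * On hardware the value is read at EL1 with: mrs x0, DBGAUTHSTATUS_EL1
 * Here the values are constructed so the code runs on any machine. */
#include <stdint.h>
#include <stdio.h>

/* Encoding of each 2-bit field in the register. */
typedef enum {
    DBG_NOT_IMPLEMENTED = 0,
    DBG_RESERVED = 1,
    DBG_DISABLED = 2,   /* implemented, currently disabled */
    DBG_ENABLED = 3     /* implemented, currently enabled */
} dbg_state;

typedef struct {
    dbg_state ns_invasive;     /* NSID,  bits [1:0] */
    dbg_state ns_noninvasive;  /* NSNID, bits [3:2] */
    dbg_state s_invasive;      /* SID,   bits [5:4] */
    dbg_state s_noninvasive;   /* SNID,  bits [7:6] */
} dbg_auth_status;

typedef enum {
    EXPOSURE_NONE = 0,     /* no external debug mode enabled */
    EXPOSURE_MONITOR,      /* only non-invasive (monitoring) debug enabled */
    EXPOSURE_NS_HALT,      /* non-secure invasive debug enabled */
    EXPOSURE_SECURE_HALT   /* secure invasive debug enabled */
} dbg_exposure;

static dbg_state field(uint64_t reg, unsigned shift) {
    return (dbg_state)((reg >> shift) & 0x3u);
}

dbg_auth_status decode_dbgauthstatus(uint64_t reg) {
    dbg_auth_status s;
    s.ns_invasive = field(reg, 0);
    s.ns_noninvasive = field(reg, 2);
    s.s_invasive = field(reg, 4);
    s.s_noninvasive = field(reg, 6);
    return s;
}

/* Assumption: recommended signal interface, EL3 implemented, so every
 * field is "implemented" and only its enabled bit varies. */
uint64_t dbgauthstatus_from_signals(int dbgen, int niden, int spiden, int spniden) {
    int inv = dbgen != 0;
    int noninv = inv || niden;
    int s_inv = inv && spiden;
    int s_noninv = noninv && (spiden || spniden);
    return (uint64_t)(inv ? 3 : 2)
         | (uint64_t)(noninv ? 3 : 2) << 2
         | (uint64_t)(s_inv ? 3 : 2) << 4
         | (uint64_t)(s_noninv ? 3 : 2) << 6;
}

/* Rate the worst debug mode an on-chip debug host could use. */
dbg_exposure classify_exposure(const dbg_auth_status *s) {
    if (s->s_invasive == DBG_ENABLED)
        return EXPOSURE_SECURE_HALT;
    if (s->ns_invasive == DBG_ENABLED)
        return EXPOSURE_NS_HALT;
    if (s->ns_noninvasive == DBG_ENABLED || s->s_noninvasive == DBG_ENABLED)
        return EXPOSURE_MONITOR;
    return EXPOSURE_NONE;
}

const char *exposure_name(dbg_exposure e) {
    switch (e) {
    case EXPOSURE_SECURE_HALT: return "secure invasive debug enabled";
    case EXPOSURE_NS_HALT:     return "non-secure invasive debug enabled";
    case EXPOSURE_MONITOR:     return "non-invasive debug only";
    default:                   return "all external debug disabled";
    }
}

int main(void) {
    /* Constructed signal patterns {DBGEN, NIDEN, SPIDEN, SPNIDEN}. */
    static const int patterns[4][4] = {
        {1, 1, 1, 1},  /* all four enabled */
        {1, 1, 0, 0},  /* non-secure debug only */
        {0, 1, 0, 0},  /* only NIDEN enabled */
        {0, 0, 0, 0},  /* everything disabled */
    };
    for (int i = 0; i < 4; i++) {
        const int *p = patterns[i];
        uint64_t reg = dbgauthstatus_from_signals(p[0], p[1], p[2], p[3]);
        dbg_auth_status s = decode_dbgauthstatus(reg);
        printf("DBGEN=%d NIDEN=%d SPIDEN=%d SPNIDEN=%d -> 0x%02llx: %s\n",
               p[0], p[1], p[2], p[3], (unsigned long long)reg,
               exposure_name(classify_exposure(&s)));
    }
    return 0;
}
```

A production image that reports anything above "all external debug disabled" is worth raising with the SoC vendor or OEM, since the signal configuration is theirs to set.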


SLIDE 62

Debug Authentication Signals

How to manage the signals in real-world devices?

• For both development boards with manuals, we cannot fully control the debug authentication signals.
  • Signals in i.MX53 QSB can be enabled by JTAG.
  • The DBGEN and NIDEN in ARM Juno board cannot be disabled.
• In some mobile phones, we find that the signals are controlled by a One-Time Programmable (OTP) fuse.

For all the other devices, nothing is publicly available.

SLIDE 63

Obstacles for Misusing the Traditional Debugging

Obstacles for attackers:

• Obstacle 1: Physical access.
  We don’t need physical access to debug a processor.
• Obstacle 2: Debug authentication mechanism.
  The debug authentication mechanism allows us to debug the processor.


SLIDE 65

Inter-processor Debugging

[Figure labels: Debug Host (HOST), Memory-mapped Interface, Debug Target (TARGET)]


SLIDE 67

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Normal State, High Privilege); HOST (Normal State, High Privilege); High-privilege Resource (Secure RAM/Register/Peripheral); Low-privilege Resource (Non-Secure RAM/Register/Peripheral); Privilege Escalation Request]

An example SoC system:

• Two processors as HOST and TARGET, respectively.
• Low-privilege and high-privilege resources.

SLIDE 68

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Normal State, High Privilege); HOST (Normal State, High Privilege); High-privilege Resource; Low-privilege Resource; Privilege Escalation Request]

• Low-privilege refers to non-secure kernel-level privilege.
• High-privilege refers to any other higher privilege.

SLIDE 69

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Normal State, Low Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Debug Request]

Both processors can only access low-privilege resources.

• Normal state
• Low-privilege mode

SLIDE 70

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Normal State, Low Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Debug Request]

HOST sends a Debug Request to TARGET:

• TARGET checks its authentication signal.
• Privilege of HOST is ignored.


SLIDE 72

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Normal State, Low Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Debug Request]

Implication: A low-privilege processor can make an arbitrary processor (even a high-privilege processor) enter the debug state.

SLIDE 73

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Debug State, Low Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Debug Request]

TARGET turns to Debug State according to the request.

• Low-privilege mode
• No access to high-privilege resource

SLIDE 74

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Debug State, Low Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Privilege Escalation Request]

HOST sends a Privilege Escalation Request to TARGET:

• E.g., executing DCPS series instructions.
• The instructions can be executed at any privilege level.

SLIDE 75

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Debug State, Low Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Privilege Escalation Request]

Implication: The privilege escalation instructions enable a processor running in the debug state to gain a high privilege without restriction.

SLIDE 76

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Debug State, High Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Privilege Escalation Request]

TARGET turns to High-privilege Mode according to the request.

• Debug state, high-privilege mode
• Gained access to high-privilege resource

SLIDE 77

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Debug State, High Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Resource Access Request]

HOST sends a Resource Access Request to TARGET:

• E.g., accessing secure RAM/register/peripheral.
• Privilege of HOST is ignored.

SLIDE 78

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Debug State, High Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Resource Access Request]

Implication: The instruction execution and resource access in TARGET do not take the privilege of HOST into account.

SLIDE 79

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Debug State, High Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Debug Response]

TARGET returns the result to HOST:

• i.e., content of the high-privilege resource.
• Privilege of HOST is ignored.

SLIDE 80

Nailgun Attack

A Multi-processor SoC System

[Figure: TARGET (Debug State, High Privilege); HOST (Normal State, Low Privilege); High-privilege Resource; Low-privilege Resource; Debug Response]

HOST gains access to the high-privilege resource while running in:

• Normal state
• Low-privilege mode

SLIDE 81

Nailgun Attack

Nailgun: Break the privilege isolation of the ARM platform.

• Achieve access to high-privilege resources by misusing the ARM debugging features.
• Can be used to craft different attacks.

SLIDE 82

Attack Scenarios

• Implemented Attack Scenarios:
  • Inferring AES keys from TrustZone.
  • Read Secure Configuration Register (SCR).
  • Arbitrary payload execution in TrustZone.
• Covered Architectures:
  • ARMv7, 32-bit ARMv8, and 64-bit ARMv8 architecture.
• Vulnerable Devices:
  • Development boards, IoT devices, cloud platforms, mobile devices.


SLIDE 84

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: mov X0, #1; eret; b handler. Labels: DLR_EL0; VBAR_EL3 + 0x400.]

• DLR_EL0 points to the debug return address.
• VBAR_EL3 points to the exception vector in EL3.

SLIDE 85

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: mov X0, #1; b handler. Labels: payload; DLR_EL0; VBAR_EL3 + 0x400.]

• With Nailgun, we can directly copy the payload to the secure memory.

SLIDE 86

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: smc #0; b handler. Labels: payload; DLR_EL0; VBAR_EL3 + 0x400.]

• Modify the instruction pointed to by DLR_EL0 to get into TrustZone.

SLIDE 87

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: smc #0; b payload. Labels: payload; DLR_EL0; VBAR_EL3 + 0x400.]

• Manipulate the exception vector to execute the payload while the SMC exception is routed to EL3.

SLIDE 88

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: smc #0; eret; b payload. Labels: payload; DLR_EL0; VBAR_EL3 + 0x400.]

• The last instruction of the payload should be eret.

SLIDE 89

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: smc #0; eret; b payload. Labels: payload; PC; VBAR_EL3 + 0x400.]

• Make TARGET exit the debug state.

SLIDE 90

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: smc #0; eret; b payload. Labels: payload; ELR_EL3; PC; VBAR_EL3 + 0x400.]

• ELR_EL3 points to the exception return address.

SLIDE 91

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: smc #0; eret; b payload. Labels: payload; PC; ELR_EL3; VBAR_EL3 + 0x400.]

• The payload gets executed.

SLIDE 92

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: smc #0; eret; b handler. Labels: payload; PC; ELR_EL3; VBAR_EL3 + 0x400.]

• In the payload, we first restore the exception vector.

SLIDE 93

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: mov X0, #1; eret; b handler. Labels: payload; PC; ELR_EL3; VBAR_EL3 + 0x400.]

• Roll back the ELR_EL3 register.
• Revert the modified instruction.

SLIDE 94

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: mov X0, #1; eret; b handler. Labels: payload; PC; ELR_EL3; VBAR_EL3 + 0x400.]

• The eret instruction will finish the exception handling process.

SLIDE 95

Arbitrary Code Execution in TrustZone

[Figure: Non-secure Memory and Secure Memory. Instructions shown: mov X0, #1; eret; b handler. Labels: payload; PC; VBAR_EL3 + 0x400.]

• After that, everything goes back to the original state.

SLIDE 96

Nailgun Attack

Fingerprint extraction in a commercial mobile phone.

• Device: Huawei Mate 7 (MT-L09)
• Firmware: MT7-L09V100R001C00B121SP05
• Fingerprint sensor: FPC1020

We choose this phone because the manual and driver of the fingerprint sensor are publicly available. A similar attack can be demonstrated on other devices with enabled debug authentication signals.

SLIDE 97

Nailgun Attack

• Step 1: Learn the location of fingerprint data in secure RAM.
  • Achieved by reverse engineering.
• Step 2: Extract the data.
  • With the inter-processor debugging in Nailgun.
• Step 3: Restore fingerprint image from the extracted data.
  • Read the publicly available sensor manual.

SLIDE 98

Nailgun Attack

• The right part of the image is blurred for privacy concerns.
• Source code: https://compass.cs.wayne.edu/nailgun/
• The issue has been fixed in Huawei devices.

SLIDE 99

Nailgun Attack

SLIDE 100

Disclosure

• March 2018: Preliminary findings are reported to ARM
• August 2018: Report to ARM and related OEMs with enriched result
• October 2018: Issue is reported to MITRE
• February 2019: PoCs and demos are released
• April 2019: CVE-2018-18068 is released


SLIDE 102

Mitigations

Simply disable the signals?

SLIDE 103

Mitigations

Simply disable the authentication signals?

• Existing tools rely on the debug authentication signals.
  • E.g., [2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
• Unavailable management mechanisms.
• OTP feature, cost, and maintenance.

SLIDE 104

Mitigations

We suggest a comprehensive defense across different roles in the ARM ecosystem.

• For ARM, additional restriction in the inter-processor debugging model.
• For SoC vendors, refined signal management and hardware-assisted access control to debug components.
• For OEMs and cloud providers, software-based access control.
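The request sequence from the "A Multi-processor SoC System" slides and the ARM-level mitigation above, as an added abstract model in C (not code from the slides or from the Nailgun project). It contrasts an authorization check that looks only at TARGET's authentication signal with one that also bounds the session by HOST's privilege; that bounding rule, and every type and function name here, is a hypothetical illustration of "additional restriction", not ARM's specification.

```c
/* Added example: abstract model of inter-processor debug authorization.
 * No hardware registers are touched; this models the decision logic only. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { PRIV_LOW = 0, PRIV_HIGH = 1 } privilege;
typedef enum { STATE_NORMAL, STATE_DEBUG } cpu_state;

typedef enum {
    POLICY_SIGNAL_ONLY,  /* model from the slides: HOST privilege is ignored */
    POLICY_CHECK_HOST    /* hypothetical restriction: HOST privilege is a ceiling */
} debug_policy;

typedef struct {
    cpu_state state;
    privilege priv;
    bool debug_signal_enabled;  /* this processor's invasive debug authentication */
} cpu;

/* Debug Request: TARGET consults its own authentication signal. */
bool debug_request(const cpu *host, cpu *target, debug_policy policy) {
    if (!target->debug_signal_enabled)
        return false;
    if (policy == POLICY_CHECK_HOST && host->priv < target->priv)
        return false;  /* a host may not halt a more privileged target */
    target->state = STATE_DEBUG;
    return true;
}

/* Privilege Escalation Request: only meaningful in the debug state. */
bool escalation_request(const cpu *host, cpu *target, privilege wanted,
                        debug_policy policy) {
    if (target->state != STATE_DEBUG)
        return false;
    if (policy == POLICY_CHECK_HOST && wanted > host->priv)
        return false;  /* the session cannot exceed the host's privilege */
    target->priv = wanted;
    return true;
}

/* Resource Access Request: checked against TARGET's privilege only. */
bool resource_access(const cpu *target, privilege required) {
    return target->state == STATE_DEBUG && target->priv >= required;
}

/* Run the whole sequence with a low-privilege TARGET and report whether
 * HOST ends up receiving high-privilege resource content. */
bool host_reaches_high_resource(privilege host_priv, bool signal_enabled,
                                debug_policy policy) {
    cpu host = { STATE_NORMAL, host_priv, false };
    cpu target = { STATE_NORMAL, PRIV_LOW, signal_enabled };
    if (!debug_request(&host, &target, policy))
        return false;
    if (!escalation_request(&host, &target, PRIV_HIGH, policy))
        return false;
    return resource_access(&target, PRIV_HIGH);
}

int main(void) {
    printf("low host,  signal on,  signal-only policy: %d\n",
           host_reaches_high_resource(PRIV_LOW, true, POLICY_SIGNAL_ONLY));
    printf("low host,  signal off, signal-only policy: %d\n",
           host_reaches_high_resource(PRIV_LOW, false, POLICY_SIGNAL_ONLY));
    printf("low host,  signal on,  host-check policy:  %d\n",
           host_reaches_high_resource(PRIV_LOW, true, POLICY_CHECK_HOST));
    printf("high host, signal on,  host-check policy:  %d\n",
           host_reaches_high_resource(PRIV_HIGH, true, POLICY_CHECK_HOST));
    return 0;
}
```

The second and fourth cases show the trade-off the mitigation slides raise: turning the signal off blocks every debug host, including legitimate tooling, while the host-bounded policy still lets a high-privilege host debug.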


SLIDE 106

Conclusion

• We present a study on the security of hardware debugging features on the ARM platform.
• “Safe” components in legacy systems may be vulnerable in advanced systems.
• We suggest a comprehensive rethink on the security of legacy mechanisms.

slide-107
SLIDE 107

References I

[1] IEEE, “Standard for test access port and boundary-scan architecture,” https://standards.ieee.org/findstds/standard/1149.1-2013.html.

[2] D. Balzarotti, G. Banks, M. Cova, V. Felmetsger, R. Kemmerer, W. Robertson, F. Valeur, and G. Vigna, “An experience in testing the security of real-world electronic voting systems,” IEEE Transactions on Software Engineering, 2010.

[3] S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, and M. Blaze, “Why (special agent) johnny (still) can’t encrypt: A security analysis of the APCO project 25 two-way radio system,” in Proceedings of the 20th USENIX Security Symposium (USENIX Security’11), 2011.

[4] L. Cojocar, K. Razavi, and H. Bos, “Off-the-shelf embedded devices as platforms for security research,” in Proceedings of the 10th European Workshop on Systems Security (EuroSec’17), 2017.

[5] N. Corteggiani, G. Camurati, and A. Francillon, “Inception: System-wide security testing of real-world embedded systems software,” in Proceedings of the 27th USENIX Security Symposium (USENIX Security’18), 2018.

[6] L. Garcia, F. Brasser, M. H. Cintuglu, A.-R. Sadeghi, O. A. Mohammed, and S. A. Zonouz, “Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit,” in Proceedings of 24th Network and Distributed System Security Symposium (NDSS’17), 2017.

[7] K. Koscher, T. Kohno, and D. Molnar, “SURROGATES: Enabling near-real-time dynamic analyses of embedded systems,” in Proceedings of the 9th USENIX Workshop on Offensive Technologies (WOOT’15), 2015.

[8] Y. Lee, I. Heo, D. Hwang, K. Kim, and Y. Paek, “Towards a practical solution to detect code reuse attacks on ARM mobile devices,” in Proceedings of the 4th Workshop on Hardware and Architectural Support for Security and Privacy (HASP’15), 2015.

[9] S. Mazloom, M. Rezaeirad, A. Hunter, and D. McCoy, “A security analysis of an in-vehicle infotainment and app platform,” in Proceedings of the 10th USENIX Workshop on Offensive Technologies (WOOT’16), 2016.

slide-108
SLIDE 108

References II

[10] Z. Ning and F. Zhang, “Ninja: Towards transparent tracing and debugging on ARM,” in Proceedings of the 26th USENIX Security Symposium (USENIX Security’17), 2017.

[11] J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti et al., “AVATAR: A framework to support dynamic security analysis of embedded systems’ firmwares,” in Proceedings of 21st Network and Distributed System Security Symposium (NDSS’14), 2014.

slide-109
SLIDE 109

Thank you!

Questions?

zhenyu.ning@wayne.edu http://compass.cs.wayne.edu


slide-110
SLIDE 110

Backup Slides


slide-111
SLIDE 111

Nailgun in different ARM architectures

• 64-bit ARMv8 architecture: ARM Juno r1 board.
  • Embedded Cross Trigger (ECT) for debug request.
  • Binary instruction to Instruction Transfer Register (ITR).
• 32-bit ARMv8 architecture: Raspberry PI Model 3 B+.
  • Embedded Cross Trigger (ECT) for debug request.
  • First and last half of binary instruction should be reversed in ITR.
• ARMv7 architecture: Huawei Mate 7.
  • Use Debug Run Control Register for debug request.
  • Binary instruction to Instruction Transfer Register (ITR).


slide-112
SLIDE 112

Instruction Execution in Debug State

In normal state, TARGET is executing the instructions pointed to by pc


[Figure: TARGET (Normal State). Instruction stream: MOV x0, x3; MOV x1, x4; LDR pc, [pc, #-0x10]; ...; MOV x4, #4; MOV x3, #3; ... with a pc pointer.]

slide-113
SLIDE 113

Instruction Execution in Debug State

In debug state, TARGET stops executing the instruction at pc


[Figure: TARGET (Debug State). Instruction stream: MOV x0, x3; MOV x1, x4; LDR pc, [pc, #-0x10]; ...; MOV x4, #4; MOV x3, #3; ... with a pc pointer. ITR labelled "Binary Instruction".]

slide-114
SLIDE 114

Instruction Execution in Debug State

In debug state, write binary instruction to ITR for execution


[Figure: TARGET (Debug State). Instruction stream: MOV x0, x3; MOV x1, x4; LDR pc, [pc, #-0x10]; ...; MOV x4, #4; MOV x3, #3; ... with a pc pointer. ITR labelled "Binary Instruction"; MOV x4, #0 shown beside it.]

slide-115
SLIDE 115

Instruction Execution in Debug State

In debug state, write binary instruction to ITR for execution


[Figure: TARGET (Debug State). Instruction stream: MOV x0, x3; MOV x1, x4; LDR pc, [pc, #-0x10]; ...; MOV x4, #4; MOV x3, #3; ... with a pc pointer. ITR labelled "Binary Instruction"; MOV x4, #0 shown with 0xB20003E4.]

slide-116
SLIDE 116

Instruction Execution in Debug State

In debug state, write binary instruction to ITR for execution


[Figure: TARGET (Debug State). Instruction stream: MOV x0, x3; MOV x1, x4; LDR pc, [pc, #-0x10]; ...; MOV x4, #4; MOV x3, #3; ... with a pc pointer. ITR now holds 0xB20003E4; MOV x4, #0 shown with 0xB20003E4.]