understanding the security of arm debugging features
play

Understanding the Security of ARM Debugging Features Zhenyu Ning and - PowerPoint PPT Presentation

Feb 13, 2024 •29 likes •679 views

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles for

  1. Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1

  2. Outline ◮ Introduction ◮ Obstacles for Attacking the Traditional Debugging ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 2

  3. Outline ◮ Introduction ◮ Obstacles for Attacking the Traditional Debugging ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 3

  4. Introduction Modern processors are equipped with hardware-based debugging features to facilitate on-chip debugging process. - E.g., hardware breakpoints and hardware-based trace. - It normally requires cable connection (e.g., JTAG [1]) to make use of these features. Understanding the Security of ARM Debugging Features, S&P 19 4

  5. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) Security? Understanding the Security of ARM Debugging Features, S&P 19 5

  6. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) Security? Understanding the Security of ARM Debugging Features, S&P 19 6

  7. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) Security? Understanding the Security of ARM Debugging Features, S&P 19 7

  8. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) Security? Understanding the Security of ARM Debugging Features, S&P 19 8

  9. Introduction Security? We have obstacles for attackers! ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication mechanism. Do these obstacles work? Understanding the Security of ARM Debugging Features, S&P 19 9

  10. Introduction Security? We have obstacles for attackers! ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication mechanism. Do these obstacles work? Understanding the Security of ARM Debugging Features, S&P 19 10

  11. Outline ◮ Introduction ◮ Obstacles for Attacking the Traditional Debugging ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 11

  12. Obstacles for Attacking the Traditional Debugging Obstacles for attackers: ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication mechanism. Does it really require physical access? Understanding the Security of ARM Debugging Features, S&P 19 12

  13. Inter-Processor Debugging We can use one processor on the chip to debug another one on the same chip, and we refer it as inter-processor debugging . ◮ Memory-mapped debugging registers. - Introduced since ARMv7. ◮ No JTAG, No physical access. Understanding the Security of ARM Debugging Features, S&P 19 13

  14. Obstacles for Attacking the Traditional Debugging Obstacles for attackers: ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication mechanism. Does debug authentication work as expected? Understanding the Security of ARM Debugging Features, S&P 19 14

  15. Processor in Normal State TARGET (Normal State) ... pc MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... TARGET is executing instructions pointed by pc Understanding the Security of ARM Debugging Features, S&P 19 15

  16. Processor in Non-invasive Debugging TARGET (Normal State) ... pc MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Non-invasive Debugging : Monitoring without control Understanding the Security of ARM Debugging Features, S&P 19 16

  17. Processor in Invasive Debugging TARGET (Debug State) ... MOV x3, #3 pc x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Invasive Debugging : Control and change status Understanding the Security of ARM Debugging Features, S&P 19 17

  18. ARM Debug Authentication Mechanism TARGET (Normal State) ... Debug pc Disabled MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Debug Authentication Signal : Whether debugging is allowed Understanding the Security of ARM Debugging Features, S&P 19 18

  19. ARM Debug Authentication Mechanism TARGET (Normal State) ... Debug pc Disabled MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Four signals for: Secure/Non-secure, Invasive/Non-invasive Understanding the Security of ARM Debugging Features, S&P 19 19

  20. ARM Ecosystem ARM SoC Vendor OEM User ◮ ARM licenses technology to the SoC Vendors. - E.g., ARM architectures and Cortex processors ◮ Defines the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 20

  21. ARM Ecosystem ARM SoC Vendor OEM User ◮ The SoC Vendors develop chips for the OEMs. - E.g., Qualcomm Snapdragon SoCs ◮ Implement the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 21

  22. ARM Ecosystem ARM SoC Vendor OEM User ◮ The OEMs produce devices for the users. - E.g., Samsung Galaxy Series and Huawei Mate Series ◮ Configure the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 22

  23. ARM Ecosystem ARM SoC Vendor OEM User ◮ Finally, the User can enjoy the released devices. - Tablets, smartphones, and other devices ◮ Learn the status of debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 23

  24. Obstacles for Attacking the Traditional Debugging Obstacles for attackers: ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication mechanism. Does debug authentication work as expected? Understanding the Security of ARM Debugging Features, S&P 19 24

  25. Debug Authentication Signals ◮ What is the status of the signals in real-world device? ◮ How to manage the signals in real-world device? Understanding the Security of ARM Debugging Features, S&P 19 25

  26. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 26

  27. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 27

  28. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 28

  29. Debug Authentication Signals How to manage the signals in real-world device? ◮ For both development boards with manual, we cannot fully control the debug authentication signals. - Signals in i.MX53 QSB can be enabled by JTAG. - The DBGEN and NIDEN in ARM Juno board cannot be disabled. ◮ In some mobile phones, we find that the signals are controlled by One-Time Programmable (OTP) fuse. For all the other devices, nothing is publicly available. Understanding the Security of ARM Debugging Features, S&P 19 29

  30. Obstacles for Attacking the Traditional Debugging Obstacles for attackers: ◮ Obstacle 1 : Physical access. We don’t need physical access to debug a processor. ◮ Obstacle 2 : Debug authentication mechanism. The debug authentication mechanism allows us to debug the processor. Understanding the Security of ARM Debugging Features, S&P 19 30

  31. Outline ◮ Introduction ◮ Obstacles for Attacking the Traditional Debugging ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles in

1.03k views • 63 slides
Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good idea to know what they are Special variables with key information Special functions/libraries that can be used Special options that can be

422 views • 7 slides
Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15. Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1 Overview

451 views • 28 slides
CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and disassembling programs Today: General debugging for C with GDB 2 scanf and sscanf() Lab 2 uses sscanf ( s tring scan f ormat), which parses

430 views • 16 slides
Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15.

772 views • 28 slides
Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia

Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia

Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia Fazzini, and Alessandro Orso Understanding a Program & its Features Debugging Refactoring Debloating Testing Documentation Functionality

637 views • 40 slides
Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image features are useful descriptions of local or global image properties designed to accomplish a certain task You may want to choose different features

1.09k views • 71 slides
Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Welcome to Advanced .NET Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production Challenges in debugging Production issues Production Environment Debugging Timeline Tools for .NET Debugging Review 3

622 views • 47 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image features are useful descriptions of local or global image properties designed (or learned!) to accomplish a certain task You may want to choose di ff

941 views • 70 slides
Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix security model. See how general security principles are implemented in an actual

733 views • 59 slides
Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing Program State Incremental interactive unfolding (DDD) Visual Memory Abstract representations (traversal-based) Debugging Focusing: memory

433 views • 5 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination. Will also talk about the ddd gui for gdb (lots of value added to gdb). First, debugging in the abstract: Program state is a snapshot

475 views • 20 slides
AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text

AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text

AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text features are defined as the elements that stand out in a text because the passage uses a tool to emphasize them. Several purposes for text features include

391 views • 3 slides
ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene

ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene

ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene bgreene@isc.org Agenda ccTLD Security is not new Cybercriminal Toolkit Understanding why security people are irritated might help to provide

751 views • 46 slides
RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope

RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope

RA RACE CE A softw A softwar are e fr framew amewor ork k for inter or interope operable, ble, plug-and plug and-play play, , distributed r distributed robotic obotic sys systems tems-of of-sys systems tems Robert Skilton

382 views • 19 slides
Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David

Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David

Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David Houngninou Southern Methodist University Table of content 1. Target device: MCBSTM32C 2. References 3. GPIO ports: registers and pins 4. Interfacing

585 views • 31 slides
A common high-dimensional linear model of representational spaces in human cortex Jim Haxby Center

A common high-dimensional linear model of representational spaces in human cortex Jim Haxby Center

A common high-dimensional linear model of representational spaces in human cortex Jim Haxby Center for Cognitive Neuroscience, Dartmouth College Center for Mind/Brain Sciences (CIMeC), University of Trento Supported by NSF CRCNS German-US

542 views • 25 slides
Paper number: 136 A deep learning approach to segmentation of the developing cortex in fetal

Paper number: 136 A deep learning approach to segmentation of the developing cortex in fetal

Paper number: 136 A deep learning approach to segmentation of the developing cortex in fetal brain MRI with minimal manual labeling AE Fetit , A Alansary, L Cordero-Grande, J Cupitt, AB Davidson, AD Edwards, JV Hajnal, E Hughes, K Kamnitsas, V

676 views • 11 slides
Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical University of Denmark, Cybercrypt SPHINCS SPHINCS Hash-based signature scheme Stateless 128-bit post-quantum security Sizes: Public

692 views • 55 slides
Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

11 September 2018 Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder , Markus Krausz , and Tim uneysu . G University of Bristol, UK; Ruhr-Universit at Bochum, Germany; and

890 views • 87 slides
Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial

Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial

Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial line (PAL) Quantitative assessment Neural canal width (NCW) Basion-axial interval (BAI) Basion Defined for our purposes as the most

334 views • 11 slides
Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural

Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural

Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural Networks Fully-connected layers im2col+GEMM algorithm for convolution 1x1 convolutional layers Android CPU Landscape Overview of CPU

449 views • 17 slides

More recommend