understanding the security of arm debugging features
play

Understanding the Security of ARM Debugging Features Zhenyu Ning and - PowerPoint PPT Presentation

Feb 06, 2024 •399 likes •1.03k views

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles in

  1. Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1

  2. Outline ◮ Introduction ◮ Obstacles in Traditional Debugging Model ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 2

  3. Outline ◮ Introduction ◮ Obstacles for Traditional Debugging Model ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 3

  4. Introduction Modern processors are equipped with hardware-based debugging features to facilitate on-chip debugging process. - e.g. debug registers, debug exceptions and hardware-based trace. - It normally requires JTAG [1] connection to make use of these features. Understanding the Security of ARM Debugging Features, S&P 19 4

  5. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) What makes it secure? Understanding the Security of ARM Debugging Features, S&P 19 5

  6. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) What makes it secure? Understanding the Security of ARM Debugging Features, S&P 19 6

  7. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) What makes it secure? Understanding the Security of ARM Debugging Features, S&P 19 7

  8. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) What makes it secure? Understanding the Security of ARM Debugging Features, S&P 19 8

  9. Introduction What makes it secure? ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication. Do these obstacles work? Understanding the Security of ARM Debugging Features, S&P 19 9

  10. Introduction What makes it secure? ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication. Do these obstacles work? Understanding the Security of ARM Debugging Features, S&P 19 10

  11. Outline ◮ Introduction ◮ Obstacles for Traditional Debugging Model ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 11

  12. Obstacles for Traditional Debugging Model It is due to two general assumptions: ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication. Does it really require physical access? Understanding the Security of ARM Debugging Features, S&P 19 12

  13. Inter-Processor Debugging We can use one processor on the chip to debug another one on the same chip, and we refer it as inter-processor debugging . ◮ Memory-mapped debugging registers. - Introduced since ARMv7. ◮ No JTAG, No physical access. Understanding the Security of ARM Debugging Features, S&P 19 13

  14. Obstacles for Traditional Debugging Model It is due to two general assumptions: ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication. Does debug authentication work as expected? Understanding the Security of ARM Debugging Features, S&P 19 14

  15. ARM Debug Authentication TARGET (Normal State) ... pc MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... TARGET is executing instructions pointed by pc Understanding the Security of ARM Debugging Features, S&P 19 15

  16. ARM Debug Authentication TARGET (Normal State) ... pc MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Non-invasive Debugging : Monitoring without control Understanding the Security of ARM Debugging Features, S&P 19 16

  17. ARM Debug Authentication TARGET (Debug State) ... MOV x3, #3 pc x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Invasive Debugging : Control and change status Understanding the Security of ARM Debugging Features, S&P 19 17

  18. ARM Debug Authentication TARGET (Normal State) ... Debug pc Disabled MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Debug Authentication Signal : Whether debugging is allowed Understanding the Security of ARM Debugging Features, S&P 19 18

  19. ARM Debug Authentication TARGET (Normal State) ... Debug pc Disabled MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Four signals for: Secure/Non-secure, Invasive/Non-invasive Understanding the Security of ARM Debugging Features, S&P 19 19

  20. ARM Ecosystem ARM SoC Vendor OEM User ◮ ARM licenses technology to the SoC Vendors. - e.g., ARM architectures and Cortex processors ◮ Defines the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 20

  21. ARM Ecosystem ARM SoC Vendor OEM User ◮ The SoC Vendors develop chips for the OEMs. - e.g., Qualcomm Snapdragon SoCs ◮ Implement the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 21

  22. ARM Ecosystem ARM SoC Vendor OEM User ◮ The OEMs produce devices for the users. - e.g., Samsung Galaxy Series and Huawei Mate Series ◮ Configure the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 22

  23. ARM Ecosystem ARM SoC Vendor OEM User ◮ Finally, the User can enjoy the released devices. - Tablets, smartphones, and other devices ◮ Learn the status debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 23

  24. Debug Authentication Signals ◮ What is the status of the signals in real-world device? ◮ How to manage the signals in real-world device? Understanding the Security of ARM Debugging Features, S&P 19 24

  25. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 25

  26. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 26

  27. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 27

  28. Debug Authentication Signals How to manage the signals in real-world device? ◮ For both development boards with manual, we cannot fully control the debug authentication signals. - Signals in i.MX53 QSB can be enabled by JTAG. - The DBGEN and NIDEN in ARM Juno board cannot be disabled. ◮ In some mobile phones, we find that the signals are controlled by One-Time Programmable (OTP) fuse. For all the other devices, nothing is publicly available. Understanding the Security of ARM Debugging Features, S&P 19 28

  29. Obstacles for Traditional Debugging Model To summarize, ◮ We don’t need physical access to debug a processor. ◮ The debug authentication also allows us to debug the processor. Understanding the Security of ARM Debugging Features, S&P 19 29

  30. Outline ◮ Introduction ◮ Obstacles for Traditional Debugging Model ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 30

  31. Nailgun Attack Memory-mapped Interface Debug Target Debug Host (TARGET) (HOST) Understanding the Security of ARM Debugging Features, S&P 19 31

  32. Nailgun Attack Memory-mapped Interface Debug Target Debug Host (TARGET) (HOST) Understanding the Security of ARM Debugging Features, S&P 19 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles for

679 views • 65 slides
Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good idea to know what they are Special variables with key information Special functions/libraries that can be used Special options that can be

422 views • 7 slides
Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15. Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1 Overview

451 views • 28 slides
CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and disassembling programs Today: General debugging for C with GDB 2 scanf and sscanf() Lab 2 uses sscanf ( s tring scan f ormat), which parses

430 views • 16 slides
Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15.

772 views • 28 slides
Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia

Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia

Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia Fazzini, and Alessandro Orso Understanding a Program & its Features Debugging Refactoring Debloating Testing Documentation Functionality

637 views • 40 slides
Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image features are useful descriptions of local or global image properties designed to accomplish a certain task You may want to choose different features

1.09k views • 71 slides
Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Welcome to Advanced .NET Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production Challenges in debugging Production issues Production Environment Debugging Timeline Tools for .NET Debugging Review 3

622 views • 47 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image features are useful descriptions of local or global image properties designed (or learned!) to accomplish a certain task You may want to choose di ff

941 views • 70 slides
Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix security model. See how general security principles are implemented in an actual

733 views • 59 slides
Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing Program State Incremental interactive unfolding (DDD) Visual Memory Abstract representations (traversal-based) Debugging Focusing: memory

433 views • 5 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination. Will also talk about the ddd gui for gdb (lots of value added to gdb). First, debugging in the abstract: Program state is a snapshot

475 views • 20 slides
AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text

AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text

AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text features are defined as the elements that stand out in a text because the passage uses a tool to emphasize them. Several purposes for text features include

391 views • 3 slides
ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene

ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene

ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene bgreene@isc.org Agenda ccTLD Security is not new Cybercriminal Toolkit Understanding why security people are irritated might help to provide

751 views • 46 slides
70: Discrete Math and Probability Theory The Truth about CS70 Satish Rao Programming +

70: Discrete Math and Probability Theory The Truth about CS70 Satish Rao Programming +

70: Discrete Math and Probability Theory The Truth about CS70 Satish Rao Programming + Microprocessors Superpower! ...according to me. What are your super powerful programs/processors doing? Its transformative. 21st year at Berkeley.

376 views • 5 slides
Recent Progress in Generative Modeling Ilya Sutskever Goal of OpenAI Make sure that AI is

Recent Progress in Generative Modeling Ilya Sutskever Goal of OpenAI Make sure that AI is

Recent Progress in Generative Modeling Ilya Sutskever Goal of OpenAI Make sure that AI is actually good for humanity Goal of OpenAI Prevent concentration of AI power Build AI to benefit as many people as possible Build AI that

596 views • 55 slides
Cada Da - Welsh Meeting Template Social Language Learning Program - Template - Monday - Dydd

Cada Da - Welsh Meeting Template Social Language Learning Program - Template - Monday - Dydd

Web Meeting SET UP Cada Da - Welsh Meeting Template Social Language Learning Program - Template - Monday - Dydd Llun July 11 - UTC 15:30 [Wales 4:30pm, Argentina 12:30pm, Eastern US 11:30am] Launch Meeting and Countdown Time Zone Converter

1.36k views • 58 slides
Ubiquitous Computing CS 6456 Lecture Gabriel Reyes CS-HCI PhD Student Evolution of Computer

Ubiquitous Computing CS 6456 Lecture Gabriel Reyes CS-HCI PhD Student Evolution of Computer

Ubiquitous Computing CS 6456 Lecture Gabriel Reyes CS-HCI PhD Student Evolution of Computer Hardware o First Generation (1940-1956) o Vacuum Tubes Evolution of Computer Hardware o Second Generation (1956-1963) o Transistors John Bardeen,

717 views • 67 slides
IEEE PES 6 th GENERAL MEETING SIGN IN HERE: tinyurl.com/PES-SignIn6 Last General Meeting for Fall

IEEE PES 6 th GENERAL MEETING SIGN IN HERE: tinyurl.com/PES-SignIn6 Last General Meeting for Fall

IEEE PES 6 th GENERAL MEETING SIGN IN HERE: tinyurl.com/PES-SignIn6 Last General Meeting for Fall 2018 :( But no worries! Well be starting up again next semester! Keep a look-out for rooms and dates in the newsletter (sign in to sign up).

378 views • 24 slides
The Cache Manager Johnny Healey MetaArchive Project Emory University Atlanta, Georgia June 5,

The Cache Manager Johnny Healey MetaArchive Project Emory University Atlanta, Georgia June 5,

Introduction Installation Using the Cache Manager The Cache Manager Johnny Healey MetaArchive Project Emory University Atlanta, Georgia June 5, 2007 Johnny Healey The Cache Manager Introduction Installation Using the Cache Manager What

489 views • 11 slides
Lecture 20: Toolkits David Bindel 8 Nov 2011 Logistics Project 3 Scaling experiments

Lecture 20: Toolkits David Bindel 8 Nov 2011 Logistics Project 3 Scaling experiments

Lecture 20: Toolkits David Bindel 8 Nov 2011 Logistics Project 3 Scaling experiments should vary number of vertices and number of threads / processors Its okay to just use MPI / OpenMP timer routines if you dont like

323 views • 15 slides
Image and Video Coding: Hybrid Video Coding s n 1 [ x , y ] s n [ x , y ] m k = ( m x , m

Image and Video Coding: Hybrid Video Coding s n 1 [ x , y ] s n [ x , y ] m k = ( m x , m

Image and Video Coding: Hybrid Video Coding s n 1 [ x , y ] s n [ x , y ] m k = ( m x , m y ) k x y Hybrid Video Coding Last Lectures: Block-Based Image Coding s k [ x , y ] u k [ x , y ] t k [ x , y ] q k [ x , y ] bitstream scalar

958 views • 42 slides

More recommend