who we are eshard embedded security company software
play

Who we are Eshard - Embedded Security Company Software & - PowerPoint PPT Presentation

Feb 17, 2024 •206 likes •752 views

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we do: @eshardNews Tools: Side Channel / Code Analysis Consultancy https://www.eshard.com Audit contact@eshard.com Training

  1. Who we are Eshard - Embedded Security Company ● Software & Hardware Security What do we do: @eshardNews ● Tools: Side Channel / Code Analysis ● Consultancy https://www.eshard.com Audit ● contact@eshard.com ● Training Bordeaux + Marseille 1

  2. Attack TrustZone with Rowhammer GreHack 2017 Pierre Carru - eshard pierre.carru@eshard.com 2

  3. Presentation Summary 1. Rowhammer → Corrupt Mem 2. TrustZone → Secure enclave ~25 min 3. Attack : Corrupt TrustZone Mem 4. Questions 3

  4. Context - Existing Rowhammer-based Exploitations Intel ● ○ clflush instruction (2014 original attack) ○ cache eviction (rowhammer.js 2015) ○ non-temporal instructions (2016) one location hammering (few days ago) ○ ● Mobile (arm): no direct way for unprivileged user ○ Drammer (end 2016) uses uncached memory region → exploit gains root privilege ○ No cache eviction method working yet → not enough access/second (yet)? 4

  5. Context - Existing TrustZone Attacks ● Software Bugs in Qualcomm’s TEE , and Widevine TA: ○ Dan Rosenberg (2014): Integer overflow No exploitation ○ Gal Beniamini (2015 - 2016): 1. Missing parameter validation in Secure Kernel Call → Shellcode execution in Secure Kernel ⇒ Few TrustZone Attack 2. Buffer Overflow in Widevine TA → Shellcode execution in TA, and then in Secure Kernel CLKSCREW (Tang 2017): ● Faults in microarchitecture using frequency and voltage scaling → Retrieve private key, Load self-signed TA Other ARM Plaforms: undisclosed / unknown? ● 5

  6. Rowhammer attack against TrustZone NS S Assumption: Linx Kernel TEE Kernel ● Rowhammer vulnerable device ● Kernel Privilege in Normal OS Objectives: User TEE User ● Corrupt Memory marked Secure If possible, exploit corruptions in order to gain more privileges ● We focus on the Secure / Non-Secure border → We use maximum privilege in Non-Secure Side 6

  7. Realization - Example Exploitation Platform: Any Cortex-A based ARM Development board with TrustZone Support ● Linux in Non-Secure Side ● Custom Trusty based TEE PoC attack: 1. TEE provides an RSA-CRT signing mechanism 2. Secret Key stored in S Memory 3. Linux uses Rowhammer to fault the Secret Key (crosses the TrustZone border) 4. Linux uses faulty signature to recover Secret Key “Bellcore” ( Boneh, DeMillo, Lipton ) 7

  8. Exploitation Principle (1) Non-Secure World Secure World “NS” “S” Linux TEE Please sign m=“Hello” Compute using RSA key c ← RSA-CRT(key, m) Return signature c=0x24A96… and public key (n,e) RSA key • public: n, e • private: d, p, q • precomputed private: d p ,d q , qInv 8

  9. Exploitation Principle (2) Non-Secure World Secure World “NS” “S” Linux TEE Rowhammer attack Faults d p — its value is now d p ’ targeted at key area RSA key • public: n, e • private: d, p, q • precomputed private: d p ’ , d q , qInv Please sign m=“Hello” Compute using RSA key Return signature c’ =0x68F6… c’ ← RSA-CRT( key’ , m) and public key (n,e) Recovers private RSA key Using m and c’ values 9

  10. Rowhammer 10

  11. System Architecture SoC Processor DRAM Chip Processor Processor AXI AXI L1 L2 DRAM Processor Cache Cache Controller DRAM Chip DDR Protocol usually only 1 PoP Need to Go through the caches! May reorder on mobile accesses 11

  12. How to generate faults in DRAM 12

  13. DRAM Storage Cell Capacitor as storage mechanism Capacitor either: charged → logic 1 ● ● discharged → logic 0 Capacitors lose their charge over time ⇒ have to be recharged periodically “refreshed” 13

  14. A DRAM Chip contains multiple Banks Usually on Mobile: 1 PoP LPDDR3/4 Chip Image: Onur Mutlu 14

  15. x8 DRAM Bank 15 Image: Memory Systems - Cache, DRAM, Disk

  16. DRAM Array Bitline ACTIVATE Cell Open Row Row 3 → Row Buffer Row Decoder MS Row 2 Address READ/WRITE Row 1 R or W Column LS (in buffer) Row 0 Wordline PRECHARGE Row Buffer Close Row Sense Amplifier Column Decoder REFRESH Data Out 16

  17. Row Access Access to an opened row: ● No need to ACTIVATE ● Just READ/WRITE to access row buffer Access to a closed row: ● PRECHARGE current row ACTIVATE new row ● ● READ/WRITE 17

  18. Simple-Sided Rowhammer Need to ACTIVATE two distinct Rows in the same Array Because accessing the same Row consecutively ⇒ hit the row buffer ROW 4 May generate ROW 3 ROW 2 0 → 1 or 1 → 0 flips ROW 1 ROW BUFFER 18

  19. Double-Sided Rowhammer Hammer rows adjacent to the target Row → generates more flips ROW n+1 Flips are reproducible on ROW n a particular RAM chip → due to manufacturing? ROW n-1 ROW BUFFER 19

  20. How to address rows from CPU 20

  21. Memory Mapping - How to address adjacent rows (1) 4 Banks, x8 Bus Width No Bank Interleaving Bank 0 Bank 1 . . . s y a Byte [n_col] r r A 8 Byte [0x01] Byte [n_col - 1] Bottom and Top rows can’t Byte [0x00] be attacked with double Row 0 Col 0: 8 bits sided technique (1 bit per Array) 21

  22. Memory Mapping - How to address adjacent rows (2) 4 Banks, x8 Bus Width With Bank Interleaving Bank 0 Bank 1 . . . s y a Byte r r A [n_col×n_banks] 8 Byte [0x01] Byte [n_col] Byte [n_col - 1] Byte [0x00] Row 0 Col 0: 8 bits (1 bit per Array) 22

  23. Deduce Memory Characterics & Configuration using Timing Characterization Pseudo code (simplified) base = 0x…; for (i = start; i < end; i += step) { ts = start () read_at (base) read_at (i) time[i] = end (ts) } Can be crossed checked with datasheets if DRAM Chip is identified 23

  24. Rowhammer Implementation (2) NS S Need to map region around target physical location Kernel TEE → ioremap [target_pa - Δ, target_pa + Δ] Kernel Need to bypass the caches: “uncacheable” region User TEE User → ioremap_nocache SoC Processor DMC DRAM Processor Processor Processor L1 L2 Timer 24

  25. Rowhammer Implementation (1) In Kernel Module for simplicity Code Simplified: /* row before */ addrs[0] = target_va - (mem->n_banks * mem->row_size); /* row after */ addrs[1] = target_va + (mem->n_banks * mem->row_size); for ( int j = 0; j < iterations; j++) { *row_before = pattern; /* write or read */ *row_after = pattern; } 25

  26. TrustZone 26

  27. TrustZone Rationale Want: Secure processor runs OS with manageable Security ● ≠ Android ● Some hardware resources only accessible to Secure OS Do not want to: ● Waste silicon space on separate processor ● Hardware duplication → TrustZone: ● Time sharing of processor, ≈ virtually 2 distinct processors ● Some resources available only to the Secure processor 27

  28. System Bus - AXI Masters: ex: DMA Controller, AXI interface CPU ● Read from slaves Modem, ... ● Write to slaves NS read to TrustZone Introduces a new S read to 0x1234 0x1234 transaction attribute: NS ∈ {0, 1} DRAM Controller Image: ARM 28

  29. Adaptations to IPs AXI slave responsible to enforce S/NS logic L1, L2 Caches Memory controller Touchscreen DMA controller MMU Interrupt controller … Existing devices can be modified to become aware of TrustZone Or an extra adapter IP can wrap a device to provide S/NS logic 29

  30. ARM Gadget2008 30

  31. ARM Procesor Architecture extensions Principles: Only “secure software” can make S transactions. NS OS calls “secure software” which checks if call request is legal Implementation: New state dimension: NS is {0, 1} New processor mode : monitor (in addition to usr, svc, …) PL1 New instruction: SMC , similar to SVC but for: PL1 → monitor New system controls (SCR, …), CP15 Register banking 31

  32. Modes, privilege levels, Security States (Simplified, ARMv7-A) 32

  33. Modes, privilege levels, Security States (Simplified, ARMv7-A) SVC ERET ERET SVC SMC SMC ERET ERET 33

  34. Execution Non-Secure Secure In one state at a time Startup (per core) Bootloader Time TEE OS Init Start linux Context Switches through monitor Linux Offer services to linux 34 S Interrupt

  35. Attack 35

  36. RSA-CRT - Fast implementation of the RSA signature based on CRT Signature s of the message m is defined as: Some constants precalculated at key generation The signature can be calculated: exponents and modulus are smaller ⇒ faster 36

  37. RSA-CRT Fault Attack - “Bellcore” On the Importance of Checking Cryptographic Protocols for Faults Boneh, DeMillo, Lipton 1997 If d q is faulted and becomes d q ’ The signature calculation become s’ instead of s p can then be calculated and is: The whole private key can then be derived 37

  38. PoC - Implemented System Overview Trusty generates random RSA key in secure memory at boot NS S Offers signature mechanism to Linux Shared mem Linux Trusty + context switch “ row ” module used to generate faults to a row target address using Rowhammer ioctl sign “ sign ” tool uses Trusty’s signature service userspace tool and calculates gcd 38

  39. Memory Setup Board physical address space 0 0x1000_0000 0x5000_0000 0xFFFF_FFFF U G A DRAM I R C T 1G DRAM Physical addresses 0x4800_0000 0x1000_0000 0x5000_0000 0x2000_0000 0x3000_0000 0x4000_0000 Linux Unused Trusty Keys Offset in 0 256M 512M 768M 1G DRAM 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A c c e l e r a t e y o u r d e v e l o p m e n t Real Embedded company; 150 employees

A c c e l e r a t e y o u r d e v e l o p m e n t Real Embedded company; 150 employees

A c c e l e r a t e y o u r d e v e l o p m e n t Real Embedded company; 150 employees 120+ embedded software developers 20+ FPGA designers 10+ board designers Founded in 1996, privately owned Dutch based company, with

140 views • 13 slides
Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing. Mohammad. Abdullah Al Faruque Dipl.-Inform. Sebastian Kobbe CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science

847 views • 72 slides
Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Presented by: Joris Jonkers Both &amp; Patrick Spaans Supervisor: Alexandru Geana Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward 1 Introduction RISC-V64 - Like ARM but open source - One

524 views • 37 slides
1 How are embedded systems different Timing and Concurrency than traditional software? Fire

1 How are embedded systems different Timing and Concurrency than traditional software? Fire

What is an Embedded System? Definition of an embedded computer system: Embedded Systems is a digital system. Introduction uses a microprocessor (usually). runs software for some or all of its functions. frequently used as a

158 views • 3 slides
Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim

Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim

Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati (EURECOM) Aurlien Francillon (EURECOM) 08/15/18 Embedded Systems Are Everywhere [1]

911 views • 65 slides
embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt Gierlichs KU Leuven, COSIC IACR Summer school 2015 Chia Laguna, Italy Attack on channel between communicating parties Encryption and

412 views • 6 slides
Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group

Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group

Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group Grace Hopper 1947 2 Overview Debugging techniques Debugging a distributed system Preparation for the exam Debugging Write good code!

733 views • 45 slides
Software for Embedded Systems Galyna Tabunshchyk Prof. Software Tools Department ZNTU, Ukraine

Software for Embedded Systems Galyna Tabunshchyk Prof. Software Tools Department ZNTU, Ukraine

Development of Embedded System Courses with implementation of Innovative Virtual approaches for integration of Research, Education and Production in UA, GE, AM Pilot Teaching Implementation Software for Embedded Systems Galyna Tabunshchyk

397 views • 14 slides
Embedded Software R&amp;D at ETRI: Qplus, Esto, and Nano Qplus Heung-Nam Kim Embedded S/W

Embedded Software R&amp;D at ETRI: Qplus, Esto, and Nano Qplus Heung-Nam Kim Embedded S/W

Embedded Software R&amp;D at ETRI: Qplus, Esto, and Nano Qplus Heung-Nam Kim Embedded S/W Research Division Electronics and Telecommunications Research Institute, KOREA hnkim@etri.re.kr Abstract It is said that embedded software technology

339 views • 4 slides
SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva b.fischer@ecs.soton.ac.uk Bounded Model Checking (BMC) Basic Idea: check negation of given property

957 views • 33 slides
Embedded Software Streaming Embedded Software Streaming via Block Stream via Block Stream A

Embedded Software Streaming Embedded Software Streaming via Block Stream via Block Stream A

Embedded Software Streaming Embedded Software Streaming via Block Stream via Block Stream A Dissertation by Pramote Kucharoen Dissertation Advisor Professor Vincent J. Mooney III 7 April 2004 Outline Outline Introduction Related

1.1k views • 75 slides
Embedded C/C++ Programming using Software Components Evgueni Driouk Principal Software Engineer

Embedded C/C++ Programming using Software Components Evgueni Driouk Principal Software Engineer

Enhanced Project Management for Embedded C/C++ Programming using Software Components Evgueni Driouk Principal Software Engineer MCU Development Tools 1 Outline Introduction Challenges of embedded software development What is

360 views • 19 slides
Accessing Middleware from Qt, QML or HTML5 basysKom... introducing ourselves l Embedded Software

Accessing Middleware from Qt, QML or HTML5 basysKom... introducing ourselves l Embedded Software

Accessing Middleware from Qt, QML or HTML5 basysKom... introducing ourselves l Embedded Software Engineering Partner for the development of innovative quality products l Expertise in... Embedded R&amp;D Embedded architecture design,

588 views • 33 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Soteria: Offline Software Protection within Low-cost Embedded Devices Johannes Gtzfried ,

Soteria: Offline Software Protection within Low-cost Embedded Devices Johannes Gtzfried ,

Dagstuhl16: Adaptive Isolation for Predictability and Security Wadern, Germany Soteria: Offline Software Protection within Low-cost Embedded Devices Johannes Gtzfried , Tilo Mller , Ruan de Clercq , Pieter Maene , Felix

581 views • 20 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Consensus: Paxos Haobin Ni Oct 22, 2018 What is consensus? A group of people go to the same

Consensus: Paxos Haobin Ni Oct 22, 2018 What is consensus? A group of people go to the same

Consensus: Paxos Haobin Ni Oct 22, 2018 What is consensus? A group of people go to the same place for the same meal. A set of nodes have the same value for the same variable. X=7 X=7 X=7 Why is it important? In state machine replication

1.1k views • 46 slides
Nested T ransactions in a Logical Language fo r Active Rules Bertram Lud ascher

Nested T ransactions in a Logical Language fo r Active Rules Bertram Lud ascher

Nested T ransactions in a Logical Language fo r Active Rules Bertram Lud ascher W olfgang Ma y Geo rg Lausen Institut f ur Info rmatik Universit at F reiburg Germany Overview Intro duction

314 views • 16 slides
The Memory-Tightness of Authenticated Encryption Stefano Tessaro Ashrujit Ghoshal Joseph Jaeger

The Memory-Tightness of Authenticated Encryption Stefano Tessaro Ashrujit Ghoshal Joseph Jaeger

The Memory-Tightness of Authenticated Encryption Stefano Tessaro Ashrujit Ghoshal Joseph Jaeger University of Washington CRYPTO 2020 Concrete security theorems: resources 1 0 resources Traditionally: time

402 views • 29 slides
BOMB: OUR ROLE AS EDUCATORS Ken Shain November 16, 2019 PRESENTOR Ken enneth eth S. Sha hain

BOMB: OUR ROLE AS EDUCATORS Ken Shain November 16, 2019 PRESENTOR Ken enneth eth S. Sha hain

DEFUSING THE RACE BOMB: OUR ROLE AS EDUCATORS Ken Shain November 16, 2019 PRESENTOR Ken enneth eth S. Sha hain Teacher &amp; PD Facilitator, Minneapolis School District Teacher of the Year Nominee, 2017 MFT Local 59, Executive

946 views • 58 slides
Autovectorization with LLVM Hal Finkel April 12, 2012 The LLVM Compiler Infrastructure 2012

Autovectorization with LLVM Hal Finkel April 12, 2012 The LLVM Compiler Infrastructure 2012

Autovectorization with LLVM Hal Finkel April 12, 2012 The LLVM Compiler Infrastructure 2012 European Conference Hal Finkel (Argonne National Laboratory) Autovectorization with LLVM April 12, 2012 1 / 29 1 Introduction 2 Basic-Block

426 views • 29 slides
Execution Integrity Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Execution Integrity Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Execution Integrity Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Expected vs. Abnormal Execution Behavior 2 A programs execution should follow some expected behavior by its developers Expected

558 views • 41 slides
h s i l a c o L Distributed Models for Statistical Data Privacy Adam Smith Based on

h s i l a c o L Distributed Models for Statistical Data Privacy Adam Smith Based on

h s i l a c o L Distributed Models for Statistical Data Privacy Adam Smith Based on L. Reyzin, A. Smith, S. Yakoubov BU Computer Science https://eprint.iacr.org/2018/997 PPML 2018 Workshop A. Cheu, A. Smith, J. Ullman, D.

711 views • 48 slides
Achieving Correctness in Fair Rational Secret Sharing Sourya Joyee De &amp; Asim K Pal

Achieving Correctness in Fair Rational Secret Sharing Sourya Joyee De &amp; Asim K Pal

Achieving Correctness in Fair Rational Secret Sharing Sourya Joyee De &amp; Asim K Pal sjoyeede@gmail.com,asim@iimcal.ac.in Indian Institute of Management Calcutta 12th International Conference on Cryptology and Network Security November 20,

417 views • 22 slides

More recommend