DOI: 10.1145/3274694.3274704

Prime+Count: Novel Cross-world Covert Channels on ARM TrustZone

Published: 03 December 2018

Abstract

The security of ARM TrustZone relies on the idea of splitting system-on-chip hardware and software into two worlds, namely normal world and secure world. In this paper, we report cross-world covert channels, which exploit the world-shared cache in the TrustZone architecture. We design a Prime+Count technique that only cares about how many cache sets or lines have been occupied. The coarser-grained approach significantly reduces the noise introduced by the pseudo-random replacement policy and world switching. Using our Prime+Count technique, we build covert channels in single-core and cross-core scenarios in the TrustZone architecture. Our results demonstrate that Prime+Count is an effective technique for enabling cross-world covert channels on ARM TrustZone.

Information

Published In

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference
December 2018
766 pages
ISBN:9781450365697
DOI:10.1145/3274694
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. ARM TrustZone
  2. Cache side-channel
  3. Covert channels

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC '18

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (last 12 months): 45
  • Downloads (last 6 weeks): 9

Reflects downloads up to 09 Nov 2024.

Cited By

  • (2024) Prime+Reset: Introducing A Novel Cross-World Covert-Channel Through Comprehensive Security Analysis on ARM TrustZone. 2024 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 1-6. DOI: 10.23919/DATE58400.2024.10546531. Online publication date: 25-Mar-2024.
  • (2024) A Side-Channel Analysis of Sensor Multiplexing for Covert Channels and Application Profiling on Mobile Devices. IEEE Transactions on Dependable and Secure Computing 21(4), pp. 3141-3152. DOI: 10.1109/TDSC.2023.3323732. Online publication date: Jul-2024.
  • (2024) UnTrustZone: Systematic Accelerated Aging to Expose On-chip Secrets. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4107-4124. DOI: 10.1109/SP54263.2024.00069. Online publication date: 19-May-2024.
  • (2024) TrustZoneTunnel: A Cross-World Pattern History Table-Based Microarchitectural Side-Channel Attack. 2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 01-11. DOI: 10.1109/HOST55342.2024.10545376. Online publication date: 6-May-2024.
  • (2024) DTA: Run TrustZone TAs Outside the Secure World for Security Testing. IEEE Access 12, pp. 16715-16727. DOI: 10.1109/ACCESS.2024.3358612. Online publication date: 2024.
  • (2023) CVTEE: A Compatible Verified TEE Architecture With Enhanced Security. IEEE Transactions on Dependable and Secure Computing 20(1), pp. 377-391. DOI: 10.1109/TDSC.2021.3133576. Online publication date: 1-Jan-2023.
  • (2023) Designing Secure Performance Metrics for Last Level Cache. 2023 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), pp. 383-392. DOI: 10.1109/IPDPSW59300.2023.00069. Online publication date: May-2023.
  • (2023) Vizard: Passing Over Profiling-Based Detection by Manipulating Performance Counters. IEEE Access 11, pp. 48099-48112. DOI: 10.1109/ACCESS.2023.3260179. Online publication date: 2023.
  • (2023) Time's a Thief of Memory. Smart Card Research and Advanced Applications, pp. 3-24. DOI: 10.1007/978-3-031-25319-5_1. Online publication date: 29-Jan-2023.
  • (2022) Cross-World Covert Channel on ARM Trustzone through PMU. Sensors 22(19), 7354. DOI: 10.3390/s22197354. Online publication date: 28-Sep-2022.
