ABSTRACT
ARM TrustZone builds a trusted execution environment on the concept of hardware separation. It has been quite successful in defending against various software attacks, forcing attackers to look instead for vulnerabilities in interface designs and side channels. The recently reported CLKscrew attack breaks TrustZone from software by overclocking the CPU to induce hardware faults. However, overclocking makes the processor run at a very high frequency, which is relatively easy to detect and prevent, for example by hardware frequency locking. In this paper, we propose a novel software-controlled, hardware-fault-based attack, VoltJockey, on multi-core processors that adopt dynamic voltage and frequency scaling (DVFS) for energy efficiency. Unlike CLKscrew, we manipulate the voltages rather than the frequencies through the DVFS unit to induce hardware faults on the victim cores, which makes VoltJockey stealthier and harder to prevent than CLKscrew. We deliberately control the fault generation so that differential fault analysis can be applied to break TrustZone. The entire attack is carried out in software, with no hardware involvement. We implement VoltJockey on an ARM-based Krait processor in a commodity Android phone and demonstrate how to reveal the AES key held in TrustZone and how to breach RSA-based TrustZone authentication. These results suggest that VoltJockey is comparable in efficiency to side channels for obtaining TrustZone-guarded credentials, and that it has the potential to bypass RSA-based verification and load untrusted applications into TrustZone. We also discuss both hardware-based and software-based countermeasures and their limitations.
Index Terms
VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies