VoltJockey: Abusing the Processor Voltage to Break Arm TrustZone

Pengfei Qiu, Dongsheng Wang, Yongqiang Lyu, G. Qu
GetMobile Mob. Comput. Commun., published 2020-09-29. DOI: 10.1145/3427384.3427394 (https://doi.org/10.1145/3427384.3427394)
Citations: 4

Abstract

Based on the concept of hardware separation, ARM introduced TrustZone to build a trusted execution environment for applications. It has been quite successful in defending against various software attacks and forcing attackers to explore vulnerabilities in interface designs and side channels. In this article, we propose an innovative software-controlled hardware fault-based attack, VoltJockey, on multi-core processors that adopt dynamic voltage and frequency scaling (DVFS) techniques for energy efficiency. We deliberately manipulate the processor voltage via DVFS to induce hardware faults in the victim cores, thereby breaking TrustZone. The entire attack process is based on software without any involvement of hardware, which makes VoltJockey stealthy and hard to prevent. We implement VoltJockey on an ARM-based processor from a commodity Android phone and demonstrate how to reveal the AES key from TrustZone and how to breach the RSA-based TrustZone authentication. These results suggest that VoltJockey has a comparable efficiency to side channels in obtaining TrustZone-guarded credentials, as well as the potential of bypassing the RSA-based verification to load untrusted applications into TrustZone.