{"title":"Advanced Covert-Channels in Modern SoCs","authors":"L. Bossuet, Carlos Andres Lara-Nino","doi":"10.1109/HOST55118.2023.10133626","DOIUrl":null,"url":null,"abstract":"Modern SoCs can be protected against software attacks under the paradigm of secure enclaves, which are built employing technologies like ARM TrustZone. These protections are meant to enforce access policies so that the interaction between untrusted/trusted applications and hardware components is limited. However, the possibility of creating covert channels within the SoC threatens these isolation models. Among other approaches, it has been shown that it is possible to create covert channels by exploiting the frequency-modulation technology available in these platforms. These attacks are devastating, since digital circuits generally use a single power distribution network. This provides the medium for the implementation of such covert channels. Heterogeneous SoCs are particularly vulnerable in this regard, as under these platforms multiple operating ecosystems coalesce. The problem is exacerbated because these systems have become more prevalent with each new generation. In this paper, we explore the implementation of frequency-based covert-channels using Zynq UltraScale+ SoCs as a case study. Our findings demonstrate that it is possible to exchange information between Linux-based applications, bare metal applications, and hardware modules, achieving transmission rates up to 750 Kbps.","PeriodicalId":128125,"journal":{"name":"2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","volume":"323 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HOST55118.2023.10133626","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Modern SoCs can be protected against software attacks under the paradigm of secure enclaves, which are built employing technologies like ARM TrustZone. These protections are meant to enforce access policies so that the interaction between untrusted/trusted applications and hardware components is limited. However, the possibility of creating covert channels within the SoC threatens these isolation models. Among other approaches, it has been shown that it is possible to create covert channels by exploiting the frequency-modulation technology available in these platforms. These attacks are devastating, since digital circuits generally use a single power distribution network. This provides the medium for the implementation of such covert channels. Heterogeneous SoCs are particularly vulnerable in this regard, as under these platforms multiple operating ecosystems coalesce. The problem is exacerbated because these systems have become more prevalent with each new generation. In this paper, we explore the implementation of frequency-based covert-channels using Zynq UltraScale+ SoCs as a case study. Our findings demonstrate that it is possible to exchange information between Linux-based applications, bare metal applications, and hardware modules, achieving transmission rates up to 750 Kbps.