UnTrustZone

General overview

At a high level, UntrustZone is an attack on secrets stored in on-chip SRAM (including caches) that exploits long-term data remanence: the aging a cell undergoes while it holds the same value for an extended period. The attack shows how an adversary with physical access can electrically reach the SRAM, accelerate that aging to imprint the stored data in the analog domain, and later read it back from the power-on state of a secure memory region, even when a hardware-backed enclave such as TrustZone isolates the data during execution. Our findings demonstrate that relying on fully on-chip execution to prevent off-chip memory attacks (e.g., cold boot or NVM probing), even with hardware-enforced isolation behind it, is inadequate against this attack. By exposing this gap in contemporary countermeasures under our threat model, UntrustZone underscores the need for more robust defenses against physical attacks of this kind.

The paper "UnTrustZone: Systematic Accelerated Aging to Expose On-chip Secrets," by Jubayer Mahmod & Matthew Hicks, is scheduled to appear in IEEE Security & Privacy'24.
An updated version of the paper is available.

High-level approach

Our threat model considers an attacker with physical access to a device whose on-chip secrets are protected by specific countermeasures (such as TrustZone) against standard hardware- and software-level attacks. We develop threat models tailored to both the target information and the specific System-on-Chip (SoC), each representing a distinct attack scenario within this broad threat model. We observe that even complex SoCs expose two things an attacker needs: an uncontaminated SRAM power-on state (the start-up pattern before firmware overwrites it) and the core voltage pins. An attacker can use these to accelerate aging in the SRAM and read the secure data directly. This observation leads to the UntrustZone attack, in which the accuracy of secret retrieval depends on how strongly the aging process is accelerated, which we control through supply voltage and temperature.

The attack starts by locating the appropriate voltage pin(s) and the corresponding off-chip power delivery components, then measuring the nominal voltage at those pin(s). With the attack parameters determined experimentally and guided by the publicly available device datasheet, we subject the target device to stress conditions. During this burn-in, the secrets held in SRAM are imprinted into the cells' analog domain, so that they can later be recovered from the SRAM's power-on state. To highlight the risk of long-term data remanence, we carry out the attack on more than a dozen commercial devices, ranging from single-cycle microcontrollers to full-scale application processors.
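The readout step of the procedure above, as an added example that is not code from the paper or its repository: it captures the chip's uncontaminated power-on state before aging as a baseline, captures it again after burn-in, and decides each bit from the per-bit shift in start-up probability over repeated power cycles, then scores the result with the accuracy metric used in the demos below. The aging model (`simulate_aging`) is a constructed toy, a fixed shift of each bit's start-up probability, and not the paper's device physics; the direction of the shift is calibrated from a block of bits assumed to be known to the attacker (for example constants in the same image) rather than assumed in either direction. All function names and the sample data are this example's own.

```python
"""Readout side of a burn-in attack on SRAM power-on state.

Added example, not code from the UnTrustZone paper or its repository. It
shows how the secret is recovered once aging has imprinted it: capture the
uncontaminated power-on state before aging as a baseline, capture it again
after aging, and decide each bit from the per-bit shift in start-up
probability over repeated power cycles. simulate_aging() is a constructed toy
model (a fixed shift of each bit's start-up probability), not the paper's
device physics, and the direction of the shift is calibrated from a block of
known bits rather than assumed.
"""
import random


def power_on_dump(bias, rng):
    """One power cycle: bit i reads 1 with probability bias[i] (toy model)."""
    return [1 if rng.random() < p else 0 for p in bias]


def startup_probability(dumps):
    """Per-bit fraction of power cycles in which the bit came up as 1."""
    n_bits = len(dumps[0])
    return [sum(d[i] for d in dumps) / len(dumps) for i in range(n_bits)]


def recover_bits(baseline_dumps, aged_dumps, calib_idx, calib_bits, secret_idx):
    """Recover the bits at secret_idx from the aging-induced shift.

    baseline_dumps: power-on dumps taken before aging (the clean start-up
    pattern of this chip). aged_dumps: dumps taken after burn-in.
    calib_idx/calib_bits: positions whose stored value is known (assumption:
    the attacker knows some bits, e.g. constants in the same image); they
    decide whether the shift moves toward or away from the stored value.
    """
    base = startup_probability(baseline_dumps)
    aged = startup_probability(aged_dumps)
    shift = [a - b for a, b in zip(aged, base)]
    # Sum of shifts signed by the known bit: positive means "toward stored value".
    toward = sum(shift[i] if calib_bits[k] else -shift[i]
                 for k, i in enumerate(calib_idx))
    sign = 1 if toward >= 0 else -1
    return [1 if sign * shift[i] > 0 else 0 for i in secret_idx]


def accuracy(recovered, truth):
    """Fraction of secret bits recovered correctly (the metric quoted below)."""
    return sum(r == t for r, t in zip(recovered, truth)) / len(truth)


def simulate_aging(stored_bits, bias, strength, toward):
    """Toy aging model: move each bit's start-up probability by `strength`
    toward (toward=True) or away from (toward=False) the value it held
    during burn-in. This is a constructed stand-in for real remanence."""
    aged = []
    for p, b in zip(bias, stored_bits):
        direction = 1 if b == 1 else -1
        if not toward:
            direction = -direction
        aged.append(min(1.0, max(0.0, p + direction * strength)))
    return aged


def run_demo(n_secret=256, n_calib=64, cycles=100, strength=0.3,
             toward=False, seed=1):
    """End-to-end run on constructed data; returns recovery accuracy."""
    rng = random.Random(seed)
    n = n_secret + n_calib
    bias = [rng.uniform(0.2, 0.8) for _ in range(n)]   # intrinsic start-up bias
    stored = [rng.randrange(2) for _ in range(n)]      # calibration block + secret
    calib_idx = list(range(n_calib))
    secret_idx = list(range(n_calib, n))
    baseline = [power_on_dump(bias, rng) for _ in range(cycles)]
    aged_bias = simulate_aging(stored, bias, strength, toward)
    aged = [power_on_dump(aged_bias, rng) for _ in range(cycles)]
    recovered = recover_bits(baseline, aged, calib_idx, stored[:n_calib], secret_idx)
    return accuracy(recovered, stored[n_calib:])


if __name__ == "__main__":
    print("recovery accuracy on constructed data: %.3f" % run_demo())
```

Two points carry over to a real target. Subtracting the pre-aging baseline matters because every SRAM has an intrinsic start-up pattern that is unrelated to the secret; without the baseline, strongly biased cells look like imprinted bits. And the number of power cycles sets the noise floor of each start-up probability estimate, so with a weak imprint (small `strength` here, short or mild burn-in on hardware) more cycles are needed before the per-bit decision becomes reliable.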

Cryptographic key extraction from TrustZone

In our first demo, we show how UntrustZone can reveal a cryptographic key from a system that relies entirely on on-chip computation secured by TrustZone. The victim runs on the Microchip SAML11, a widely used microcontroller marketed for its security features, and uses on-chip cryptography with the hardware crypto accelerators to protect a plaintext. Despite these measures, we recover the key with 97.2% accuracy without any post-attack cryptanalysis.


Firmware extraction

Our second demo targets proprietary firmware designed to resist off-chip cloning and backed by TrustZone. Even though the CPU performs all computation on-chip, UntrustZone recovers the firmware's instructions and run-time data from the SRAM with up to 95.82% accuracy.

Stealing Secrets from Cache

In the third scenario, we extend the attack to more complex SoCs (Broadcom parts built around Arm Cortex-A53 and Cortex-A72 cores) whose software uses the cores' private caches as long-term storage for secrets so that they never reach off-chip memory. We extract secrets from the caches of both a Cortex-A53 and a Cortex-A72 processor, with 79% and 93% accuracy, respectively.


Disclosure

In accordance with the vulnerability disclosure guidelines of Oakland'24, we contacted the manufacturers of the devices against which we validated UntrustZone.

Acknowledgements

The project depicted is sponsored by the Defense Advanced Research Projects Agency. The content of the information does not necessarily reflect the position or the policy of the Government, and no official endorsement should be inferred. Approved for public release; distribution is unlimited.

Questions?

Please contact: jubayer@vt.edu