YouTube

Got a YouTube account?

New: enable viewer-created translations and captions on your YouTube channel!

34C3 - TrustZone is not enough

Get Embed Code
1 Language

https://media.ccc.de/v/34c3-8831-trustzone_is_not_enough

Hijacking debug components for embedded security

This talk deals with embedded systems security and ARM processors architecture. Most of us know that we can perform security with the ARM TrustZone framework. I will show that most ARM processors include debug components (aka CoreSight components) that can be used to create efficient security mechanisms.

Embedded security is still a hot topic. For several years, ARM have proposed its TrustZone framework. With some colleagues, we have studied how we could use debug components available in most ARM processors to create security mechanisms targeting a wide range of attacks (buffer overflows, ROPs…) with minimal performance overheads.
We use CoreSight debug components in with a technique called dynamic information flow tracking (aka DIFT) which allow us to monitor the execution of an application at runtime. Compared to existing works, we show that there’s no need to modify the main processor (existing binaries will be compatible!). Furthermore, we used a coprocessor implemented in reconfigurable logic (FPGA chip) to speedup the DIFT process.
This ARM/FPGA combo is up to 90% faster than related techniques in terms of instrumentation time. Furthermore, as the ARM CPU has not been modified (while existing works do modify it…), the final user doesn’t have to recompile all his/her programs to be compatible with our approach.
We will also show a few clues to indicate how we could target multi-threaded/multi-processor architectures as it is the case of most embedded systems by now.

Pascal Cotret

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8831.html