36C3 preroll music
Herald: Our next speaker's way is paved
with broken trust zones. He's no stranger
to breaking ARMs, equipment or crypto
wallets or basically anything he touches.
It just dissolves in his fingers. He's one
of Forbes' 30 under 30 in tech. And
please give a warm round of applause to
Thomas Roth.
Applause.
Thomas: Test, okay. Wonderful. Yeah.
Welcome to my talk. TrustZone-M: Hardware
attacks on ARMv8-M security features. My
name is Thomas Roth. You can find me on
Twitter. I'm @stacksmashing and I'm a
security researcher, consultant and
trainer affiliated with a couple of
companies. And yeah, before we can start,
I need to thank some people. So first
off, Josh Datko and Dimitri Nedospasov,
who've been super helpful any time I was
stuck somewhere, or just wanted some
feedback. They immediately helped me. And
also Colin O'Flynn, who gave me constant
feedback and helped me with some troubles,
gave me tips and so on. And so without
these people and many more who paved the
way towards this research, I wouldn't be
here. Also, thanks to NXP and Microchip
who I had to work with as part of this
talk. And it was awesome. I had a lot of
very bad vendor experiences, but these two
were really nice to work with. Also, some
prior work: Colin O'Flynn and Alex Dewar
released a paper, I guess last year or
this year, "On-Device Power Analysis
Across Hardware Security Domains", where
they basically looked at TrustZone from a
differential power analysis viewpoint.
Otherwise, TrustZone-M is pretty new, but
lots of work has been done on the big or
real TrustZone, and there's also lots and
lots of work on fault injection, far too
much to list here. So just google fault
injection and you'll see what I mean.
Before we start, what is TrustZone-M? So
TrustZone-M is the small TrustZone. It's
basically a simplified version of the big
TrustZone that you find on Cortex-A
processors. So basically if you have an
Android phone, chances are very high that
your phone actually runs TrustZone and
that, for example, your key store of
Android is backed by TrustZone. And
TrustZone basically splits the CPU into a
secure and a non-secure world. And so, for
example, you can say that a certain
peripheral should only be available to the
secure world. So, for example, if you have
a crypto accelerator, you might only want
to use it in the secure world. Also, if
you're wondering what the difference to
an MPU is: it also comes with two MPUs.
Sorry, not MMUs, MPUs. And so last year
we gave a talk on Bitcoin wallets, so
let's take those as an example. On a
Bitcoin wallet you often have different
apps, for example for Bitcoin, Dogecoin
or Monero, and then underneath you have an
operating system. The problem is that
this operating system is very complex
because it has to handle graphics
rendering and so on and so forth. And
chances are high that it gets compromised.
And if it gets compromised, all your funds
are gone. And so with TrustZone, you could
basically have a second operating system
separated from your normal one that
handles all the important stuff like
firmware update, key store attestation and
so on and reduces your attack surface. And
the reason I actually looked at
TrustZone-M is we got a lot of requests
for consulting on TrustZone-M. So
basically, after our talk last year, a lot
of companies reached out to us and said,
okay, we want to do this, but more
securely. And a lot of them try to use
TrustZone-M for this. And so far there's
been, as far as I know, little public
research into TrustZone-M and whether it's
protected against certain types of
attacks. And we also have companies that
start using them as secure chips. So, for
example, in the automotive industry, I
know somebody who was thinking about
putting them into car keys. I know about
some people in the payment industry
evaluating this. And as said, hardware
wallets. And one of the terms that comes up
again and again is: this is a secure chip.
But I mean, what is a secure chip
without a threat model? There's no such
thing as a secure chip because there are
so many attacks, and you need to have a
threat model to understand what you are
actually protecting against. So, for
example, a chip might have software
features or hardware features that make
the software more secure, such as NX bit
and so on and so forth. And on the other
hand, you have hardware attacks, for
example debug ports, side-channel attacks
and fault injection. And often the
description of a chip doesn't really tell
you what it's protecting you against. And
often I would even say it's misleading in
some cases. And so you will see, oh, this
is a secure chip and you ask marketing and
they say, yeah, it has the most modern
security features. But it doesn't really
specify whether they are, for example,
protecting against fault injection attacks
or whether they consider this out of
scope. In this talk, we will exclusively
look at hardware attacks and more
specifically, we will look at fault
injection attacks on TrustZone-M. And so
all of the attacks we're going to see are
local to the device: you need to have it
in your hands, and there's normally no
chance of exploiting them remotely.
Yeah. So this will be our agenda. We will
start with a short introduction of
TrustZone-M, which will have a lot of
theory on like memory layouts and so on.
We will talk a bit about the fault-
injection setup and then we will start
attacking real chips. These 3, as you will
see. So on a Cortex-M processor you have a
flat memory map. You don't have a memory
management unit and all your peripherals,
your flash, your RAM, it's all mapped to a
certain address in memory and TrustZone-M
allows you to partition your flash or your
RAM into secure and non secure parts. And
so, for example, you could have a tiny
secure area because your secret code is
very small and a big non secure area. The
same is true for RAM and also for the
peripherals. So for example, if you have a
display and a crypto engine and so on. You
can decide whether these peripherals
should be secure or non secure. And so
let's talk about these two security
states: secure and non secure. Well, if
you have code running in secure flash or
you have secure code running, it can call
anywhere into the non secure world. It's
basically the highest privilege level you
can have. And so there's no protection
there. However, the opposite, if we tried
to go from the non secure world into the
secure world, would be insecure, because,
for example, you could jump to parts of
the code that are behind certain
protections and so on. And so that's why,
if you try to jump from non secure code
into secure code, it will cause an
exception. And to handle that, there's a
third memory state which is called non
secure callable. And as the name implies,
basically your non secure code can call
into the non secure callable code. More
specifically, it can only call to non
secure callable code addresses where
there's an SG instruction which stands for
Secure Gateway. And the idea behind the
secure gateway is that if you have a non
secure kernel running, you probably also
have a secure kernel running. And
somehow this secure kernel will expose
certain system calls, for example. And so
we want to somehow call from the non
secure kernel into these system calls, but
as I've just mentioned, we can't do that
because this will unfortunately cause an
exception. And so the way this is handled
on TrustZone-M is that you create so-
called secure gateway veneer functions.
These are very short functions in the non
secure callable area. And so if we want,
for example, to call the load key system
call, we would call the load key veneer
function, which in turn would call the
real load key function. And these veneer
functions are super short. So if you look
at the disassembly of them, it's like two
instructions. It's the secure gateway
instruction and then a branch instruction
to what's your real function. And so if we
combine this, we end up with this diagram:
secure can call into non secure, non
secure can call into NSC, and NSC can call
into the secure world. But how do we
manage these memory states? How do we know
what security state does an address have?
And so for this in TrustZone-M, we use
something called attribution units, and
by default there are two attribution
units available. The first one
is the SAU, the Security Attribution Unit,
which is standard across chips. It's
basically defined by ARM how you use this.
And then there's the IDAU, the
Implementation Defined Attribution Unit,
which is basically custom to the silicon
vendor, but can also be the same across
several chips. And to get the security
state of an address, the security
attributions of both the SAU and the IDAU
are combined, and whichever one has the
higher privilege level will basically win.
And so let's say our SAU says this address
is secure and our IDAU says this address
is non secure: the SAU wins, because it's
the highest privilege level. And basically
our address would be considered secure.
This is a short table. If both the SAU and
the IDAU agree that an address is non
secure, it will be non secure. If both
say, hey, this is secure, it will be
secure. However, if they disagree, and the
SAU says, hey, this address is secure,
while the IDAU says it's non secure, it
will still be secure, because secure is
the higher privilege level. The opposite
case works the same way. And even with non
secure callable, secure is more privileged
than NSC, and so secure will win. But if
we mix NS and NSC, we get non secure
callable. Okay. My initial
hypothesis when I read all of this was: if
hypothesis when I read all of this was if
we break or disable the attribution units,
we probably break the security. And so to
break these, we have to understand them.
And so let's look at the SAU, the Security
Attribution Unit. It's standardized by
ARM. It's not available on all chips. And
it basically allows you to create memory
regions with different security states.
So, for example, if the SAU is turned off,
everything will be considered secure. And
if we turn it on, but no regions are
configured, still, everything will be
secure. We can then go and add, for
example, address ranges and make them NSC
or non secure and so on. And this is done
very, very easily. You basically have
these five registers. You have the SAU
control register where you basically can
turn it on or off. You have the SAU type,
which gives you the number of supported
regions on your platform because this can
be different across different chips. And
then we have the region number register,
which you use to select the region you
want to configure and then you set the
base address and the limit address. And
that's basically it. So, for example, if
we want to set region zero, we simply set
the RNR register to zero. Then we set the
base address to 0x1000. We set the limit
address to 0x1FE0, which is effectively
the same as 0x1FFF, because the low bits
of the limit register hold some flags
that we don't care about right now. And
then we turn on the
security attribution unit and now our
memory range is marked as secure. If you
want to create a second region, we simply
change RNR to, for example, 1, again
insert some nice addresses, turn on the
SAU, and we have a second region, this
time from 0x4000 to 0x5FFF. So to
summarize, we have
three memory security states. We have S
secure and we have NSC non secure callable
and we have NS non secure. We also have
the two attribution units: the SAU,
standardized by ARM, and the IDAU, which
is potentially custom. We will use the
SAU and IDAU a lot, so this was very
important.
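The combination rule can be sketched in a few lines of Python (the precedence logic is from the table above; the function name and state labels are just for illustration):

```python
# Security states, ordered from least to most privileged.
PRIVILEGE = {"NS": 0, "NSC": 1, "S": 2}

def combine_attribution(sau_state: str, idau_state: str) -> str:
    """Combine the SAU and IDAU attributions for an address:
    whichever state is more privileged wins."""
    return max(sau_state, idau_state, key=lambda s: PRIVILEGE[s])

# SAU says secure, IDAU says non secure: secure wins.
assert combine_attribution("S", "NS") == "S"
# Mixing NS and NSC yields non secure callable.
assert combine_attribution("NS", "NSC") == "NSC"
```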
Cool. Let's talk about fault injection. So
as I've mentioned, we want to use fault
injection to compromise TrustZone. And the
idea behind fault injection or as it's
also called glitching is to introduce
faults into a chip. So, for example, you
cut the power for a very short amount of
time, or you change the period of the
clock signal, or you could even go and
inject electromagnetic shocks into your
chip. You can also shoot at it with a
laser and so on and so forth. Lots of ways
to do this. And the goal is
to cause undefined behavior. And in this
talk, we will specifically look at
something called voltage glitching. And so
the idea behind voltage glitching is that
we cut the power to the chip for a very,
very short amount of time, at a very
precisely timed moment. And this will
cause some interesting behavior. So
basically, if you would look at this on an
oscilloscope, we would basically have a
stable voltage, stable voltage, stable
voltage, and then suddenly it drops and
immediately returns. And this drop will
only be a couple of nanoseconds long. And
so, for example, you can have glitches
that are 10 nanoseconds long or 15
nanoseconds long and so on. Depends on
your chip. And yeah. And this allows you
to do different things. So, for example, a
glitch can allow you to skip instructions.
It can corrupt flash reads or flash
writes. It can corrupt memory reads or
register reads and writes. And skipping
instructions for me is always the most
interesting one, because it allows you to
directly go from disassembly to
understanding what you can potentially
jump over. So, for example, if we have
some code, this would be a basic firmware
boot-up code: we have an initialize-device
function, then we have a function
that basically verifies the firmware
that's in flash, and then we have this
boolean check whether our firmware was
valid. And now if we glitch at just the
right time, we might be able to glitch
over this check and boot our potentially
compromised firmware, which is super nice.
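That boot flow can be modeled as a tiny Python simulation (all names here are made up for illustration; real boot code would of course be C):

```python
def boot(firmware_valid: bool, glitched: bool = False) -> str:
    """Simplified boot flow: verify the firmware in flash, then
    boot only if the check passed. A well-timed glitch makes the
    CPU skip the comparison entirely."""
    if not glitched and not firmware_valid:
        return "halt"  # normal path: refuse invalid firmware
    return "boot"      # glitched: the check never executes

assert boot(firmware_valid=False) == "halt"
assert boot(firmware_valid=False, glitched=True) == "boot"
```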
So how does this relate to TrustZone?
Well, if we manage to glitch over enable
TrustZone, we might be able to break
TrustZone. So how do you actually do this?
Well, we need something to wait for a
certain delay and generate a pulse at just
the right time with very high precision.
We are talking about nanoseconds here,
and we also need something to drop the
power to the target. And so if you need
precise timing and so on, what works very
well is an FPGA. And so, for example, the
code that was released as part of this all
runs on the Lattice iCEstick, which is
roughly 30 bucks, plus a cheap MOSFET, so
together this is like thirty-one dollars
of equipment. And on the setup
side, this looks something like this. You
would have your FPGA, which has a trigger
input. And so, for example, if you want to
glitch something during the boot-up of a
chip, you could connect this to the reset
line of the chip. And then we have an
output for the glitch pulse. And then if
we hook this all up, we basically have our
power supply to the chip run over a
MOSFET. And then if the glitch pulse goes
high, we drop the power to ground and the
chip doesn't get power for a couple of
nanoseconds. Let's talk about this power
supply, because a chip has a lot of
different things inside of it. So, for
example, a microcontroller has a CPU core.
We have a Wi-Fi peripheral. We have GPIO.
We might have Bluetooth and so on. And
often these peripherals run at different
voltages. And so while our microcontroller
might just have a 3.3 volt input,
internally there are a lot of different
voltages at play. And the way these
voltages are generated often is using
in-chip regulators. And basically these
regulators take the 3.3 volts in
and then generate the different voltages
for the CPU core and so on. But what's
nice is that on a lot of chips, behind
the core regulator, there are so-called
bypass capacitors, and these external
capacitors are basically there to
stabilize the voltage, because regulators
tend to have a very noisy output and you
use the capacitor to make it smoother.
But if you look at this, this also gives
us direct access to the CPU core power
supply. And so if we just take a heat gun
and remove the capacitor, we actually kind
of change the pin out of the processor
because now we have a 3.3 volt input, we
have a point to input the core voltage and
we have ground. So we basically gained
direct access to the internal CPU core
voltage rails. The only problem is these
capacitors are there for a reason. And so if we
remove them, then your chip might stop
working. But very easy solution. You just
hook up a power supply to it, set it to
1.2 volts or whatever, and then suddenly
it works. And this also allows you to
glitch very easily. You just glitch on
your power rail towards the chip. And so
this is our current setup. So we have the
Lattice iCEstick. We also use a
multiplexer as an analog switch to cut the
power to the entire device if we want to
reboot everything. We have the MOSFET and
we have a power supply. Now hooking this
all up on a breadboard is fun the first
time, it's okay the second time. But the
third time it begins to really, really
suck. And as soon as something breaks with
like 100 jumper wires on your desk, the
only way to debug is to start over. And so
that's why I decided to design a small
hardware platform that combines all of
these things. So it has an FPGA on it. It
has analog input and it has a lot of
glitch circuitry and it's called the Mark
Eleven. If you've read William Gibson, you
might know where this is from. And it
contains a Lattice iCE40, which has a
fully open source toolchain, thanks to
Clifford Wolf and others. And this allows us
to very, very quickly develop new
triggers, develop new glitcher code and so
on. And it makes compilation and
everything really really fast. It also
comes with three integrated power
supplies. So we have a 1.2 volt power
supply, 3.3 volts, 5 volts and so on, and you
can use it for DPA. And this is based
around some existing devices. So, for
example, the FPGA part is based on the
1BitSquared iCEBreaker. The analog front
end, thanks to Colin O'Flynn, is based on
the ChipWhisperer Nano. And then the
glitch circuit is basically what we've
been using on breadboards for quite a
while. Just combined on a single device.
And so unfortunately, as always with
hardware, production takes longer than you
might assume. But if you drop me a message
on Twitter, I'm happy to send you a PCB as
soon as they work well. And the BOM is
around 50 bucks. Cool. So now that we are
ready to actually attack chips,
let's look at an example. So the very
first chip that I encountered that used
TrustZone-M was the Microchip SAM L11. And
so this chip was released in June 2018.
And it's kind of a small, slow chip.
It runs at 32 megahertz. It has up to 64
kilobytes of flash and 16 kilobytes of
SRAM, but it's super cheap. It's like one
dollar eighty at quantity one. And so it's
really nice, really affordable. And we had
people come up to us and suggest, hey, I
want to build a TPM on top of this or I
want to build a hardware wallet on top of
this. And so on and so forth. And if we
look at the website of this chip, it has a
lot of security in it. So it's the best
contribution to IoT security winner of
2018. And if you just type secure into the
word search, you get like 57 hits. So this
chip is 57 secure. (Laughter) And even on
the website itself, you have like chip
level security. And then if you look at
the first of the descriptions, you have
robust chip-level security, including
chip-level tamper resistance and an active
shield that protects against physical
attacks and resists micro-probing attacks.
And then there's a part of the datasheet
where I got really worried, because, as I
said, I do a lot with the core voltage: it
has a brown-out detector that has been
calibrated in production and must not be
changed, and so on. Yeah. To be
fair, when I talked to Microchip, they
mentioned that they absolutely want to
communicate that this chip is not hardened
against hardware attacks, but I can see
how somebody who looks at this would get
the wrong impression given all the terms
and so on. Anyway, so let's talk about the
TrustZone in this chip. So the SAM L11
does not have a security attribution unit.
Instead, it only has the implementation
defined attribution unit. And the
configuration for this implementation
defined attribution unit is stored in the
user row, which is basically the
configuration flash. It's also called
fuses in the datasheet sometimes, but I
think it's really flash-based. I haven't
checked, but I'm pretty sure it is,
because you can read it, write it, change
it and so on. And the IDAU, once you've
configured it in the user row, will be set
up by the boot ROM during the start of the
chip. And the idea behind the
IDAU is that all your flash is partitioned
into two parts, the bootloader part and
the application part, and both of these
can be split into secure, non secure
callable and non secure. So you can have a
bootloader, a secure and a non secure one,
and you can have an application, a secure
and a non secure one. And the size of
these regions is controlled by these five
registers. And for example, if we want to
change our non secure application to be
bigger and make our secure application a
bit smaller, we just fiddle with these
registers and the sizes will adjust and
the same with the bootloader. So this is
pretty simple. How do we attack it? My
goal initially was: I want to somehow read
data from the secure world while running
code in the non secure world. So, jump the
security gap. My code in non secure should
be able to, for example, extract keys from
the secure world, and my attack path for
that was: well, I glitch the boot ROM
code that loads the IDAU
configuration. But before we can actually
do this, we need to understand: is this
chip actually glitchable? Is it
susceptible to glitches, or do we
immediately get thrown out? And so I
used a very simple setup where I just had
a firmware and tried to glitch out of the
loop and enable an LED. And I had success
in less than five minutes and super stable
glitches almost immediately. Like when I
saw this, I was 100 percent sure that I
messed up my setup or that the compiler
optimized out my loop or that I did
something wrong, because I never glitched
a chip in five minutes. And so this was
pretty awesome, but I also spent another
two hours verifying my setup. So, okay.
Cool, we know that the chip is glitchable, so
let's glitch it. What do we glitch? Well,
if we think about it somewhere during the
boot ROM, these registers are read from
flash and then some hardware is somehow
configured. We don't know how, because we
can't dump the boot ROM; we don't know
what's going on in the chip. And the
datasheet has a lot of pages. And I'm a
millennial. So, yeah, I read what I have
to read and that's it. But my basic idea
was: if we somehow manage to glitch the
point where it tries to read the value of
the AS register, we might be able to set
it to zero, because most chip peripherals
will initialize to zero. And if we glitch
the instruction that reads AS, maybe
we can make our non secure application
bigger, so that we can actually
read the secure application data, because
now it's considered non secure. But:
Problem 1: the boot ROM is not dumpable,
so we cannot just disassemble it and
figure out when it roughly does this. And
problem 2 is that we don't know when
exactly this read occurs, and our glitch
needs to be instruction-precise. We need
to hit just the right instruction to make
this work. And the solution is brute
force. But I mean like nobody has time for
that. Right? If the chip boots for 2
milliseconds, that's a long range we have
to search for glitches. And so, very easy
solution: power analysis. It turns out
that, for example, Riscure has done this
before, where basically they tried to
figure out at which point in time a JTAG
lock is set by comparing the power
consumption.
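That kind of differential comparison can be sketched in Python (the trace data below is made up; real traces would come from a scope or a ChipWhisperer):

```python
import statistics

def first_divergence(traces_a, traces_b, threshold=0.1):
    """Average each group of power traces sample-by-sample and
    return the first sample index where the means differ by more
    than `threshold` -- a candidate point in time to glitch."""
    mean_a = [statistics.mean(s) for s in zip(*traces_a)]
    mean_b = [statistics.mean(s) for s in zip(*traces_b)]
    for i, (a, b) in enumerate(zip(mean_a, mean_b)):
        if abs(a - b) > threshold:
            return i
    return None

# Two fake groups of 20 traces that diverge at sample 3.
secure = [[0.5, 0.5, 0.5, 0.9, 0.9]] * 20
nonsecure = [[0.5, 0.5, 0.5, 0.2, 0.2]] * 20
assert first_divergence(secure, nonsecure) == 3
```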
And so the idea is, we basically write
different values to the AS register, then
we collect a lot of power traces and then
we look for the differences. And this is
relatively simple to do if you have a
ChipWhisperer. So, this was my rough
setup: we just have the ChipWhisperer-Lite,
we have a breakout with the chip we
want to attack and a programmer. And then
we basically collect a couple of traces.
And in my case, even just 20 traces are
enough, which takes, I don't know, like
half a second to run. And if you have 20
traces in non secure mode, 20 traces in
secure mode and you compare them, you can
see that there are clear differences in
the power consumption starting at a
certain point. And so I wrote a script
that does some more statistics on it and
so on. And that basically told me the best
glitch candidate starts at 2.18
milliseconds. And this needs to be so
precise because, as I said, we're in the
milli- and nanoseconds range, and so we
want to make sure that we are at the
right point in time. Now, how do you
actually build the setup where you
basically get a success indication
once you broke this? For this, I needed to
write a firmware that basically attempts
to read secure data. And then, if it's
successful, it enables a GPIO, and if it
fails, it does nothing and I just reset
and try again. I knew my rough delay, and
I was triggering off the reset of the
chip, so I just tried different delays
after it and different glitch pulse
lengths and so on. And eventually I
had a success. And these glitches, as you
will see, are super easy to write with the
glitcher we released a while back, because
all it takes is like 20 lines of Python:
you basically set up a loop, set up the
delay and the pulse length, iterate over a
range of pulses, and then in this case you
just check whether your GPIO is high or
low. That's all it takes.
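A sweep in that style might look like the following sketch (the actual glitcher API is not shown here; the hardware interaction is abstracted into a callback so the loop stays generic):

```python
import itertools

def sweep(try_glitch, delays, pulse_lengths):
    """Iterate over delay/pulse-length combinations. try_glitch
    should reset the target, fire a glitch with the given
    parameters and return True if the success GPIO went high.
    Returns the first working parameter pair, or None."""
    for delay, pulse in itertools.product(delays, pulse_lengths):
        if try_glitch(delay, pulse):
            return delay, pulse
    return None

# Fake target for demonstration: exactly one pair "works".
fake = lambda d, p: (d, p) == (2_180_000, 15)
assert sweep(fake, range(2_179_990, 2_180_010), range(10, 20)) == (2_180_000, 15)
```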
And then once you have this running in a
stable fashion, it's amazing how fast it
works. So this is a recorded video of
a live glitch, of a real glitch,
basically. And you can see we have like 20
attempts per second, and after a couple of
seconds we actually get a success
indication: we just broke a chip. Sweet.
But one thing: I moved to a part of
Germany, in the very south, called the
Schwabenland. And I mean, 60 bucks? We are
known to be very cheap, and 60 bucks
translates to like six beers at
Oktoberfest. Just to convert this to the
local currency, that's like 60 Club Mate.
Unacceptable. We need to go cheaper, much
cheaper, and so.
laughter and applause
What if we take a chip that is 57 secure
and we try to break it with the smallest
chip we can find? And so this is an
ATtiny, which costs, I don't know, a euro
or two. We combine it with a MOSFET (to
keep the comparison, that's roughly 3 Club
Mate), we hook it all up on a jumper
board, and it turns out: this works. You
can have a relatively stable glitcher with
like 120 lines of assembly running on the
ATtiny, and this will glitch your chip
successfully and can break TrustZone on
the SAM L11. The problem is chips are very
complex and it's always very hard to do an
attack on a chip that you configured
yourself because as you will see, chances
are very high that you messed up the
configuration and for example, missed a
security bit, forgot to set something and
so on and so forth. But luckily, in the
case of the SAM L11, there's a version of
this chip which comes already configured.
This is called the SAM L11 KPH. It comes
pre-provisioned with a key and with a
trusted execution environment already
loaded into the secure part of the chip,
it ships completely secured, and the
customer can write and debug non secure
code only. And also you
can download the SDK for it and write your
own trustlets and so on. But I couldn't
because it requires you to agree to their
terms and conditions, which exclude
reverse engineering. So no chance,
unfortunately. But anyway, this is the
perfect example to test our attack. You
can buy these chips on DigiKey and then
try to break into the secure world because
these chips are hopefully decently secured
and have everything set up and so on. And
yeah. So this was the setup. We designed
our own breakout board for the SAM L11,
which makes it a bit more accessible, has
JTAG and has no capacitors in the way. So
you get access to all the core voltages
and so on, and you have the FPGA on the top
left, the super cheap 20-bucks power supply
and the programmer. And then we just
implemented a simple function that uses
OpenOCD to try to read an address that we
normally can't read. So basically, we
glitch, then we start OpenOCD, which uses
the JTAG adapter to try to read secure
memory. And so I hooked it all up, wrote a
nice script and let it rip. And after a
while, well, a couple of seconds, I
immediately got a successful attack on the
chip, and more and more. And you can see
just how stable you can get these glitches
and how well you can attack this. Yeah.
So, sweet: hacked. We
can compromise the root of trust and the
trusted execution environment. And this is
perfect for supply chain attacks. Right.
Because if you can compromise a part of
the chip that the customer will not be
able to access, they will never find you.
But the problem with supply chain attacks
is, they're pretty hard to scale and they
are only for sophisticated actors normally
and far too expensive is what most people
will tell you, except if you hack the
distributor. And so, I guess last year
or this year, I don't know, I actually
found a vulnerability in DigiKey, which
allowed me to access any invoice on
DigiKey, including the credentials you
need to actually change the invoice. And
so basically the bug is that, when you
requested an invoice, they did not check
whether you actually had permission to
access it. And
you have the web access id on top and the
invoice number. And that's all you need to
call DigiKey and change the delivery,
basically. And so this also is all data
that you need to reroute the shipment. I
disclosed this. It's fixed. It's been
fixed again afterwards. And now hopefully
this should be fine. So I feel good to
talk about it. And so let's walk through
the scenarios. We have Eve and we have
DigiKey and Eve builds this new super
sophisticated IoT toilet and she needs a
secure chip. So she goes to DigiKey and
orders some SAM L11 KPHs and Mallory.
Mallory scans all new invoices on DigiKey.
And as soon as somebody orders a SAM L11,
they talk to DigiKey with the API or via a
phone call to change the delivery address.
And because you know who the chips are
going to, you can actually target this
very, very well. So now the chips get
delivered to Mallory, Mallory backdoors
the chips and then sends the backdoored
chips to Eve, who is none the wiser,
because it's
the same carrier, it's the same, it looks
the same. You have to be very, very
mindful of these types of attack to
actually recognize them. And even if they
open the package and they try the chip
and they scan everything they can scan,
the backdoor will be in the part of the
chip that they cannot access. And so we
just supply-chain attacked whoever, using
a UPS envelope,
basically. So, yeah. Interesting attack
vector. So I talked to Microchip and it's
been great. They've been super nice. It
was really a pleasure. I also talked to
Trustonic, who were very open to this and
wanted to understand it. And so it was
great. And they explicitly state that this
chip only protects against software
attacks while it has some hardware
features like tamper ressistant RAM. It is
not built to withstand fault injection
attacks. And even if you compare it now,
different revisions of the data sheet, you
can see that some data sheets, the older
ones they mention some fault injection
resistance and it's now gone from the data
sheet. And they are also asking for
feedback on making it more clear what this
chip protects against, which I think is a
noble goal because we all know marketing
versus technicians is always an
interesting fight, let's say. Cool, first
chip broken, time for the next one, right?
So the next chip I looked at was the
Nuvoton NuMicro M2351. Rolls off the
tongue. It's a Cortex-M23 processor. It
has TrustZone-M. And I was super excited
because this finally has an SAU, a
security attribution unit and an IDAU and
also I talked to the marketing. It
explicitly protects against fault
injection. So that's awesome. I was
excited. Let's see how that turns out.
Let's briefly talk about the TrustZone in
the Nuvoton chip. As I've mentioned
before, the SAU, if it's turned off or
turned on without regions, will attribute
everything as fully secure. And no matter
what the IDAU says, the most privileged
level always wins. So if our entire
security attribution unit says secure, our
final security state will also be secure.
And if we now add some small non-secure
regions, the final state will also have
those small non-secure regions. I looked
at how this code works, and you can see
that at the very bottom the SAU control
register is set to 1. Simple, right? We
glitch over the SAU enabling, all our code
will be secure, and we'll just run our
code in secure mode, no problem. That is
what I thought. So basically the secure
bootloader starts execution of non-secure
code; we disable the SAU by glitching over
the instruction, and now everything is
secure, so our code runs in the secure
world. It's easy, except: read the
fucking manual. So it turns out these
thousands of pages of documentation
actually contain useful information and
you need a special instruction to
transition from secure to non-secure
state, which is called BLXNS, which stands
for branch with link and exchange to
non-secure. This is exactly made to
prevent this: it prevents accidentally
jumping into non-secure code, and it will
cause a secure fault if you try to do it.
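The attribution logic I just described can be written down as a tiny model. This is my own sketch for illustration, not ARM's or Nuvoton's code: a disabled SAU marks everything secure, and when combining the SAU and IDAU results, the more secure attribution always wins.

```c
#include <assert.h>
#include <stdbool.h>

typedef enum { NONSECURE = 0, SECURE = 1 } sec_state_t;

/* A disabled SAU (or one with no enabled regions) attributes every
 * address as secure; otherwise only addresses inside a configured
 * non-secure region are non-secure. */
static sec_state_t sau_attribution(bool sau_enabled, bool in_ns_region) {
    if (!sau_enabled)
        return SECURE;
    return in_ns_region ? NONSECURE : SECURE;
}

/* The final state combines SAU and IDAU: the most privileged
 * (secure) result wins. */
static sec_state_t final_state(sec_state_t sau, sec_state_t idau) {
    return (sau == SECURE || idau == SECURE) ? SECURE : NONSECURE;
}
```

This is why glitching over the SAU enable makes the whole address space secure: with `sau_enabled` false, the IDAU no longer matters.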
And what's interesting is that even if you
use this instruction, it will not always
transition: whether the state transitions
depends on the last bit of the destination
address. And the way the bootloader
actually gets the addresses it jumps to is
from what's called the vector table, which
is basically where your reset handlers
are, where your initial stack pointer is,
and so on. And you will notice that the
last bit is always set. And if the last
bit is set, it will stay in secure code.
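The role of that last bit can be sketched like this. Again, this is my own model of the rule, not the bootloader's actual code, and the vector-table value is made up:

```c
#include <assert.h>
#include <stdint.h>

/* BLXNS only transitions to the non-secure state when bit 0 of the
 * target address is clear; with bit 0 set, execution stays secure. */
static int blxns_goes_nonsecure(uint32_t target) {
    return (target & 1u) == 0;
}

/* The explicit bit-clear the bootloader performs before branching.
 * Glitching over this step is what keeps the branch in secure state. */
static uint32_t clear_ns_bit(uint32_t vector_entry) {
    return vector_entry & ~1u;
}
```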
So somehow they have to branch to this
address and end up in the non-secure
state. How do they do this? They use an
explicit bit-clear instruction. And what
do we know about instructions? We can
glitch over them. So basically, with two
glitches, we can glitch over the SAU
control enable, so our entire memory is
secure, and then glitch over the bit-clear
instruction, and then branch with link and
exchange to non-secure, again, rolls off
the tongue, will run the code as secure.
And now our normal-world code is running
in secure mode. The problem is: it works,
but it's very hard to get stable. I mean,
I somehow got it working, but it was not
very stable and it was a big pain to
actually make use of. So I wanted a
different vulnerability, and I read up on
the implementation-defined attribution
unit of the M2351. And it turns out that
the flash, RAM, peripherals and so on are
each mapped twice into memory: once as
secure, for example the RAM at address
0x2000_0000, and once as non-secure at
address 0x3000_0000. So you have the flash
twice and you have the RAM twice. This is
super important: it is the same memory.
And so I came up with an attack
that I called CrowRBAR, because a
vulnerability basically doesn't exist if
it doesn't have a fancy name. And the
basic point of this is that the security
of the system relies on the region
configuration of the SAU. What if we
glitch this initialization, combined with
this IDAU layout? Again, the IDAU mirrors
the memory: it has it once as secure and
once as non-secure. Now let's say at the
very bottom of our flash we have a secret,
which is in the secure area. It will also
be in the mirror of this memory. But
because our SAU configuration is fine, it
will not be accessible from the non-secure
side. However, the start of this
non-secure area is configured by the RBAR
register. So maybe, if we glitch this RBAR
being set, we can increase the size of the
non-secure area. And if you check the ARM
documentation on the RBAR register, the
reset value of this register is unknown.
So unfortunately it doesn't just say zero,
but I tried this on all chips I had access
to, and it is zero on all chips I tested.
And so what we can do now is glitch over
this RBAR write, and now the non-secure
region will be bigger. Our secure code is
still running in the bottom half, but the
jump into non-secure will also give us
access to the secret. And it works: we get
a fully stable glitch, and it takes
roughly 30 seconds to bypass. I should
mention that this is what I think happens.
All I know is that I inject a glitch and I
can read the secret. I cannot tell you
exactly what happens, but this is the best
interpretation I have so far. So, woohoo,
we have an attack with a cool name!
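My interpretation of what the glitch does can be sketched as a minimal model. To be clear, the addresses and region bounds here are made up for illustration, and this is my reading of the behavior, not confirmed vendor internals:

```c
#include <assert.h>
#include <stdint.h>

/* The SAU's RBAR/RLAR pair defines where a non-secure region starts
 * and ends. If the RBAR write is glitched over, the register keeps
 * its (observed) reset value of zero, so the non-secure alias
 * suddenly covers the secret at the bottom of flash. */
typedef struct {
    uint32_t rbar;   /* region base address  */
    uint32_t rlar;   /* region limit address */
} sau_region_t;

static int in_ns_region(const sau_region_t *r, uint32_t addr) {
    return addr >= r->rbar && addr <= r->rlar;
}
```

With an intended base of, say, 0x8000 the secret at 0x1000 is out of reach; with the glitched base of 0 it falls inside the non-secure region.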
And so I looked at another chip, the
NXP LPC55S69, and this one has two
Cortex-M33 cores, one of which has
TrustZone-M. The IDAU and the overall
TrustZone layout seem to be very similar
to the NuMicro, and I got the dual-glitch
attack working and also the CrowRBAR
attack working. And the vendor response
was amazing, like, holy crap: they called
me and wanted to fully understand it, they
reproduced it, they got me on the phone
with an expert, and the expert was super
nice. But what he said came down to
RTFM. Again, this is a long document, but
it turns out that the example code did
not enable a certain security feature. And
this security feature is helpfully hidden
in a register named Miscellaneous Control
Register, laughter, which stands for
Secure Control Register, laughter,
obviously. And this register has a bit
that, if you set it, enables secure
checking. And if I had read just a couple
of sentences further when I read about the
TrustZone on the chip, I would have
actually seen this. But, millennial,
sorry. Yeah. And so what this
enables is called the memory protection
checkers, and this is an additional memory
security check that gives you finer
control over the memory layout. It
basically checks whether the attribution
unit's security state is identical to the
memory protection checker's security state.
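As I understand it, the extra check works roughly like this. This is a simplified model of the idea, not NXP's implementation, and the names are my own shorthand:

```c
#include <assert.h>

typedef enum { MPC_NONSECURE = 0, MPC_SECURE = 1 } mpc_state_t;

/* An access only goes through when the SAU/IDAU attribution agrees
 * with the MPC's own security setting for the targeted block, so a
 * single glitch against the SAU configuration is no longer enough. */
static int mpc_allows(mpc_state_t attribution, mpc_state_t mpc_setting) {
    return attribution == mpc_setting;
}
```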
And so, for example, if our attack code
tries to access memory, the MPC will check
whether this was really a valid request,
so to say, and stop you if you are
unlucky, as I was. But it turns out it's
glitchable, though much, much harder to
glitch: you need multiple glitches. And
the vendor response was awesome. They also
say they're working on improving the
documentation for this. So yeah, super
cool. It's still not a full protection
against glitching, but it gives you a
certain level of security, and I think
that's pretty awesome. Before we finish: is
everything broken? No. These chips are not
insecure; they are just not protected
against a very specific attack scenario.
Align the chips that you want to use with
your threat model, if fault injection is
part of your threat model. So, for
example, if you're building a car key,
maybe you should protect against
glitching. If you're building a hardware
wallet, you definitely should protect
against glitching. Thank you. Also, by the
way, if you want to play with some awesome
fault injection equipment, I have an EMFI
glitcher with me, so just hit me up on
Twitter and I'm happy to show it to you.
So thanks a lot.
applause
Herald: Thank you very much, Thomas. We do
have an awesome 15 minutes for Q and A. So
if you line up, we have three microphones.
Microphone number 3 actually has an
induction loop. So if you're hearing
impaired and have a suitable device, you
can go to microphone 3 and actually hear
the answer. And we're starting off with
our signal angel with questions from the
Internet.
Thomas: Hello, Internet.
Signal Angel: Hello. Are you aware of the
ST Cortex-M4 firewall? And can your
research be somehow related to it? Or
maybe do you have plans to explore it in
the future?
Thomas: So, yes, I'm very aware of the
ST M3 and M4. If you watch our talk last
year at CCC, called Wallet.fail, we
actually exploited the sister chip, the
STM32F2. The F4 has this strange firewall
thing, which feels very similar to
TrustZone-M. However, I cannot yet share
any research related to that chip,
unfortunately. Sorry.
Signal Angel: Thank you.
Herald: Microphone number 1, please.
Mic 1: Hello. I'm just wondering, have you
tried to replicate this attack on
multicore CPUs with higher frequencies,
such as 2 GHz and above? How would you go
about that?
Thomas: So I have not, because there are
no TrustZone-M chips with this frequency.
However, people have done it on mobile
phones and other equipment; there's a lot
of material on glitching higher-frequency
stuff. But yeah, it will get expensive
really quickly, because a scope on which
you can even see a two-gigahertz clock
costs as much as a nice car.
Herald: Microphone number 2, please.
Mic 2: Thank you for your talk. For the
functionality to go from the non-secure
to the secure area, are there
standard-defined functionalities, or are
these proprietary libraries from NXP?
Thomas: So the veneer stuff is standard,
and you will find ARM documents basically
recommending you to do this. And all the
toolchains, for example the one for the
SAM L11, will generate the veneers for
you. So I have to be honest, I have not
looked at how exactly they are generated.
However, I did some Rust stuff to play
around with it. And yeah, it's relatively
simple for the toolchain, and it's
standard. So
Herald: the signal angel is signaling.
Signal Angel: Yeah, that's not another
question from the Internet but one from
me. I wanted to know: how important is
hardware security in comparison to
software security? Because you cannot hack
these devices without having physical
access to them, except for this supply
chain attack.
Thomas: Exactly. And that depends on your
threat model. If you build a hardware
wallet, you want to have hardware
protection, because somebody can
potentially steal it very easily. And if
you, for example, look at your phone, you
probably don't want anyone at customs to
be able to immediately break into your
phone; that's another point where hardware
security is very important. And with a car
key it's the same: if you rent a car, the
car rental company hopefully doesn't want
you to be able to copy the key. And
interestingly, probably one of the most
protected things in your home is your
printer cartridge, because I can tell you
that the vendor invests a lot of money
into you not being able to clone the
printer cartridge. So there are a lot of
cases where it's maybe not the user who
wants to protect against hardware attacks,
but the vendor.
Herald: Microphone number 1, please.
Mic 1: So thank you again for the amazing
Talk.
Thomas: Thank you.
Mic 1: You mentioned higher-order attacks,
I think twice. And for the second chip,
you actually said you broke it with two
glitches, two exploitable glitches.
Thomas: Yes.
Mic 1: So what did you do to reduce the
search space or did you just search over
the entire space?
Thomas: So the nice thing about these
chips is that, if you have a security
attribution unit, you can decide when you
turn it on. So I had a GPIO go up, and
then I enabled the SAU. And so my search
space was very small, because I knew it
would be just after I pulled up the GPIO.
So I was able to very precisely time where
I glitch, and because I basically wrote
the code that does this, I could almost
count on the oscilloscope which
instruction I'm hitting.
Mic 1: Thank you.
Herald: Next question from microphone
number 2, please.
Mic 2: Thank you for the talk. I was just
wondering: if the vendor were to include
the capacitor directly on the die, how
fixed would you consider it to be?
Thomas: Against voltage glitching? It
might help; it depends. But for example,
on a recent chip, we just used a negative
voltage to suck the power out of the
capacitor. And you also have EMFI
glitching as a possibility, and EMFI
glitching is awesome because you don't
even have to solder: you just basically
put a small coil on top of your chip and
inject the voltage directly into it,
behind any of the capacitors and so on.
So it helps, but often it's not done for
security reasons, let's say.
Herald: Next question again from our
Signal Angel.
Signal Angel: Did you get to use your own
custom hardware to help you?
Thomas: Partially. The part that worked
is the summary.
Herald: Microphone number 1, please.
Mic 1: Hi. Thanks for the interesting
talk. All these vendors pretty much said
this sort of attack is sort of not really
in scope for what they're doing.
Thomas: Yes.
Mic 1: Are you aware of anyone like in
this sort of category of chip actually
doing anything against glitching attacks?
Thomas: Not in this category, but there
are secure elements that explicitly
protect against it. A big problem with
researching those is that it's also, to a
large degree, security by NDA, at least
for me, because I have no idea what's
going on. I can't buy one to play around
with it, and so I can't tell you how good
these are. But I know from some friends
that there are some chips that are very
good at protecting against glitches. And
apparently the term you need to look for
is "glitch monitor". If you see that in
the data sheet, that tells you that they
at least thought about it.
Herald: Microphone number 2, please.
Mic 2: So what about brown-out detection?
Did Microchip say why it didn't catch your
glitching attempts?
Thomas: It's not meant to catch glitching
attacks. Basically, a brownout detector is
mainly there to keep your chip stable. So,
for example, if your supply voltage drops,
you want to make sure that you notice and
don't accidentally glitch yourself. For
example, if it's running on a battery and
your battery goes empty, you want your
chip to run stable, stable, stable, off.
That's the idea behind a brownout
detector, as I understand it. But yeah,
they are not made to be fast enough to
catch glitching attacks.
Herald: Do we have any more questions from
the hall?
Thomas: Yes.
Herald: Yes? Where?
Mic ?: Thank you for your amazing talk.
You have shown that it gets very
complicated if you have two consecutive
glitches. So wouldn't it be an easy
protection to just do the stuff twice or
three times, and maybe randomize it? Would
you consider this impossible to glitch
then?
Thomas: So adding randomization to the
point in time where you enable it helps,
but then you can trigger off the power
consumption and so on. And I should add, I
only triggered once and then used just a
simple delay. But in theory, if you do it
twice, you could also glitch by triggering
on the power consumption signature and so
on. So it might help, but somebody very
motivated will probably still be able to
do it.
Herald: OK. We have another question from
the Internet.
Signal Angel: Is there a mitigation for
such an attack that I can do on the PCB
level, or can it only be addressed at the
chip level?
Thomas: Only on the chip level, because if
you have a heat gun, you can just pull the
chip off and do it in a socket. And if you
do EMFI glitching, you don't even have to
touch the chip: you just go over it with
the coil and inject directly into the
chip. So the chip needs to be secured
against this type of stuff, or you can add
a tamper protection case around your
chips. So, yeah.
Herald: Another question from microphone
number 1.
Mic 1: So I was wondering if you've heard
anything or know anything about the STM32
L5 series?
Thomas: I've heard a lot; I've seen
nothing. So yes, I've heard about it, but
it doesn't ship yet, as far as I know. We
are all eagerly awaiting it.
Mic 1: Thank you.
Herald: Microphone number 2, please
Mic 2: Hey, very good talk, thank you.
Will you release all the hardware design
of the board and those scripts?
Thomas: Yes.
Mic 2: Is there anything already
available, even if, as I understood, it's
not all finished?
Thomas: Oh, yes. So, on chip.fail. There
are .fail domains; it's awesome.
Chip.fail has the source code to our
glitcher. I've also ported it to the
Lattice, and I need to push that hopefully
in the next few days. But then all the
hardware will be open-sourced, also
because it's based on open-source
hardware. And yeah, I'm not planning to
make any money or anything with it; it's
just to make life easier.
Herald: Microphone number 2, please.
Mic 2: So you said already that you don't
really know what happens at the exact
moment of the glitch, and you were lucky
that you maybe skipped an instruction. Do
you have a feeling for what is happening
inside the chip at the moment of the
glitch?
Thomas: So I asked this precise question,
what exactly happens, to multiple people,
and I got multiple answers. But basically
my understanding is that you pull away the
voltage that it needs to set, for example,
a register. But it's absolutely out of my
domain to give an educated comment on
this. I'm a breaker, unfortunately, not a
maker, when it comes to chips.
Herald: Microphone number 2, please.
Mic 2: OK, thank you. You talked a lot
about chip attacks. Can you tell us
something about JTAG attacks, where I just
have a connection to JTAG?
Thomas: Yeah. So, for example, the attack
on the KPH version of the chip was
basically a JTAG attack: I used JTAG to
read out the chip, but I only had JTAG in
the normal world. However, on a lot of
chips it's possible to re-enable JTAG even
if it's locked. And, again referencing
last year's talk, we were able to
re-enable JTAG on the STM32F2, and I would
assume something similar is possible on
this chip as well. But I haven't tried.
Herald: Are there any more questions? We
still have a few minutes. I guess not.
Well, a big, warm round of applause for
Thomas Roth.
applause
postroll music
Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!