-
36C3 preroll music
-
Herald: Our next speaker is way is paved
with broken trust zones. He's no stranger
-
to breaking ARM's, equipment or crypto
wallets or basically anything he touches.
-
It just dissolves in his fingers. He's one
of Forbes, 30 under 30s in tech. And
-
please give a warm round of applause to
Thomas Roth.
-
Applause.
-
Thomas: Test, okay. Wonderful. Yeah.
Welcome to my talk. TrustZone-M: Hardware
-
attacks on ARMv8-M security features. My
name is Thomas Roth. You can find me on
-
Twitter. I'm @stacksmashing and I'm a
security researcher, consultant and
-
trainer affiliated with a couple of
companies. And yeah, before we can start,
-
I need to to thank some people. So first
off, Josh Datko and Dimitri Nedospasov
-
who've been super helpful at anytime I was
stuck somewhere, or just wanted some
-
feedback. They immediately helped me. And
also Colin O'Flynn, who gave me constant
-
feedback and helped me with some troubles,
gave me tips and so on. And so without
-
these people and many more who paved the
way towards this research, I wouldn't be
-
here. Also, thanks to NXP and Microchip
who I had to work with as part of this
-
talk. And it was awesome. I had a lot of
very bad vendor experiences, but these two
-
were really nice to work with. Also some
prior work. So Colin O'Flynn and Alex
-
Dewar released a paper, I guess last year
or this year "On-Device Power Analysis
-
Across Hardware Security Domains". And
they basically looked at TrustZone from a
-
differential power analysis viewpoint and
otherwise TrustZone-M is pretty new, but
-
lots of work has been done on the big or
real TrustZone and also lots and lots of
-
works on fault injection would be far too
much to list here. So just google fault
-
injection and you'll see what I mean.
Before we start, what is TrustZone-M? So
-
TrustZone-M is the small TrustZone. It's
basically a simplified version of the big
-
TrustZone that you find on Cortex-A
processors. So basically if you have an
-
Android phone, chances are very high that
your phone actually runs TrustZone and
-
that, for example, your key store of
Android is backed by TrustZone. And
-
TrustZone basically splits the CPU into a
secure and a non-secure world. And so, for
-
example, you can say that a certain
peripheral should only be available to the
-
secure world. So, for example, if you have
a crypto accelerator, you might only want
-
to use it in the secure world. It also, if
you're wondering what's the difference to
-
an MPU - it also comes with two MPUs.
Sorry, not MMUs, MPUs. And so last year we
-
gave a talk on bitcoin wallets. And so
let's take those as an example on a
-
bitcoin wallet you often have different
apps, for example, for Bitcoin, Dogecoin
-
or Monaro, and then underneath you have an
operating system. The problem is kind of
-
this operating system is very complex
because it has to handle graphics
-
rendering and so on and so forth. And
chances are high that it gets compromised.
-
And if it gets compromised, all your funds
are gone. And so with TrustZone, you could
-
basically have a second operating system
separated from your normal one that
-
handles all the important stuff like
firmware update, key store attestation and
-
so on and reduces your attack surface. And
the reason I actually looked at
-
TrustZone-M is we got a lot of requests
for consulting on TrustZone-M. So
-
basically, after our talk last year, a lot
of companies reached out to us and said,
-
okay, we want to do this, but more
securely. And a lot of them try to use
-
TrustZone-M for this. And so far there's
been, as far as I know, little public
-
research into TrustZone-M and whether it's
protected against certain types of
-
attacks. And we also have companies that
start using them as secure chips. So, for
-
example, in the automotive industry, I
know somebody who was thinking about
-
putting them into car keys. I know about
some people in the payment industry
-
evaluating this. And as said, hardware
wallets. And one of the terms that come up
-
again and again is this is a secure chip.
But I mean, what is the secure chip
-
without a threat model? There's no such
thing as a secure chip because there are
-
so many attacks and you need to have a
threat model to understand what are you
-
actually protecting against. So, for
example, a chip might have software
-
features or hardware features that make
the software more secure, such as NX bit
-
and so on and so forth. And on the other
hand, you have hardware attacks, for
-
example, debug port side channel attacks
and fault injection. And often the
-
description of a chip doesn't really tell
you what it's protecting you against. And
-
often I would even say it's misleading in
some cases. And so you will see, oh, this
-
is a secure chip and you ask marketing and
they say, yeah, it has the most modern
-
security features. But it doesn't really
specify whether they are, for example,
-
protecting against fault injection attacks
or whether they consider this out of
-
scope. In this talk, we will exclusively
look at hardware attacks and more
-
specifically, we will look at fault
injection attacks on TrustZone-M. And so
-
all of the attacks we're going to see are
local to the device only you need to have
-
it in your hands. And there's no chance,
normally, of remotely exploiting them.
-
Yeah. So this will be our agenda. We will
start with a short introduction of
-
TrustZone-M, which will have a lot of
theory on like memory layouts and so on.
-
We will talk a bit about the fault-
injection setup and then we will start
-
attacking real chips. These 3, as you will
see. So on a Cortex-M processor you have a
-
flat memory map. You don't have a memory
management unit and all your peripherals,
-
your flash, your ram, it's all mapped to a
certain address in memory and TrustZone-M
-
allows you to partition your flash or your
ram into secure and non secure parts. And
-
so, for example, you could have a tiny
secure area because your secret code is
-
very small and a big non secure area. The
same is true for Ram and also for the
-
peripherals. So for example, if you have a
display and a crypto engine and so on. You
-
can decide whether these peripherals
should be secure or non secure. And so
-
let's talk about these two security
states: secure and non secure. Well, if
-
you have code running in secure flash or
you have secure code running, it can call
-
anywhere into the non secure world. It's
basically the highest privilege level you
-
can have. And so there's no protection
there. However, the opposite, if we tried
-
to go from the non secure world and to the
secure world would be insecure because,
-
for example, you could jump to the parts
of the code that are behind certain
-
protections and so on. And so that's why,
if you tried to jump from an unsecured
-
code into a secure code, it will cause an
exception. And to handle that, there's a
-
third memory state which is called non
secure callable. And as the name implies,
-
basically you're non secure code can call
into the non secure callable code. More
-
specifically, it can only call to non
secure callable code addresses where
-
there's an SG instruction which stands for
Secure Gateway. And the idea behind the
-
secure gateway is that if you have a non
secure kernel running, you probably also
-
have a secure kernel of running. And
somehow this secure kernel will expose
-
certain system calls, for example. And so
we want to somehow call from the non
-
secure kernel into these system calls, but
as I've just mentioned, we can't do that
-
because this will unfortunately cause an
exception. And so the way this is handled
-
on TrustZone-M is that you create so-
called secure gateway veneer functions.
-
These are very short functions in the non
secure callable area. And so if we want,
-
for example, to call the load key system
call, we would call the load key veneer
-
function, which in turn would call the
real load key function. And these veneer
-
functions are super short. So if you look
at the disassembly of them, it's like two
-
instructions. It's the secure gateway
instruction and then a branch instruction
-
to what's your real function. And so if we
combine this, we end up with this diagram
-
secure can call into non secure, non
secure, can call into NSC and NSC can call
-
into your secure world. But how do we
manage these memory states? How do we know
-
what security state does an address have?
And so for this in TrustZone-M, we use
-
something called attribution units and
there're by default there are two
-
attribution units available. The first one
is the SAU the Security Attribution Unit,
-
which is standard across chips. It's
basically defined by ARM how you use this.
-
And then there's the IDAU. The
Implementation Defined Attribution Unit,
-
which is basically custom to the silicon
vendor, but can also be the same across
-
several chips. And to get the security
state of an address, the security
-
attribution of both the SAU and the IDAU
are combined and whichever one has the
-
higher privilege level will basically win.
And so let's say our SAU says this address
-
is secure and our IDAU says this address
is non secure the SAU wins because it's
-
the highest privilege level. And basically
our address would be considered secure.
-
This is a short table. If both the SAU and
the IDAU agree, we will be non secure if
-
both say, hey, this is secure, it will be
secure. However, if they disagree and the
-
SAU says, hey, this address is secure the
IDAU says it's non secure, it will still
-
be secure because secure is to have
privilege level. The opposite is true. And
-
with even with non secure callable, secure
is more privileged than NSC. And so secure
-
will win. But if we mix NS and NSC, we get
non-secular callable. Okay. My initial
-
hypothesis when I read all of this was if
we break or disable the attribution units,
-
we probably break the security. And so to
break these, we have to understand them.
-
And so let's look at the SAU the security
attribution unit. It's standardized by
-
ARM. It's not available on all chips. And
it basically allows you to create memory
-
regions with different security states.
So, for example, if the SAU is turned off,
-
everything will be considered secure. And
if we turn it on, but no regions are
-
configured, still, everything will be
secure. We can then go and add, for
-
example, address ranges and make them NSC
or non secure and so on. And this is done
-
very, very easily. You basically have
these five registers. You have the SAU
-
control register where you basically can
turn it on or off. You have the SAU type,
-
which gives you the number of supported
regions on your platform because this can
-
be different across different chips. And
then we have the region number register,
-
which you use to select the region you
want to configure and then you set the
-
base address and the limit address. And
that's basically it. So, for example, if
-
we want to set region zero, we simply set
the RNR register to zero. Then we set the
-
base address to 0x1000. We set the limit
address to 0x1FE0, which is identical to
-
1FFF because there are some other bits
behind there that we don't care about
-
right now. And then we turn on the
security attribution unit and now our
-
memory range is marked as secure if you
want to create a second region we simply
-
change RNR to, for example, 1 again insert
some nice addresses. Turn on the SAU and
-
we have a second region this time from
4000 to 5FFF. So to summarize, we have
-
three memory security states. We have S
secure and we have NSC non secure callable
-
and we have NS non secure. We also have
the two attribution units, the SAU
-
standard by ARM and the IDAU which is
potentially custom we will use SAU and
-
IDAU a lot. So this was very important.
Cool. Let's talk about fault injection. So
-
as I've mentioned, we want to use fault
injection to compromise TrustZone. And the
-
idea behind fault injection or as it's
also called glitching is to introduce
-
faults into a chip. So, for example, you
cut the power for a very short amount of
-
time while you change the period of the
clock signal or even you could go and
-
inject electromagnetic shocks in your
chip. You can also shoot at it with a
-
laser and so on and so forth. Lots of ways
to do this. And the goal of this is to is
-
to cause undefined behavior. And in this
talk, we will specifically look at
-
something called voltage glitching. And so
the idea behind voltage glitching is that
-
we cut the power to the chip for very,
very short amount of time at a very
-
precisely timed moment. And this will
cause some interesting behavior. So
-
basically, if you would look at this on an
oscilloscope, we would basically have a
-
stable voltage, stable voltage, stable
voltage, and then suddenly it drops and
-
immediately returns. And this drop will
only be a couple of nanoseconds long. And
-
so, for example, you can have glitches
that are 10 nanoseconds long or 15
-
nanoseconds long and so on. Depends on
your chip. And yeah. And this allows you
-
to do different things. So, for example, a
glitch can allow you to skip instructions.
-
It can corrupt flash reads or flash
writes. It can corrupt memory registers or
-
register reads and writes. And skipping
instructions for me is always the most
-
interesting one, because it allows you to
directly go from disassembly to
-
understanding what you can potentially
jump over. So, for example, if we have
-
some code, this would be a basic firmware
boot up code. We have an initialized
-
device function. Then we have a function
that basically verifies the firmware
-
that's in flash and then we have this
boolean check whether our firmware was
-
valid. And now if we glitch at just the
right time, we might be able to glitch
-
over this check and boot our potentially
compromised firmware, which is super nice.
-
So how does this relate to TrustZone?
Well, if we manage to glitch over enable
-
TrustZone, we might be able to break
TrustZone. So how do you actually do this?
-
Well, we need something to wait for a
certain delay and generate a pulse at just
-
the right time with very high precision.
We are talking about nano seconds here,
-
and we also need something to drop the
power to the target. And so if you need
-
precise timing and so on, what works very
well is an FPGA. And so, for example, the
-
code that was released as part of this all
runs on the Lattice iCEstick, which is
-
roughly 30 bucks and you need a cheap
MOSFET and so together this is like thirty
-
one dollars of equipment. And on a setup
side, this looks something like this. You
-
would have your FPGA, which has a trigger
input. And so, for example, if you want to
-
glitch something doing the boot up of a
chip, you could connect this to the reset
-
line of the chip. And then we have an
output for the glitch pulse. And then if
-
we hook this all up, we basically have our
power supply to the chip run over a
-
MOSFET. And then if the glitch pulls goes
high, we drop the power to ground and the
-
chip doesn't get power for a couple of
nanoseconds. Let's talk about this power
-
supply, because a chip has a lot of
different things inside of it. So, for
-
example, a microcontroller has a CPU core.
We have a Wi-Fi peripheral. We have GPIO.
-
We might have Bluetooth and so on. And
often these peripherals run at different
-
voltages. And so while our microcontroller
might just have a 3.3 volt input,
-
internally there are a lot of different
voltages at play. And the way these
-
voltages are generated often is using
in-chip regulators. And basically these
-
regulators connect with the 3.3 voltage in
and then generate the different voltages
-
for the CPU core and so on. But what's
nice is that on a lot of chips there are
-
behind the core regulator, so called
bypass capacitors, and these external
-
capacitors are basically there to
stabilize the voltage because regulators
-
tend to have a very noisy output and you
use the capacitor to make it more smooth.
-
But if you look at this, this also gives
us direct access to the CPU core power
-
supply. And so if we just take a heat gun
and remove the capacitor, we actually kind
-
of change the pin out of the processor
because now we have a 3.3 voltage in, we
-
have a point to input the core voltage and
we have ground. So we basically gained
-
direct access to the internal CPU core
voltage rails. The only problem is these
-
capacitors are for a reason. And so if we
remove them, then your chip might stop
-
working. But very easy solution. You just
hook up a power supply to it, set it to
-
1.2 volts or whatever, and then suddenly
it works. And this also allows you to
-
glitch very easily. You just glitch on
your power rail towards the chip. And so
-
this is our current setup. So we have the
Lattice iCEstick. We also use a
-
multiplexer as an analog switch to cut the
power to the entire device. If we want to
-
reboot everything, we have the MOSFET and
we have a power supply. Now hooking this
-
all up on a bread board is fun the first
time, it's okay the second time. But the
-
third time it begins to really, really
suck. And as soon as something breaks with
-
like 100 jumper wires on your desk, the
only way to debug is to start over. And so
-
that's why I decided to design a small
hardware platform that combines all of
-
these things. So it has an FPGA on it. It
has analog input and it has a lot of
-
glitch circuitry and it's called the Mark
Eleven. If you've read William Gibson, you
-
might know where this is from. And it
contains a Lattice iCE40, which has a
-
fully open source toolchain, thanks to
Clifford Wolf and so. And this allows us
-
to very, very quickly develop new
triggers, develop new glitched code and so
-
on. And it makes compilation and
everything really really fast. It also
-
comes with three integrated power
supplies. So we have a 1.2 watt power
-
supply, 3.3, 5 volts and so on, and you
can use it for DPA. And this is based
-
around some existing devices. So, for
example, the FPGA part is based on the
-
1BitSquared iCEBreaker. The analog front
end, thanks to Colin O'Flynn, is based on
-
the ChipWhisperer Nano. And then the
glitch circuit is basically what we've
-
been using on bread boards for quite a
while. Just combined on a single device.
-
And so unfortunately, as always with
hardware production takes longer than you
-
might assume. But if you drop me a message
on Twitter, I'm happy to send you a PCB as
-
soon as they work well. And the BOM is
around 50 bucks. Cool. So now that we are
-
ready to have to actually attack chips,
let's look at an example. So the very
-
first chip that I encountered that used
TrustZone-M was the Microchip SAM 11. And
-
so this chip was released in June 2018.
And it's kind of it's a small, slow chip.
-
It's runs at 32 megahertz. It has up to 64
kilobytes of flash and 16 kilobytes of
-
SRAM, but it's super cheap. It's like one
dollar eighty at quantity one. And so it's
-
really nice, really affordable. And we had
people come up to us and suggest, hey, I
-
want to build a TPM on top of this or I
want to build a hardware wallet on top of
-
this. And so on and so forth. And if we
look at the website of this chip. It has a
-
lot of security in it, so it's the best
contribution to IOT security winner of
-
2018. And if you just type secure into the
word search, you get like 57 hits. So this
-
chip is 57 secure. laughter And even on
the website itself, you have like chip
-
level security. And then if you look at
the first of the descriptions, you have a
-
robust chip level security include chip
level, tamper resistance, active shield
-
protects against physical attacks and
resists micro probing attacks. And even in
-
the datasheet, where I got really worried
because I said I do a lot with a core
-
voltage it has a brown-out detector that
has been calibrated in production and must
-
not be changed and so on. Yeah. To be
fair, when I talked to my microchip, they
-
mentioned that they absolutely want to
communicate that this chip is not hardened
-
against hardware attacks, but I can see
how somebody who looks at this would get
-
the wrong impression given all the terms
and so on. Anyway, so let's talk about the
-
TrustZone in this chip. So the SAM L11
does not have a security attribution unit.
-
Instead, it only has the implementation
defined attribution unit. And the
-
configuration for this implementation
defined attribution unit is stored in the
-
user row, which is basically the
configuration flash. It's also called
-
fuses in the data sheet sometimes, but
it's really I think it's flash based. I
-
haven't checked, but I am pretty sure it
is because you can read it, write it,
-
change it and so on. And then the IDAU,
once you've configured it, will be
-
configured by the boot ROM during the
start of the chip. And the idea behind the
-
IDAU is that all your flash is partitioned
into two parts of the bootloader part and
-
the application part, and both of these
can be split into secure, non secure
-
callable and non secure. So you can have a
bootloader, a secure and a non secure one,
-
and you can have an application, a secure
and a non secure one. And the size of
-
these regions is controlled by these five
registers. And for example, if we want to
-
change our non secure application to be
bigger and make our secure application a
-
bit smaller, we just fiddle with these
registers and the sizes will adjust and
-
the same with the bootloader. So this is
pretty simple. How do we attack it? My
-
goal initially was I want to somehow read
data from the secure world while running
-
code in the non secret world. So jump the
security gap. My code in non secure should
-
be able to, for example, extract keys from
the secure world and my attack path for
-
that was well, I glitched the boot ROM
code that loads the IDAU you
-
configuration. But before we can actually
do this, we need to understand, is this
-
chip actually glitchable and can we? Is it
susceptible to glitches or do we
-
immediately get get thrown out? And so I
used a very simple setup where just had a
-
firmware and tried to glitch out of the
loop and enable an LED. And I had success
-
in less than five minutes and super stable
glitches almost immediately. Like when I
-
saw this, I was 100 percent sure that I
messed up my setup or that the compiler
-
optimized out my loop or that I did
something wrong because I never glitch to
-
chip in five minutes. And so this was
pretty awesome, but I also spend another
-
two hours verifying my setup. So. OK.
Cool, we know that ship is glitchable, so
-
let's glitch it. What do we glitch? Well,
if we think about it somewhere during the
-
boot ROM, these registers are red from
flash and then some hardware is somehow
-
configured. We don't know how because we
can't dump the boot from we don't know
-
what's going on in the chip. And the
datasheet has a lot of pages. And I'm a
-
millennial. So, yeah, I read what I have
to read and that's it. But my basic idea
-
is if we somehow manage to glitch the
point where it tries to read the value of
-
the AS Register, we might be able to set
it to zero because most chip peripherals
-
will initialize to zero. And if we glitch
with the instruction that reads AS, maybe
-
we can make our non secure application
bigger so that we, that actually we can
-
read the secure application data because
now it's considered non secure. But.
-
Problem 1 The boot ROM is not dumpable. So
we cannot just disassemble it and figure
-
out when does it roughly do this. And the
problem 2 is that we don't know when
-
exactly this read occures and our glitch
needs to be instruction precise. We need
-
to hit just the right instruction to make
this work. And the solution is brute
-
force. But I mean like nobody has time for
that. Right? So if the chip boots for 2
-
milliseconds. That's a long range we have
to search for glitches. And so very easy
-
solution power analysis. And it turns out
that, for example, a riscure has done this
-
before where basically they tried to
figure out where in time a JTAG lock is
-
set by comparing the power consumption.
And so the idea is, we basically write
-
different values to the AS register, then
we collect a lot of power traces and then
-
we look for the differences. And this is
relatively simple to do. If you have a
-
ChipWhisperer. So. This was my rough
setup. So we just have the ChipWhisperer-
-
Lite. We have a breakout with the chip we
want to attack and a programmer. And then
-
we basically collect a couple of traces.
And in my case, even just 20 traces are
-
enough, which takes, I don't know, like
half a second to run. And if you have 20
-
traces in unsecure mode, 20 traces in
secure mode and you compare them, you can
-
see that there are clear differences in
the power consumption starting at a
-
certain point. And so I wrote a script
that does some more statistics on it and
-
so on. And that basically told me the best
glitch candidate starts at 2.18
-
milliseconds. And this needs to be so
precise because I said we're in the milli
-
and the nano seconds range. And so we want
to make sure that we at the right point in
-
time. Now, how do you actually configure?
How do you build the setup where you
-
basically you get a success indication
once you broke this? For this, I needed to
-
write a firmware that basically attempts
to read secure data. And then if it's
-
successful, enabled the GPIO. And if it
fails, it does nothing. And I just reset
-
and try again. And so I know I knew my
rough delay and I was triggering of the
-
reset of the chip that I just tried. Any
delay after it and tried different glitch
-
pulse length and so on. And eventually I
had a success. And these glitches you will
-
see with the glitcher which we released a
while back is super easy to write because
-
all you have is like 20 lines of Python.
You basically set up a loop delay from
-
delay to your setup, the pulse length. You
iterate over a range of pulses. And then
-
in this case you just check whether your
GPIO is high or low. That's all it takes.
-
And then once you have this running in a
stable fashion, it's amazing how fast it
-
works. So this is now a recorded video of
a life glitch, of a real glitch,
-
basically. And you can see we have like 20
attempts per second. And after a couple of
-
seconds, we actually get a success
indication we just broke a chip. Sweet.
-
But one thing I moved to a part of Germany
to the very south is called the
-
Schwabenland. And I mean, 60 bucks. We are
known to be very cheap and 60 bucks
-
translates to like six beers at
Oktoberfest. Just to convert this to the
-
local currency, that's like 60 Club Mate.
Unacceptable. We need to go cheaper, much
-
cheaper, and so.
laughter and applause
-
What if we take a chip that is 57 secure
and we tried to break it with the smallest
-
chip. And so this is an ATTiny which
costs, I don't know, a a euro or two euro.
-
We combine it with a MOSFET to keep the
comparison that's roughly 3 Club Mate and
-
we hook it all up on a jumper board and
turns out: This works like you can have a
-
relatively stable glitch, a glitcher with
like 120 lines of assembly running all the
-
ATTiny and this will glitch your chip
successfully and can break TrustZone on
-
the SAM L11. The problem is chips are very
complex and it's always very hard to do an
-
attack on a chip that you configured
yourself because as you will see, chances
-
are very high that you messed up the
configuration and for example, missed a
-
security bit, forgot to set something and
so on and so forth. But luckily, in the
-
case of the SAM L11, there's a version of
this chip which is already configured and
-
only ships in non secure mode. And so this
is called the SAM L11 KPH. And so it comes
-
pre provisioned with a key and it comes
pre provisioned with a trusted execution
-
environment already loaded into the secure
part of the chips and ships completely
-
secured and the customer can write and
debug non secure code only. And also you
-
can download the SDK for it and write your
own trustlets and so on. But I couldn't
-
because it requires you to agree to their
terms and conditions so which exclude
-
reverse engineering. So no chance,
unfortunately. But anyway, this is the
-
perfect example to test our attack. You
can buy these chips on DigiKey and then
-
try to break into the secure world because
these chips are hopefully decently secured
-
and have everything set up and so on. And
yeah. So this was the setup. We designed
-
our own breakout port for the SAM L11,
which makes it a bit more accessible, has
-
JTAG and has no capacitors in the way. So
you get access to all the core voltages
-
and so on and you have the FPGA on the top
left the super cheap 20 bucks power supply
-
and the programmer. And then we just
implemented a simple function that uses
-
openOCD to try to read an address that we
normally can't read. So we basically we
-
glitch. Then we start OpenOCD, which uses
the JTAG adapter to try to read secure
-
memory. And so I hooked it all up, wrote a
nice script and let it rip. And so after a
-
while or in well, a couple of seconds
immediately again got successful, I got a
-
successful attack on the chip and more and
more. And you can see just how stable you
-
can get these glitches and how well you
can attack this. Yeah. So sweet hacked. We
-
can compromise the root of trust and the
trusted execution environment. And this is
-
perfect for supply chain attacks. Right.
Because if you can compromise a part of
-
the chip that the customer will not be
able to access, he will never find you.
-
But the problem with supply chain attacks
is, they're pretty hard to scale and they
-
are only for sophisticated actors normally
and far too expensive is what most people
-
will tell you, except if you hack the
distributor. And so as I guess last year
-
or this year, I don't know, I actually
found a vulnerability in DigiKey, which
-
allowed me to access any invoice on
DigiKey, including the credentials you
-
need to actually change the invoice. And
so basically the bug is that they did not
-
check when you basically requested an
invoice, they did not check whether you
-
actually had permission to access it. And
you have the web access id on top and the
-
invoice number. And that's all you need to
call DigiKey and change the delivery,
-
basically. And so this also is all data
that you need to reroute the shipment. I
-
disclosed this. It's fixed. It's been
fixed again afterwards. And now hopefully
-
this should be fine. So I feel good to
talk about it. And so let's walk through
-
the scenarios. We have Eve and we have
DigiKey and Eve builds this new super
-
sophisticated IOT toilet and she needs a
secure chip. So she goes to DigiKey and
-
orders some SAM L11 KPHs and Mallory.
Mallory scans all new invoices on DigiKey.
-
And as soon as somebody orders a SAM L11,
they talk to DigiKey with the API or via a
-
phone call to change the delivery address.
And because you know who the chips are
-
going to, you can actually target this
very, very well. So now the chips get
-
delivered to Mallory Mallory backdoors the
chips. And then sends the backdoored chips
-
to Eve who is none the wiser, because it's
the same carrier, it's the same, it looks
-
the same. You have to be very, very
mindful of these types of attack to
-
actually recognize them. And even if they
open the chips and they say they open the
-
package and they try the chip, they scan
everything they can scan the backdoor will
-
be in the part of the chip that they
cannot access. And so we just supply chain
-
attacked whoever using an UPS envelope,
basically. So, yeah. Interesting attack
-
vector. So I talked to microchip and it's
been great. They've been super nice. It
-
was really a pleasure. I also talked to
Trustonic, who were very open to this and
-
wanted to understand it. And so it was
great. And they explicitly state that this
-
chip only protects against software
attacks while it has some hardware
-
features like tamper ressistant RAM. It is
not built to withstand fault injection
-
attacks. And even if you compare it now,
different revisions of the data sheet, you
-
can see that some data sheets, the older
ones they mention some fault injection
-
resistance and it's now gone from the data
sheet. And they are also asking for
-
feedback on making it more clear what this
chip protects against, which I think is a
-
noble goal because we all know marketing
versus technicians is always an
-
interesting fight. Let's say, cool first
chip broken time for the next one, right?
-
So the next chip I looked at was the
Nuvoton NuMicro M2351 rolls off the
-
tongue. It's a Cortex-M23 processor. It
has TrustZone-M. And I was super excited
-
because this finally has an SAU, a
security attribution unit and an IDAU and
-
also I talked to the marketing. It
explicitly protects against fault
-
injection. So that's awesome. I was
excited. Let's see how that turns out.
-
Let's briefly talk about the TrustZone in
the Nuvoton chip. So as I've mentioned
-
before, the SAU if it's turned off or
turned on without regions will be to fully
-
secure. And no matter what the IDAU is,
the most privileged level always wins. And
-
so if our entire security attribution unit
is secure, our final security state will
-
also be secure. And so if we now add some
small regions, the final state will also
-
have the small, non secure regions. I
mean, I saw this looked at how this this
-
code works. And you can see that at the
very bottom SAU control is set to 1 simple
-
right. We glitch over the SAU enabling and
all our code will be secure and we'll just
-
run our code in secret mode, no problem -
is what I fought. And so basically the
-
secure bootloader starts execution of non
secure code. We disable the SAU by
-
glitching over the instruction and now
everything is secure. So our code runs in
-
a secure world. It's easy except read the
fucking manual. So turns out these
-
thousands of pages of documentation
actually contain useful information and
-
you need a special instruction to
transition from secure to non secure state
-
which is called BLXNS, which stands for
branch optionally linked and exchange to
-
non secure. This is exactly made to
prevent this. It prevents accidentally
-
jumping into non secure code. It will
cause a secure fault if you try to do it.
-
And what's interesting is that even if you
use this instruction, it will not always
-
transition. The state depends on the last
bit in the destination address, whether
-
the status transition and the way the
bootloader will actually get these
-
addresses it jumps to is from what's
called the reset table, which is basically
-
where your reset handlers are, where your
stack pointer, your initial stack pointer
-
is and so on. And you will notice that the
last bit is always set. And if the last
-
bit is set, it will jump to secure code.
So somehow they managed to branch to this
-
address and run it into non secure. So how
do they do this? They use an explicit bit
-
clear instruction. What do we know about
instructions? We can glitch over them. And
-
so basically we can with two glitches, we
can glitch over the SAU control enable now
-
our entire memory is secure and then we
glitch over the bitclear instruction and
-
then branch linked ex non secure again
rolls off the tongue will run secure code.
-
And now our normal world code is running
in secure mode. The problem is it works,
-
but it's very hard to get stable. So, I
mean, this was I somehow got it working,
-
but it was not very stable and it was a
big pain to to actually make use of. So I
-
wanted a different vulnerability. And I
read up on the implementation defined
-
attribution unit of the M2351. And it
turns out that each flash RAM peripheral
-
and so on is mapped twice into memory. And
so basically once as secure as the address
-
0x2000 and once as non secure at the
address 0x3000. And so you have the flash
-
twice and you have the the RAM twice. This
is super important. This is the same
-
memory. And so I came up with an attack
that I called CroeRBAR because a
-
vulnerability basically doesn't exist if
it doesn't have a fancy name. And the
-
basic point of this is that the security
of the system relies on the region
-
configuration of the SAU. What if we
glitch this initialization combined with
-
this IDAU layout again with the IDAU
mirrors the memory. Has it once a secure
-
and once it's not secure. Now let's say we
have at the very bottom of our flash. We
-
have a secret which is in the secure area.
It will also be in the mirror of this
-
memory. But again, because our SAU
configuration is fine, it will not be
-
accessible by the non secure region.
However, the start of this non secret area
-
is configured by the RBAR register. And so
maybe if we glitch this RBAR being set, we
-
can increase the size of the non secure
area. And if you check the ARM
-
documentation on the RBAR register, the
reset values state of this register is
-
unknown. So unfortunately it doesn't just
say zero, but I tried this on all chips I
-
had access to and it is zero on all chips
I tested. And so now what we can do is we
-
glitch over this RBAR and now our final
security state will be bigger and our
-
secure code is still running in the bottom
half. But then the jump into non secure
-
will also give us access to the secret and
it works. We get a fully stable glitch,
-
takes roughly 30 seconds to bypass it. I
should mention that this is what I think
-
happens. All I know is that I inject a
glitch and I can read the secret. I cannot
-
tell you exactly what happens, but this is
the best interpretation I have so far. So
-
wuhu we have an attack with a cool name?
And so I looked at another chip called the
-
NXP LPC55S69, and this one has 2
Cortex-M33 cores, one of which has
-
TrustZone-M. The IDAU and the overall
TrustZone layout seem to be very similar
-
to the NuMicro. And I got the dual glitch
attack working and also the CrowRBAR
-
attack working. And the vendor response
was amazing. Like holy crap, they called
-
me and wanted to fully understand it. They
reproduced that. They got me on the phone
-
with an expert and the expert was super
nice. But what he said came down to was
-
RTFM. But again, this is a long document,
but it turns out that the example code did
-
not enable a certain security feature. And
this security feature is helpfully named
-
Miscellaneous Control Register, basically,
laughter which stands for Secure Control
-
Register, laughter obviously. And this
register has a bit. If you set it, it
-
enables secure checking. And if I read
just a couple of sentences first further,
-
when I read about the TrustZone on the
chip, I would have actually seen this. But
-
Millennial sorry. Yeah. And so what this
enables is called the memory protection
-
checkers and this is an additional memory
security check that gives you finer
-
control over the memory layout. And so it
basically checks if the attribution unit
-
security state is identical with the
memory protection checker security state.
-
And so, for example, if our attack code
tries to access memory, the MPC will check
-
whether this was really a valid request.
So to say and stop you if you are unlucky
-
as I was. But turns out it's glitchable,
but it's much, much harder to glitch and
-
you need multiple glitches. And the vendor
response was awesome. They also say
-
they're working on improving the
documentation for this. So yeah, super
-
cool. But still like it's not a full
protection against glitching, but it gives
-
you certain security. And I think that's
pretty awesome. Before we finish. Is
-
everything broken? No. These chips are not
insecure. They are not protected against a
-
very specific attack scenario and align
the chips that you want to use with your
-
threat model. If fault injection is part
of your threat models. So, for example,
-
you're building a carkey. Maybe you should
protect against glitching. If you're
-
building a hardware wallet, definitely you
should protect against glitching. Thank
-
you. Also, by the way, if you want to play
with some awesome fault injection
-
equipment, I have an EMFI glitcher with me
and so. So just hit me up on Twitter and
-
I'm happy to show it to you. So thanks a
lot.
-
applause
-
Herald: Thank you very much, Thomas. We do
have an awesome 15 minutes for Q and A. So
-
if you line up, we have three microphones.
Microphone number 3 actually has an
-
induction loop. So if you're hearing
impaired and have a suitable device, you
-
can go to microphone 3 and actually hear
the answer. And we're starting off with
-
our signal angel with questions from the
Internet.
-
Thomas: Hello, Internet.
Signal Angel: Hello. Are you aware of the
-
ST Cortex-M4 firewall? And can your
research be somehow related to it? Or
-
maybe do you have plans to explore it in
the future?
-
Thomas: I. So, yes, I'm very aware of the
ST M3 and M4. If you watch our talk last
-
year at CCC called Wallet.fail, we
actually exploited the sister chip, the
-
STM32 F2. The F4 has this strange firewall
thing which feels very similar to
-
TrustZone-M. However, I cannot yet share
any research related to that chip,
-
unfortunately. Sorry.
Signal Angel: Thank you.
-
Herald: Microphone number 1, please.
Mic 1: Hello. I'm just wondering, have you
-
tried to replicate this attack on
multicore CPUs with higher frequency such
-
like 2GHz and others, how would you go
about that?
-
Thomas: So I have not because there there
are no TrustZone-M chips with this
-
frequency. However, people have done it on
mobile phones and other equipment. So, for
-
example, yeah, there's a lot of materials
on glitching higher frequency stuff. But
-
yeah, it will get expensive really quickly
because the scope, the way you can even
-
see a two gigahertz clock, that's a nice
car oscilloscope.
-
Herald: Microphone number 2, please.
Mic 2: Thank you for your talk. Is the
-
more functionality to go from non-secure
to secure area? Are there same standard
-
defined functionalities or the proprietory
libraries from NXP?
-
Thomas: So the the veneer stuff is
standard and you will find ARM documents
-
basically recommending you to do this. But
all the tool chains, for example, the one
-
for the SAM L11 will generate the veneers
for you. And so I have to be honest, I
-
have not looked at how exactly they are
generated.
-
However, I did some rust stuff to play
around with it. And yeah, it's relatively
-
simple for the tool chain and it's
standard. So
-
Herald: the signal angel is signaling.
Signal Angel: Yeah. That's not another
-
question from the internet but from me and
I wanted to know how important is the
-
hardware security in comparison to the
software security because you cannot hack
-
these devices without having physical
access to them except of this supply chain
-
attack.
Thomas: Exactly. And that depends on your
-
threat model. So that's basically if you
build a door, if you build a hardware
-
wallet, you want to have hardware
protection because somebody can steal it
-
potentially very easily and then... And if
you, for example, look at your phone, you
-
probably maybe don't want to have anyone
at customs be able to immediately break
-
into your phone. And that's another point
where hardware security is very important.
-
And there with a car key, it's the same.
If you rent a car, you hopefully the car
-
rental company doesn't want you to copy
the key. And interestingly, the more
-
probably one of the most protected things
in your home is your printer cartridge,
-
because I can tell you that the vendor
invests a lot of money into you not being
-
able to clone the printer cartridge. And
so there are a lot of cases where it's
-
maybe not the user who wants to protect
against hardware attacks, but the vendor
-
who wants to protect against it.
Herald: Microphone number 1, please.
-
Mic 1: So thank you again for the amazing
Talk.
-
Thomas: Thank you.
Mic 1: You mentioned higher order attacks,
-
I think twice. And for the second chip,
you actually said you you broke it with
-
two glitches, two exploiteable glitches.
Thomas: Yes.
-
Mic 1: So what did you do to reduce the
search space or did you just search over
-
the entire space?
Thomas: So the nice thing about these
-
chips is that you can actually you can if
you have a security attribution unit, you
-
can decide when you turn it on, because
you can just, I had the GPIO go up. Then I
-
enable the SAU. And then I had my search
space very small because I knew it would
-
be just after I pulled up the GPIO. And so
I was able to very precisely time where I
-
glitch and I was able because I wrote the
code basically that does it. I could
-
almost count on the oscilloscope which
instruction I'm hitting.
-
Mic 1: Thank you.
Herald: Next question from microphone
-
number 2, please.
Mic 2: Thank you for the talk. I was just
-
wondering if the vendor was to include the
capacitor directly on the die, howfixed
-
would you consider it to be?
Thomas: So against voltage glitching? It
-
might help. It depends. But for example,
on a recent chip, we just used the
-
negative voltage to suck out the power
from the capacitor. And also, you will
-
have EMFI glitching as a possibility and
EMFI glitching is awesome because you
-
don't even have to solder. You just
basically put a small coil on top of your
-
chip and inject the voltage directly into
it behind any of the capacitors. And so
-
on. So it it helps, but it's not a. Often
it's not done for security reasons. Let's
-
see.
Herald: Next question again from our
-
Signal Angel.
Signal Angel: Did you get to use your own
-
custom hardware to help you?
Thomas: I partially the part that worked
-
is the summary.
Herald: Microphone number 1, please.
-
Mic 1: Hi. Thanks for the interesting
talk. All these vendors pretty much said
-
this sort of attack is sort of not really
in scope for what they're doing.
-
Thomas: Yes.
Mic 1: Are you aware of anyone like in
-
this sort of category of chip actually
doing anything against glitching attacks?
-
Thomas: Not in this category, but there
are secure elements that explicitly
-
protect against it. A big problem with
researching those is that it's also to a
-
large degree security by NDA, at least for
me, because I have no idea what's going
-
on. I can't buy one to play around with
it. And so I can't tell you how good these
-
are. But I know from some friends that
there are some chips. Are very good at
-
protecting against glitches. And
apparently the term you need to look for
-
it is called glitch monitor. And if you
see that in the data sheet, that tells you
-
that they at least thought about it
Herald: Microphone number 2, please.
-
Mic 2: So what about brown-out or
detection? Did microchip say why it didn't
-
catch your glitching attempts?
Thomas: It's not meet to glitch it at two
-
to catch glitching attacks. Basically, a
brownout detector is mainly there to keep
-
your chip stable. And so, for example, if
you're supply voltage drops, you want to
-
make sure that you notice and don't
accidentally glitch yourself. So, for
-
example, if it is running on a battery and
your battery goes empty, you want your
-
chip to run stable, stable, stable off.
And that's the idea behind a brownout
-
detector is my understanding. But yeah,
they are not made to be fast enough to
-
catch glitching attacks.
Herald: Do we have any more questions from
-
the hall?
Thomas: Yes.
-
Herald: Yes? Where?
Mic ?: Thank you for your amazing talk.
-
You have shown that it gets very
complicated if you have two consecutive
-
glitches. So wouldn't it be an easy
protection to just do the stuff twice or
-
three times and maybe randomize it? Would
you consider this then impossible to be
-
glitched?
Thomas: So adding randomization to the
-
point in time where you enable it helps,
but then you can trigger off the power
-
consumption and so on. And I should add, I
only tried to to trigger once and then use
-
just a simple delay. But in theory, if you
do it twice, you could also glitch on the
-
power consumption signature and so on. So
it might help. But somebody very motivated
-
will still be able to do it. Probably.
Herald: OK. We have another question from
-
the Internet.
Signal Angel: Is there a mitigation for
-
such a attack that I can do on PCB level
or it can be addressed only on chip level?
-
Thomas: Only on chip level, because if you
have a heat, can you just pull the chip
-
off and do it in a socket or if you do
EMFI glitching, you don't even have to
-
touch the chip. You just go over it with
the coil and inject directly into the
-
chip. So the chip needs to be secured
against this type of stuff or you can add
-
a tamper protection case around your
chips. So, yeah.
-
Herald: Another question from microphone
number 1.
-
Mic 1: So I was wondering if you've heard
anything or know anything about the STM32
-
L5 series?
Thomas: I've heard a lot. I've seen
-
nothing. So, yes, I've heard about it. But
it doesn't ship yet as far as I know. We
-
are all eagerly awaiting it.
Mic 1: Thank you.
-
Herald: Microphone number 2, please
Mic 2: Hey, very good talk. Thank you. Do
-
you, Will you release all the hardware
design of the board and those scripts?
-
Thomas: Yes.
Mic 2: Is there anything already
-
availability even if I understood it's not
all finished?
-
Thomas: Oh, yes. So on chip.fail. There
are thoughtful domains. It's awesome.
-
Chip.fail has the source code to our
glitcher. I've also ported it to the
-
Lattice and I need to push that hopefully
in the next few days. But then all the
-
hardware would be open sourced also
because it's based on open source hardware
-
and yeah, I'm not planning to make any
money or anything using it. It's just to
-
make life easier.
Herald: Microphone number 2, please.
-
Mic 2: So you said already you don't
really know what happens at the exact
-
moment of the glitch and you were lucky
that you that you skipped an instruction
-
maybe. Do you have. Yes. A feeling what is
happening inside the chip at the moment of
-
the glitch?
Thomas: So I asked this precise question,
-
what exactly happens to multiple people? I
got multiple answers. But basically my my
-
understanding is that you basically pull
the voltage that it needs to set, for
-
example, the register. But I'm it's
absolutely out of my domain to give an
-
educated comment on this. I'm a breaker,
unfortunately, not a maker when it comes
-
to chips.
Herald: Microphone number 2, please.
-
Mic 2: OK. Thank you. You said a lot of
the chip attack. Can you tell us something
-
about JTAG attacks? So I just have a
connection to JTAG?
-
Thomas: Yeah. So, for example, the attack
on the KPH version of the chip was
-
basically a JTAG attack. I used JTAG to
read out the chip, but I did have JTAG in
-
normal world. However, it's possible on
most - on a lot of chips to reenable JTAG
-
even if it's locked. And for example,
again, referencing last year's talk, we
-
were able to re enable JTAG on the STM32F2
and I would assume was something similar
-
as possible on this chip as well. But I
haven't tried.
-
Herald: Are there any more questions we
still have a few minutes. I guess not.
-
Well, a big, warm round of applause for
Thomas Roth.
-
applause
-
postroll music
-
Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!
