Pengfei Qui
Abstract
Based on the concept of hardware separation, ARM introduced TrustZone to build a trusted execution environment for applications. It has been quite successful in defending against various software attacks and forcing attackers to explore vulnerabilities in interface designs and side channels. In this article, we propose an innovative software-controlled hardware fault-based attack, VoltJockey, on multi-core processors that adopt dynamic voltage and frequency scaling (DVFS) techniques for energy efficiency. We deliberately manipulate the processor voltage via DVFS to induce hardware faults into the victim cores, and therefore breaking TrustZone. The entire attack process is based on software without any involvement of hardware, which makes VoltJockey stealthy and hard to prevent.
- ARM, Architecture. "Security technology building a secure system using trustzone technology (white paper)." ARM Limited (2009).Google Scholar
- Dan Rosenberg. "Reflections on trusting trustzone." Black Hat Conference. 2014.Google Scholar
- Huasong Meng, et al. "A survey of Android exploits in the wild." 2018. Computers & Security, 76, 71--91.Google Scholar
- Dan Rosenberg. "Qsee trustzone kernel integer over flow vulnerability." Black Hat Conference. 2014.Google Scholar
- Moritz Lipp, et al. "Armageddon: Cache attacks on mobile devices." 2016. 25th USENIX Security Symposium (USENIX Security 16). Google ScholarDigital Library
- Adrian Tang, Simha Sethumadhavan, and Salvatore Stolfo. "CLKSCREW: Exposing the perils of security-oblivious energy management." 2017. 26th USENIX Security Symposium (USENIX Security 17). Google ScholarDigital Library
- Pengfei Qui, et al. "VoltJockey: Breaching Trust- Zone by software-controlled voltage manipulation over multi-core frequencies." 2019. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. Google ScholarDigital Library
- Inki Hong, et al. "Power optimization of variable-voltage core-based systems." 1999. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 18.12, 1702--1714. Google ScholarDigital Library
- Jean Arlat, et al. "Fault injection for dependability validation: A methodology and some applications." 1990. IEEE Transactions on software engineering 16.2, 166--182. Google ScholarDigital Library
- Eli Biham and Adi Shamir. 2012. Differential cryptanalysis of the data encryption standard. Springer Science & Business Media. Google ScholarDigital Library
- Nidhal Selmane, Sylvain Guilley, and Jean-Luc Danger. "Practical setup time violation attacks on AES." 2008. 2008 Seventh European Dependable Computing Conference. IEEE. Google ScholarDigital Library
- Alessandro Barenghi, et al. "Low voltage fault attacks on the RSA cryptosystem." 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE. Google ScholarDigital Library
- Alessandro Barenghi, et al. "Low voltage fault attacks to AES." 2010. 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST). IEEE.Google Scholar
- Alessandro Barenghi, et al. "A fault induction technique based on voltage underfeeding with application to attacks against AES and RSA." Journal of Systems and Software 86.7 (2013), 1864--1878. Google ScholarDigital Library
Recommendations
VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications SecurityARM TrustZone builds a trusted execution environment based on the concept of hardware separation. It has been quite successful in defending against various software attacks and forcing attackers to explore vulnerabilities in interface designs and side ...
Cache Attacks on Intel SGX
EuroSec'17: Proceedings of the 10th European Workshop on Systems SecurityFor the first time, we practically demonstrate that Intel SGX enclaves are vulnerable against cache-timing attacks. As a case study, we present an access-driven cache-timing attack on AES when running inside an Intel SGX enclave. Using Neve and Seifert'...
Comments