## Nailgun: Breaking the Privilege Isolation on ARM

Zhenyu Ning

COMPASS Lab Wayne State University



Sep 23, 2019

Nailgun: Breaking the Privilege Isolation on ARM

### Outline



- Background
- Introduction
- Obstacles for Misusing the Traditional Debugging
- Nailgun Attack
- Mitigations
- Conclusion

### Outline



- Background
- Introduction
- Obstacles for Misusing the Traditional Debugging
- Nailgun Attack
- Mitigations
- Conclusion





### Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM

Background



### Breaking the Privilege Isolation on ARM



Nailgun: Breaking the Privilege Isolation on ARM

э

イロト イポト イヨト イヨト





### Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM





- ▶ In Dictionary: Hands, or weapons.
- Company: ARM was a British semiconductor company, now owned by SoftBank.
- Architecture: ARM is a processor architecture designed by ARM company.





- ▶ In Dictionary: Hands, or weapons.
- Company: ARM was a British semiconductor company, now owned by SoftBank.
- Architecture: ARM is a processor architecture designed by ARM company.





- ▶ In Dictionary: Hands, or weapons.
- Company: ARM was a British semiconductor company, now owned by SoftBank.
- Architecture: ARM is a processor architecture designed by ARM company.

・ロト ・得 ト ・ ヨト ・ ヨト ・ ヨー





- ▶ In Dictionary: Hands, or weapons.
- Company: ARM was a British semiconductor company, now owned by SoftBank.
- Architecture: ARM is a processor architecture designed by ARM company.





- ▶ In Dictionary: Hands, or weapons.
- Company: ARM was a British semiconductor company, now owned by SoftBank.
- Architecture: ARM is a processor architecture designed by ARM company.





### Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM



### What is Privilege Isolation?

- Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.
- Isolation In Dictionary: The process or fact of isolating or being isolated.
- In Company: CEO is able to view all the classified docs, but coders can not.



### What is Privilege Isolation?

- Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.
- Isolation In Dictionary: The process or fact of isolating or being isolated.
- In Company: CEO is able to view all the classified docs, but coders can not.



### What is Privilege Isolation?

- Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.
- Isolation In Dictionary: The process or fact of isolating or being isolated.
- In Company: CEO is able to view all the classified docs, but coders can not.



### What is Privilege Isolation?

- Privilege In Dictionary: A special right, advantage, or immunity granted or available only to a particular person or group.
- Isolation In Dictionary: The process or fact of isolating or being isolated.
- In Company: CEO is able to view all the classified docs, but coders can not.



Exception Levels in ARM:

- Exception: is used to divert the normal execution control flow, to allow the processor to handle internal or external events.
- Exception Levels: are used to specify different privileges in ARM processor.



### Normal Mode





### Normal Mode



OS kernel



### Normal Mode

| Normal EL2 |
|------------|
| Normal EL1 |
| Normal EL0 |

Hypervisors

æ

・ロン ・雪 と ・ ヨ と ・ ヨ と



# Normal Mode Secure Mode Normal EL2 Normal EL1 Normal EL0

#### Nailgun: Breaking the Privilege Isolation on ARM





Nailgun: Breaking the Privilege Isolation on ARM





< □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > ... □



### Normal Mode Secure Mode Gatekeeper Secure EL3 Normal EL2 Normal EL1 Secure EL1 Normal EL0 Secure EL0

Nailgun: Breaking the Privilege Isolation on ARM





### Breaking the Privilege Isolation on ARM

Nailgun: Breaking the Privilege Isolation on ARM





### **Breaking** the Privilege Isolation on ARM



Figure source: https://www.123rf.com/

Nailgun: Breaking the Privilege Isolation on ARM

э

イロト イポト イヨト イヨト

### Outline



- Background
- Introduction
- Obstacles for Misusing the Traditional Debugging
- Nailgun Attack
- Mitigations
- Conclusion

3

・ロト ・回ト ・ヨト ・ヨト



Modern processors are equipped with hardware-based debugging features to facilitate on-chip debugging process.

- E.g., hardware breakpoints and hardware-based trace.
- It normally requires cable connection (e.g., JTAG [1]) to make use of these features.





# Debug Target (TARGET)

# **Security**?

<ロ> <同> <同> < 同> < 同>

Nailgun: Breaking the Privilege Isolation on ARM

э







Debug Target (TARGET) Debug Host (HOST)

<ロ> <同> <同> < 同> < 同>

# **Security**?

Nailgun: Breaking the Privilege Isolation on ARM

æ





Nailgun: Breaking the Privilege Isolation on ARM

э

<ロ> <同> <同> < 同> < 同>





э

<ロ> <同> <同> < 同> < 同>





э

<ロ> <同> <同> < 同> < 同>





Э

イロト イポト イヨト イヨト





Э

イロト イポト イヨト イヨト





### Security? We have obstacles for attackers!

► Obstacle 1: Physical access.

• **Obstacle 2**: Debug authentication mechanism.

### Do these obstacles work?





## Security? We have obstacles for attackers!

► Obstacle 1: Physical access.

• **Obstacle 2**: Debug authentication mechanism.

## Do these obstacles work?

## Outline



- Background
- Introduction
- Obstacles for Misusing the Traditional Debugging
- Nailgun Attack
- Mitigations
- Conclusion

3

・ロト ・回ト ・ヨト ・ヨト

Obstacles for Misusing the Traditional Debugging



Obstacles for attackers:

- **Obstacle 1**: Physical access.
- **Obstacle 2**: Debug authentication mechanism.

# Does it really require physical access?

・ロト ・ 同ト ・ ヨト ・ ヨト





・ロット (雪) ( ) ( ) (

-≣⇒





æ

<ロ> <同> <同> < 同> < 同>





Nailgun: Breaking the Privilege Isolation on ARM

æ

<ロ> <同> <同> < 同> < 同>



# Use one to debug another one?

Nailgun: Breaking the Privilege Isolation on ARM

3

イロト 不得 トイヨト イヨト



We can use one processor on the chip to debug another one on the same chip, and we refer it as inter-processor debugging.

- Memory-mapped debugging registers.
  - Introduced since ARMv7.
- ▶ No JTAG, No physical access.

## Inter-Processor Debugging





< □ > <

Obstacles for Misusing the Traditional Debugging



Obstacles for attackers:

- **Obstacle 1**: Physical access.
- **Obstacle 2**: Debug authentication mechanism.

# Does debug authentication work as expected?

・ロト ・ 同ト ・ ヨト ・ ヨト

## Processor in Normal State



## TARGET is executing instructions pointed by pc

Nailgun: Breaking the Privilege Isolation on ARM

イロト イロト イヨト イヨト 三日

## Processor in Non-invasive Debugging



### Non-invasive Debugging: Monitoring without control

Nailgun: Breaking the Privilege Isolation on ARM

## Processor in Invasive Debugging



## Invasive Debugging: Control and change status

Nailgun: Breaking the Privilege Isolation on ARM

## ARM Debug Authentication Mechanism



## Debug Authentication Signal: Whether debugging is allowed

Nailgun: Breaking the Privilege Isolation on ARM

## ARM Debug Authentication Mechanism



#### Four signals for: Secure/Non-secure, Invasive/Non-invasive

Nailgun: Breaking the Privilege Isolation on ARM





문 🛌 문

< □ > < □ > < □





- ARM licenses technology to the System-On-Chip (SoC) Vendors.
  - E.g., ARM architectures and Cortex processors
- **Defines** the debug authentication signals.

・ロッ ・ 一 ・ ・ ・ ・

3.5





- The SoC Vendors develop chips for Original Equipment Manufacturers (OEMs).
  - E.g., Qualcomm Snapdragon SoCs
- **Implement** the debug authentication signals.

・ロッ ・ 一 ・ ・ ・ ・





- The OEMs produce devices for the users.
  - E.g., Samsung Galaxy Series and Huawei Mate Series
- **Configure** the debug authentication signals.

Nailgun: Breaking the Privilege Isolation on ARM

(日)





- Finally, the User can enjoy the released devices.
  - Tablets, smartphones, and other devices
- Learn the status of debug authentication signals.

- ▲ 同 ▶ - ▲ 三

Obstacles for Misusing the Traditional Debugging



Obstacles for attackers:

- Obstacle 1: Physical access.
- **Obstacle 2**: Debug authentication mechanism.

# Does debug authentication work as expected?

イロト 不得 トイヨト イヨト



## What is the status of the signals in real-world device?

How to manage the signals in real-world device?

Nailgun: Breaking the Privilege Isolation on ARM



#### Table: Debug Authentication Signals on Real Devices.

| Category              | Platform / Device      | Debug Authentication Signals |       |        |         |  |
|-----------------------|------------------------|------------------------------|-------|--------|---------|--|
|                       |                        | DBGEN                        | NIDEN | SPIDEN | SPNIDEN |  |
| Development<br>Boards | ARM Juno r1 Board      | ~                            | ~     | ~      | ~       |  |
|                       | NXP i.MX53 QSB         | ×                            | ~     | ×      | ×       |  |
| IoT Devices           | Raspberry PI 3 B+      | ~                            | ~     | ~      | ~       |  |
| Cloud<br>Platforms    | 64-bit ARM miniNode    | ~                            | ~     | ~      | ~       |  |
|                       | Packet Type 2A Server  | ~                            | ~     | ~      | ~       |  |
|                       | Scaleway ARM C1 Server | ~                            | ~     | ~      | ~       |  |
| Mobile<br>Devices     | Google Nexus 6         | ×                            | ~     | ×      | ×       |  |
|                       | Samsung Galaxy Note 2  | ~                            | ~     | ×      | *       |  |
|                       | Huawei Mate 7          | ~                            | ~     | ~      | ~       |  |
|                       | Motorola E4 Plus       | ~                            | ~     | ~      | ~       |  |
|                       | Xiaomi Redmi 6         | ~                            | ~     | ~      | ~       |  |

◆□> ◆□> ◆三> ◆三> ・三 のへで

Nailgun: Breaking the Privilege Isolation on ARM



#### Table: Debug Authentication Signals on Real Devices.

| Category              | Platform / Device      | Debug Authentication Signals |       |        |         |
|-----------------------|------------------------|------------------------------|-------|--------|---------|
|                       |                        | DBGEN                        | NIDEN | SPIDEN | SPNIDEN |
| Development<br>Boards | ARM Juno r1 Board      | ~                            | ~     | ~      | ~       |
|                       | NXP i.MX53 QSB         | ×                            | ~     | ×      | ×       |
| IoT Devices           | Raspberry PI 3 B+      | ~                            | ~     | ~      | ~       |
| Cloud<br>Platforms    | 64-bit ARM miniNode    | ~                            | ~     | ~      | ~       |
|                       | Packet Type 2A Server  | ~                            | ~     | ~      | ~       |
|                       | Scaleway ARM C1 Server | ~                            | ~     | ~      | ~       |
| Mobile<br>Devices     | Google Nexus 6         | ×                            | ~     | ×      | ×       |
|                       | Samsung Galaxy Note 2  | ~                            | ~     | ×      | *       |
|                       | Huawei Mate 7          | ~                            | ~     | ~      | ~       |
|                       | Motorola E4 Plus       | ~                            | ~     | ~      | ~       |
|                       | Xiaomi Redmi 6         | ~                            | ~     | ~      | ~       |

◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで

Nailgun: Breaking the Privilege Isolation on ARM



Table: Debug Authentication Signals on Real Devices.

| Category              | Platform / Device      | Debug Authentication Signals |          |                      |         |  |
|-----------------------|------------------------|------------------------------|----------|----------------------|---------|--|
|                       |                        | DBGEN                        | NIDEN    | SPIDEN               | SPNIDEN |  |
| Development<br>Boards | ARM Juno r1 Board      | <b>v</b>                     | <b>v</b> | <b>v</b>             | ✓       |  |
|                       | NXP i.MX53 QSB         | ×                            | ~        | ×                    | ×       |  |
| loT Devices           | Raspberry PI 3 B+      | <b>v</b>                     | <b>v</b> | <b>v</b>             | ✓       |  |
| Cloud<br>Platforms    | 64-bit ARM miniNode    | <b>v</b>                     | <b>v</b> | <b>v</b>             | ✓       |  |
|                       | Packet Type 2A Server  | <b>v</b>                     | <b>v</b> | <b>v</b>             | ✓       |  |
|                       | Scaleway ARM C1 Server | <ul> <li></li> </ul>         | ~        | <ul> <li></li> </ul> | ✓       |  |
| Mobile<br>Devices     | Google Nexus 6         | ×                            | ~        | ×                    | ×       |  |
|                       | Samsung Galaxy Note 2  | ~                            | ~        | ×                    | ×       |  |
|                       | Huawei Mate 7          | <b>v</b>                     | <b>v</b> | <b>v</b>             | ✓       |  |
|                       | Motorola E4 Plus       | <b>v</b>                     | <b>v</b> | <b>v</b>             | ✓       |  |
|                       | Xiaomi Redmi 6         | <ul> <li></li> </ul>         | ~        | <ul> <li></li> </ul> | ✓       |  |

Nailgun: Breaking the Privilege Isolation on ARM

イロト イヨト イヨト イヨト 三日



## How to manage the signals in real-world device?

- For both development boards with manual, we cannot fully control the debug authentication signals.
  - Signals in i.MX53 QSB can be enabled by JTAG.
  - The DBGEN and NIDEN in ARM Juno board cannot be disabled.
- In some mobile phones, we find that the signals are controlled by One-Time Programmable (OTP) fuse.

# For all the other devices, nothing is publicly available.

Obstacles for Misusing the Traditional Debugging



Obstacles for attackers:

#### Obstacle 1: Physical access.

We don't need physical access to debug a processor.

Obstacle 2: Debug authentication mechanism.
 The debug authentication mechanism allows us to debug the processor.

・ロッ ・雪 ・ ・ ヨ ・ ・

## Outline



- Background
- Introduction
- Obstacles for Misusing the Traditional Debugging
- Nailgun Attack
- Mitigations
- Conclusion

3

・ロト ・回ト ・ヨト ・ヨト

## Inter-processor Debugging





## Inter-processor Debugging







#### A Multi-processor SoC System



An example SoC system:

- ► Two processors as HOST and TARGET, respectively.
- Low-privilege and High-privilege resource.

(a)



#### A Multi-processor SoC System



- Low-privilege refers to non-secure kernel-level privilege
- High-privilege refers to any other higher privilege



#### A Multi-processor SoC System



Both processors are only access low-privilege resource.

- Normal state
- Low-privilege mode

イロト イポト イヨト イヨト



#### A Multi-processor SoC System



## HOST sends a **Debug Request** to TARGET,

- TARGET checks its authentication signal.
- Privilege of HOST is ignored.

イロト イポト イヨト イヨト



#### A Multi-processor SoC System



## HOST sends a **Debug Request** to TARGET,

- TARGET checks its authentication signal.
- Privilege of HOST is ignored.

イロト イポト イヨト イヨト



#### A Multi-processor SoC System



Implication: A low-privilege processor can make an arbitrary processor (even a high-privilege processor) enter the debug state.

< ロ > < 同 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ >



#### A Multi-processor SoC System



TARGET turns to **Debug State** according to the request.

- Low-privilege mode
- No access to high-privilege resource

- 4 同 6 4 日 6 4 日 6



#### A Multi-processor SoC System



HOST sends a Privilege Escalation Request to TARGET,

- E.g., executing DCPS series instructions.
- The instructions can be executed at any privilege level.



#### A Multi-processor SoC System



Implication: The privilege escalation instructions enable a processor running in the debug state to gain a high privilege without restriction.



#### A Multi-processor SoC System



TARGET turns to **High-privilege Mode** according to the request.

- Debug state, high-privilege mode
- Gained access to high-privilege resource



#### A Multi-processor SoC System



HOST sends a Resource Access Request to TARGET,

- E.g., accessing secure RAM/register/peripheral.
- Privilege of HOST is ignored.



#### A Multi-processor SoC System



Implication: The instruction execution and resource access in TARGET does not take the privilege of HOST into account.

(a)



#### A Multi-processor SoC System



TARGET return the result to HOST,

- i.e., content of the high-privilege resource.
- Privilege of HOST is ignored.

< ロ > < 同 > < 回 > < 回 >



#### A Multi-processor SoC System



HOST gains access to the high-privilege resource while running in,

- Normal state
- Low-privilege mode



Nailgun: Break the privilege isolation of ARM platform.

- Achieve access to high-privilege resource via misusing the ARM debugging features.
- Can be used to craft different attacks.

# Attack Scenarios



- Implemented Attack Scenarios:
  - Inferring AES keys from TrustZone.
  - Read Secure Configuration Register (SCR).
  - Arbitrary payload execution in TrustZone.
- Covered Architectures:
  - ARMv7, 32-bit ARMv8, and 64-bit ARMv8 architecture.
- Vulnerable Devices:
  - Development boards, IoT devices, cloud platforms, mobile devices.

# Attack Scenarios



- Implemented Attack Scenarios:
  - Inferring AES keys from TrustZone.
  - Read Secure Configuration Register (SCR).
  - Arbitrary payload execution in TrustZone.
- Covered Architectures:
  - ARMv7, 32-bit ARMv8, and 64-bit ARMv8 architecture.
- Vulnerable Devices:
  - Development boards, IoT devices, cloud platforms, mobile devices.





- DLR\_EL0 points to the debug return address.
- ▶ VBAR\_EL3 points to the exception vector in EL3.





 With Nailgun, we can directly copy the payload to the secure memory.

Nailgun: Breaking the Privilege Isolation on ARM

э





 Modify the instruction pointed by *DLR\_EL0* to get into TrustZone.

Nailgun: Breaking the Privilege Isolation on ARM

3





 Manipulate the exception vector to execute the payload while the SMC exception is routed to EL3.





#### The last instruction of the payload should be eret.

3





#### Make TARGET exit the debug state.

Nailgun: Breaking the Privilege Isolation on ARM

3





► *ELR\_EL3* points to the exception return address.

Nailgun: Breaking the Privilege Isolation on ARM

э





### The payload get executed.

Nailgun: Breaking the Privilege Isolation on ARM

3

・ロト ・回ト ・ヨト ・ヨト





In the payload, we first restore the exception vector.

э





- ▶ Roll back the *ELR\_EL3* register.
- Revert the modified instruction.

э





### ► The *eret* instruction will finish the exception handle process.

э

イロト 不得 とくほ とくほう





After that, everything goes back to the original state.

э



Fingerprint extraction in commercial mobile phone.

- Deivce: Huawei Mate 7 (MT-L09)
- Firmware: MT7-L09V100R001C00B121SP05
- ► Fingerprint sensor: FPC1020

We choose this phone because the manual and driver of the fingerprint sensor is publicly available. Similar attack can be demonstrated on other devices with enabled debug authentication signals.



- ► Step 1: Learn the location of fingerprint data in secure RAM.
  - Achieved by reverse engineering.
- Step 2: Extract the data.
  - With the inter-processor debugging in Nailgun.
- Step 3: Restore fingerprint image from the extracted data.
  - Read the publicly available sensor manual.





- The right part of the image is blurred for privacy concerns.
- Source code: https://compass.cs.wayne.edu/nailgun/
- The issue has been fixed in Huawei devices.

< ロ > < 同 > < 回 > < 回 >



◆□▶ ◆□▶ ◆目▶ ◆目▶ 目 のへぐ

### Disclosure



| March 2018 -    | Preliminary findings are reported to ARM            |
|-----------------|-----------------------------------------------------|
| August 2018 -   | Report to ARM and related OEMs with enriched result |
| October 2018 -  | Issue is reported to MITRE                          |
| February 2019 - | PoCs and demos are released                         |
| April 2019 -•   | CVE-2018-18068 is released                          |

Nailgun: Breaking the Privilege Isolation on ARM

< □ > < □ > < □ > < □ > < □ > < □ > = □

# Outline



- Background
- Introduction
- Obstacles for Misusing the Traditional Debugging
- Nailgun Attack
- Mitigations
- Conclusion

3

・ロト ・回ト ・ヨト ・ヨト

Mitigations



# Simply disable the signals?

Nailgun: Breaking the Privilege Isolation on ARM



Simply disable the authentication signals?

- Existing tools rely on the debug authentication signals.
  - E.g., [2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
- Unavailable management mechanisms.
- OTP feature, cost, and maintenance.

# Mitigations



We suggest a comprehensive defense across different roles in the ARM ecosystem.

- For ARM, additional restriction in inter-processor debugging model.
- For SoC vendors, refined signal management and hardware-assisted access control to debug components.
- ► For OEMs and cloud providers, software-based access control.

< ロ > < 同 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < 回 > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ >

## Outline



- Background
- Introduction
- Obstacles for Misusing the Traditional Debugging
- Nailgun Attack
- Mitigations
- Conclusion

3

・ロト ・回ト ・ヨト ・ヨト





- We present a study on the security of hardware debugging features on ARM platform.
- "Safe" components in legacy systems may be vulnerable in advanced systems.
- We suggest a comprehensive rethink on the security of legacy mechanisms.

イロト 不得 トイヨト イヨト 二日

### References I



- IEEE, "Standard for test access port and boundary-scan architecture," https://standards.ieee.org/findstds/standard/1149.1-2013.html.
- [2] D. Balzarotti, G. Banks, M. Cova, V. Felmetsger, R. Kemmerer, W. Robertson, F. Valeur, and G. Vigna, "An experience in testing the security of real-world electronic voting systems," <u>IEEE Transactions on Software</u> Engineering, 2010.
- [3] S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, and M. Blaze, "Why (special agent) johnny (still) can't encrypt: A security analysis of the APCO project 25 two-way radio system," in <u>Proceedings of</u> the 20th USENIX Security Symposium (USENIX Security'11), 2011.
- [4] L. Cojocar, K. Razavi, and H. Bos, "Off-the-shelf embedded devices as platforms for security research," in Proceedings of the 10th European Workshop on Systems Security (EuroSec'17), 2017.
- N. Corteggiani, G. Camurati, and A. Francillon, "Inception: System-wide security testing of real-world embedded systems software," in <u>Proceedings of the 27th USENIX Security Symposium (USENIX</u> Security'18), 2018.
- [6] L. Garcia, F. Brasser, M. H. Cintuglu, A.-R. Sadeghi, O. A. Mohammed, and S. A. Zonouz, "Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit," in <u>Proceedings of 24th Network</u> and Distributed System Security Symposium (NDSS'17), 2017.
- K. Koscher, T. Kohno, and D. Molnar, "SURROGATES: Enabling near-real-time dynamic analyses of embedded systems," in <u>Proceedings of the 9th USENIX Workshop on Offensive Technologies (WOOT'15)</u>, 2015.
- [8] Y. Lee, I. Heo, D. Hwang, K. Kim, and Y. Paek, "Towards a practical solution to detect code reuse attacks on ARM mobile devices," in Proceedings of the 4th Workshop on Hardware and Architectural Support for Security and Privacy (HASP'15), 2015.
- [9] S. Mazloom, M. Rezaeirad, A. Hunter, and D. McCoy, "A security analysis of an in-vehicle infotainment and app platform," in Proceedings of the 10th USENIX Workshop on Offensive Technologies (WOOT'16), 2016.

・ロッ ・雪 ・ ・ ヨ ・ ・ ヨ ・

## References II



- [10] Z. Ning and F. Zhang, "Ninja: Towards transparent tracing and debugging on ARM," in <u>Proceedings of the</u> 26th USENIX Security Symposium (USENIX Security'17), 2017.
- [11] J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti et al., "AVATAR: A framework to support dynamic security analysis of embedded systems' firmwares," in <u>Proceedings of 21st Network and Distributed System Security</u> Symposium (NDSS'14), 2014.

3

Thank you!



# Questions?

zhenyu.ning@wayne.edu



http://compass.cs.wayne.edu

Nailgun: Breaking the Privilege Isolation on ARM

э

**Backup Slides** 



# **Backup Slides**

Nailgun: Breaking the Privilege Isolation on ARM

3

ヘロン ヘロン ヘビン ヘビン

# Nailgun in different ARM architecture



► 64-bit ARMv8 architecture: ARM Juno r1 board.

- Embedded Cross Trigger (ECT) for debug request.
- Binary instruction to Instruction Transfer Register (ITR).
- ► 32-bit ARMv8 architecture: Raspberry PI Model 3 B+.
  - Embedded Cross Trigger (ECT) for debug request.
  - First and last half of binary instruction should be reversed in ITR.
- ARMv7 architecture: Huawei Mate 7.
  - Use Debug Run Control Register for debug request.
  - Binary instruction to Instruction Transfer Register (ITR).



### In normal state, TARGET is executing instructions pointed by pc

Nailgun: Breaking the Privilege Isolation on ARM



### In debug state, TARGET stops executing the instruction at pc

Nailgun: Breaking the Privilege Isolation on ARM



### In debug state, write binary instruction to ITR for execution

Nailgun: Breaking the Privilege Isolation on ARM

(日) (間) (目) (日) (日)



### In debug state, write binary instruction to ITR for execution

Nailgun: Breaking the Privilege Isolation on ARM



### In debug state, write binary instruction to ITR for execution

Nailgun: Breaking the Privilege Isolation on ARM

(日) (間) (目) (日) (日)