Asia-24-Pinto-What-The-TrustZone-M-Doesnt-See.pdf


#BHASIA BlackHatEvents

What the TrustZone-M Doesn't See, the MCU Does Grieve Over
Lessons Learned from Assessing a Microcontroller TEE
Cristiano Rodrigues | Sandro Pinto, PhD (Centro ALGORITMI/LASI, Universidade do Minho)

AGENDA
01 Introduction: Background and Motivation
02 A Bumpy but Revealing Journey: Weak Protections, TEE Assessment and our Responsible Disclosure Journey
03 What Can Go Wrong: Attack Examples and "Live" Demo
04 Lessons Learned: Advice for HW&SW providers and System Designers
05 Summary: Final Thoughts and BH Sound Bytes

Introduction: Background and Motivation

INTERNET OF THINGS: HOME APPLIANCES, WEARABLES, DRONES, HARDWARE WALLETS, MEDICAL DEVICES, SMART CITIES, SMART FACTORIES, AUTONOMOUS VEHICLES, AI-ENABLED EDGE DEVICES, SMART AGRICULTURE

THE AGE OF CYBERWARFARE

INTERNET OF THINGS, MCU, TRUSTZONE

Armv8-M TrustZone
[Figure: Armv6/7-M Processor Modes (THREAD, HANDLER) and Armv6/7-M Privilege Levels (Unprivileged, Privileged), giving the Armv6/7-M Base Architecture: Unpriv. THREAD, Priv. THREAD, Priv. HANDLER. The Armv8-M TrustZone Architecture shows this set x2: Non-Secure State and Secure State.]
[Figure: Armv8-M CPU. Labels: Armv8-M Processor Core (Non-Secure State, Secure State), Access Permissions Checks, SAU+IDAU, MPU_NS, MPU_S, Memory Access, Memory.]

CPU Protection vs System Protection
[Figure: MCU containing the Armv8-M CPU, Memory, DMA and Other Peripherals. Labels: Armv8-M Processor Core; SAU and MPU (Armv8-M Memory Protection Controllers); MPC (Vendor-Specific Memory Protection Controllers); Priv. Access Permissions; Secure Unprivileged access to 0x100.]

ACCESS POLICIES
ADDR    SAU   MPU
0x100   S     Priv
0x200   NS    Unpriv
0x300   S     Unpriv
0x400   S     Priv
0x500   NS    Priv

CPU-Only Protections (Armv8-M)
System-Wide Protection (Vendors)

Platform Security Architecture (PSA)
[Figure: SECURE WORLD and NORMAL WORLD on the CPU, with NSPE SW and SPE SW. SPE SW is split into PRIV. (Privileged Secure Software, Privileged Secure Services; THREAD and HANDLER) and UNPRIV. (Unprivileged Secure Software; THREAD). Labels: ARoT 1, ARoT 2, ARoT N; PRoT 1, PRoT 2, PRoT N; SPM, IPC, IRQ.]
[Figure: PSA Level 1, PSA Level 2 and PSA Level 3, each showing SECURE WORLD and NORMAL WORLD on the CPU with NSPE SW, Kernel, PRoTs and ARoTs; the PSA Level 3 diagram shows ARoT1 and ARoTN individually.]

PARADOXICAL OBSERVATIONS
TRUSTZONE-M HAS A CPU-CENTRIC VIEW: Armv8-M Only Defines Protection Controllers at The CPU-level (MPU, SAU, IDAU)
SYSTEM-WIDE PROTECTIONS ARE PROPRIETARY: Vendors Are Forced to Develop System Protection Controllers (PPCs, MPCs)
MISMATCH BETWEEN TZ-M AND PSA LEVELS: PSA Level 2/3 Need CPU- and System-level Memory Protection Controllers (the latter isn't defined by Armv8-M)

Hypothesis
While System-Wide protections are a must, Armv8-M only defines CPU-level memory protections. We hypothesize that this dichotomy (together with a lack of understanding of the PSA isolation levels) may open security holes in modern TrustZone-M systems.

A Bumpy but Revealing Journey: Weak Protections, TEE Assessment and our Responsible Disclosure Journey
MICROCHIP SAML11, TRUSTONIC Kinibi-M

MICROCHIP SAML11
Page 17 - Microchip. SAM L10/L11 Family Data Sheet. Tech. rep. Microchip, June 2020. Annotated on the slide: MPU, SAU, IDAU, MPC?
Page 53 - Microchip. SAM L10/L11 Family Data Sheet. Tech. rep. Microchip, June 2020. Annotated on the slide: What about Privilege and Non-Privileged? What about Memory Protection at the System-Level?

SAML11 WEAK PROTECTIONS
[Figure: Armv8-M CPU, Memory, DMA and Other Peripherals. Labels: Armv8-M Processor Core, TZ Access Permissions, Priv. Access Permissions, TZ & Priv. Access Permissions, NS, S.]
PAC Distinguishes Only Security States
SAML11 doesn't have MPC
Secure Unprivileged: S. Unpriv. Try To Access S Priv Mem

PSA Certification
[Figure: SAML11 with the PSA Level 1 diagram (SECURE WORLD, NORMAL WORLD, NSPE SW, CPU, Kernel, PRoTs, ARoTs); SAML11+Kinibi-M with the PSA Level 1 and PSA Level 2 diagrams.]

SAML11 WEAK PROTECTIONS
PSA Level 2? Difficult Without MPC

Responsible Disclosure: Microchip
We reported to Microchip that the lack of an MPC may create security issues, especially at PSA Level 2/3. Microchip didn't take any action!

69、 BLACKHAT24TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2PRoTsImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2PRoTsARoTsCould be BothImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24TRUSTONIC KINIBI-MSECURE WORL

70、DNORMAL WORLDNSPESWCPUKernelPSA Level 2PRoTsARoTsImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT and ARoT as a Secure ModuleTRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2PRoTsARoTsImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT an

71、d ARoT as a Secure ModuleText:Pag.4-Kinibi-M Developers Guide TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2PRoTsARoTsImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT and ARoT as a Secure ModuleText:Pag.4-Kinibi-M Developers Guide TRUSTONIC KINIBI-MSECURE

72、 WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2PRoTsARoTsImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT and ARoT as a Secure ModuleTRUSTONIC KINIBI-MImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT and ARoT as a Secure ModuleSECURE WORLDNORMAL WORLDNSPESW

73、CPUKernelPSA Level 2 PRoTsARoTsTRUSTONIC KINIBI-MImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT and ARoT as a Secure ModuleSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2 PRoTsARoTsPSA Level 2?TRUSTONIC KINIBI-MImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refe

74、rs to PRoT and ARoT as a Secure ModuleSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2 PRoTsARoTsPSA Level 2?Text:Pag.5-Kinibi-M Developers Guide TRUSTONIC KINIBI-MImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT and ARoT as a Secure ModuleSECURE WORLDNORMAL WORLDNSPESWCPUKe

75、rnelPSA Level 2 PRoTsARoTsPSA Level 2?Text:Pag.5-Kinibi-M Developers Guide TRUSTONIC KINIBI-MImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT and ARoT as a Secure ModuleSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2 PRoTsARoTsPSA Level 2?Text:Pag.5-Kinibi-M Developers Guid

76、e TRUSTONIC KINIBI-MImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinibi-M Refers to PRoT and ARoT as a Secure ModuleSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2 PRoTsARoTsPSA Level 2?Text:Pag.5-Kinibi-M Developers Guide TRUSTONIC KINIBI-MImage:Pag.3-Kinibi-M Developers Guide BLACKHAT24Kinib

77、i-M Refers to PRoT and ARoT as a Secure ModuleSECURE WORLDNORMAL WORLDNSPESWCPUKernelPSA Level 2 PRoTsARoTsPSA Level 2?Text:Pag.5-Kinibi-M Developers Guide PSA Level 3?TRUSTONIC KINIBI-MBLACKHAT24Text:Pag.4-Kinibi-M Developers Guide SECURE WORLDNORMAL WORLDNSPESWCPUKernelPRoTsARoTsTRUSTONIC KINIBI-M

78、BLACKHAT24Text:Pag.4-Kinibi-M Developers Guide SECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNTRUSTONIC KINIBI-MBLACKHAT24Text:Pag.4-Kinibi-M Developers Guide SECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNMicrokernel-like ArchitectureTRUSTONIC KINIBI-MBLACKHAT24Text:Pag.4-Ki

79、nibi-M Developers Guide SECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNMicrokernel-like ArchitecturePSA Level?TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelPRoTsARoTsBLACKHAT24Text:Pag.4-Kinibi-M Developers Guide TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelPRoTsAR

80、oTsBLACKHAT24Text:Pag.4-Kinibi-M Developers Guide MPUTRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelPRoTsARoTsBLACKHAT24Text:Pag.4-Kinibi-M Developers Guide MPUJust MPU?TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi-M ArchitectureESRGv3BLACKHAT24TRUSTON

81、IC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi-M ArchitectureSeems Probably More then PSA Level 3ESRGv3BLACKHAT24TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi-M ArchitectureSeems Probably More then PSA Level 3ESRGv3BLACKHAT24TRUSTON

82、IC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi-M ArchitectureSeems Probably More then PSA Level 3Microchip SAML11ESRGv3BLACKHAT24TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi-M ArchitectureSeems Probably More then PSA Level 3Microch

83、ip SAML11Only PSA Level 1&No MPCESRGv3BLACKHAT24Kinibi-M TEESECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi-M ArchitectureSeems Probably More then PSA Level 3Microchip SAML11Only PSA Level 1&No MPCESRGv3BLACKHAT24TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPR

84、oT1PRoTNKinibi-M ArchitectureSeems Probably More then PSA Level 3Microchip SAML11Only PSA Level 1&No MPCESRGv3BLACKHAT24TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi-M ArchitectureSeems Probably More then PSA Level 3Microchip SAML11Only PSA Level 1&No MPCSAU+IDA

85、UESRGv3BLACKHAT24TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi-M ArchitectureSeems Probably More then PSA Level 3Microchip SAML11Only PSA Level 1&No MPCMPUSAU+IDAUESRGv3BLACKHAT24TRUSTONIC KINIBI-MSECURE WORLDNORMAL WORLDNSPESWCPUKernelARoT1ARoTNPRoT1PRoTNKinibi

86、-M ArchitectureSeems Probably More then PSA Level 3Microchip SAML11Only PSA Level 1&No MPCMPUSAU+IDAUMPCESRGv3BLACKHAT24With this gap of protection,a Secure Unprivilegedapplication that has been granted a DMA can bypass all Kinibi-M security mechanism and achieve arbitrary read,write or execute capa

87、bilitiesObservationSAML11Responsible Disclosure TrustonicA JourneyJan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thWe Contact Trustonic Reporting our Findings1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTrustonic Security Team Acknowledgedthe Reception of Our Report

88、1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTrustonic Security Team Provided 1stFeedback1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thWe Respond to 1stFeedback1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTrustonic Security Team Provided 2nd

89、Feedback1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thWe Respond to 2ndFeedback1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTrustonic Security Team Provided 3rd and last Feedback1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thWe Sent a Last Res

90、ponse Wrapping up the Responsible Disclosure1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTopic:Evaluatoin SDK vs Comercial SDKJan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTopic:Attestation Secure Modules Topic:Evaluatoin SDK vs Comercial SDKJan 10thJan 12thJan 3

91、0thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTopic:Attestation Secure Modules Topic:DMA PermissionsTopic:Evaluatoin SDK vs Comercial SDKJan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTopic:Attestation Secure Modules Topic:DMA PermissionsTopic:Evaluatoin SDK vs Comercial SDKJan 10thJan 1

92、2thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTopic:Evaluatoin SDK vs Comercial SDK“We note that you are using the Kinibi-M evaluation SDK,not the full(commercial)production SDK.()Kinibi-M evaluation()is deliberately more flexible than a commercial()production SDK”1 Jan 10thJan 12thJan 30thJan 3

93、1stFeb 9thFeb 14thFeb 16thMar 10th132Topic:Evaluatoin SDK vs Comercial SDK“We note that you are using the Kinibi-M evaluation SDK,not the full(commercial)production SDK.()Kinibi-M evaluation()is deliberately more flexible than a commercial()production SDK”1 We were only granted access to the evaluat

94、ion SDK,thus all assessments andconclusions presented on this talk are derived form documentation and artifacts fromthe Evaluation SDK.DISCLAIMER Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10th132Topic:Evaluatoin SDK vs Comercial SDK“We note that you are using the Kinibi-M evaluation

95、 SDK,not the full(commercial)production SDK.()Kinibi-M evaluation()is deliberately more flexible than a commercial()production SDK”1 We still think commercial version may suffer from the same problem(the underlying architecture problem is the same,weak hardware protections on SAML11)We were only gra

96、nted access to the evaluation SDK,thus all assessments andconclusions presented on this talk are derived form documentation and artifacts fromthe Evaluation SDK.DISCLAIMER Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10th1321 Topic:Attestation Secure Modules Topic:DMA PermissionsTopic:

97、Evaluatoin SDK vs Comercial SDKJan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTopic:Attestation Secure Modules Topic:DMA PermissionsTopic:Evaluatoin SDK vs Comercial SDKJan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTopic:Attestation Secure ModulesYou cannot install m

98、alicious modules because,“all modules must be signed,and are validated atinstall time against a protected list of signing keys”(attestation).1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10th132Topic:Attestation Secure ModulesYou cannot install malicious modules because,“all modules m

99、ust be signed,and are validated atinstall time against a protected list of signing keys”(attestation).1 The Evaluation SDK doesnt support attestation of secure modules so we couldfreely instantiate secure modules,but in the Commercial SDK only OEMs caninstantiate modules and they are all signed and

100、validated.DISCLAIMER Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10th132Topic:Attestation Secure ModulesYou cannot install malicious modules because,“all modules must be signed,and are validated atinstall time against a protected list of signing keys”(attestation).1 The Evaluation SDK

101、 doesnt support attestation of secure modules so we couldfreely instantiate secure modules,but in the Commercial SDK only OEMs caninstantiate modules and they are all signed and validated.DISCLAIMER Attesting OEMs Secure Modules offers no guarantees that the Secure Module has no defects.Jan 10thJan

102、12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10th1321 Topic:Attestation Secure ModulesYou cannot install malicious modules because,“all modules must be signed,and are validated atinstall time against a protected list of signing keys”(attestation).1 The Evaluation SDK doesnt support attestation of

103、secure modules so we couldfreely instantiate secure modules,but in the Commercial SDK only OEMs caninstantiate modules and they are all signed and validated.DISCLAIMER Attesting OEMs Secure Modules offers no guarantees that the Secure Module has no defects.Unless OEMs code is formally verified(which

104、,as far as we know,is not the industry standard)weshould(by probability)expect bugs and vulnerabilities.Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10th1321 1 TAKEAWAYWe argue that there is a naive trust in OEM developers.Even if there is no malicious intent,unintended bugs may be int

105、roduced in the code which may lead to a vulnerability,e.g.,privileged escalation.1 Jan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10thTopic:Attestation Secure Modules Topic:DMA PermissionsTopic:Evaluatoin SDK vs Comercial SDKJan 10thJan 12thJan 30thJan 31stFeb 9thFeb 14thFeb 16thMar 10th

Topic: DMA Permissions

It's true that a Secure Module with access to a DMA can effectively access any part of the system, it is a common limitation of low-cost hardware, however it is far from an open door

“Access to the DMA controller needs to be granted, and the best practice guidance in the production SDK (which we acknowledge you do not have) explains how to lock down access to devices from less trusted developers”

Contradictory ideas: on one side, Trustonic admits that a Secure Module with DMA access has full access to the system, and, on the other side, Trustonic claims that it is not an open door.

DMA access should not need to be granted but MEDIATED (because of the lack of hardware mechanisms). Kinibi-B should mediate access from ALL Secure Modules via a DMA interposer.

We proposed to share the DMA interposer mechanism to fix the DMA issue.

TAKEAWAY

We argue that there is a lack of understanding of the limitations of the underlying hardware (where Kinibi-M runs) and of the software mechanisms needed to enforce the claimed protections.

Topic: No Native DMA Support
Topic: No System MMU & DMA permissions
Topic: Native FLASH Access Mediation but not Native DMA mediation.

Topic: No Native DMA Support

“Kinibi-M for SAML11 does not ship with a Secure World DMA module, and it is left up to customers to source one or do without.”

“In our architecture it would be up to the OEM provided DMA module to provide that mediation”

OEMs have to source one DMA module if they want to use a DMA. We don't think this is a good approach, because it forces OEMs to trust each other (which they don't). It also increases the probability of a bug/vulnerability.

TAKEAWAY

We argue that there is a lack of understanding of the multi-OEM threat model. In a multistakeholder scenario (i.e., multiple OEMs), OEMs don't trust each other.

Topic: No System MMU & DMA permissions

“You have at most revealed that this device has no system MMU (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules”

A System MMU is an access control IP used in platforms with virtual memory. In Cortex-M (MCU) platforms there is no SMMU, but MPC (Memory Protection Controller) and PPC (Peripheral Protection Controller).

The PPC/MPC in SAML11 cannot enforce access control in terms of privilege levels. If you directly assign a DMA device to an OEM, you are basically granting them full control of the system.

Kinibi-M should provide native DMA support, since it is a critical piece of infrastructure for microcontrollers, due to the power- and resource-constrained nature of these devices.

TAKEAWAY

We argue there is a lack of understanding about the memory protection controllers of microcontrollers (system-wide protection mechanisms).

Topic: Native FLASH Access Mediation but not Native DMA mediation.

“Kinibi-M fully supports secure identification of module-to-module caller identity precisely to support this sort of use case. For example this is the pattern we use to mediate access to flash storage provided by our secure storage module.”

Kinibi-M provides mediation for flash storage, but why doesn't it offer similar mediation for DMA? DMA is also a critical service, arguably even more.

TAKEAWAY

We argue that there is a lack of understanding regarding the criticality of a core service such as the DMA. If mismanaged, it can grant full access to all system memory.

Topic: Clarification of who should provide DMA mediator
Topic: Requests to Trustonic
Topic: Clarification of Kinibi-M isolation levels

Topic: Clarification of Kinibi-M isolation levels

“Kinibi-M pre-dates Arm PSA and was not built on the PSA architecture. (...) In some areas we do more than PSA (any level) in others we do less. That is why we do not claim PSA Level 3 and have not certified against it.”

TAKEAWAY

We argue there is a lack of awareness and mapping regarding the PSA isolation levels on Kinibi-M.

Topic: Clarification of who should provide DMA mediator

“This device has only (at most) 64kb of flash and a 16kb of ram. There are very few use cases for secure world DMA. In practice most customers simply disable the use of DMA in the secure world, preventing any potential abuse.”

“If needed, DMA access should be provided and mediated by a “system” module. That is what we have said all along. However, that module needs to be provided by an OEM. It is not provided by Trustonic.”

We strongly believe that not providing DMA mediation is not a good security practice.

DMAs are key components (but bus masters!) in MCU-based platforms. Not providing a DMA module (or leaving that to OEMs) limits the capabilities of the system on one side and leaves an open threat vector on the other side.

Requests to Trustonic

To issue a Security Advisory.
Clarify the documentation, clearly communicating the limitations of Evaluation SDK vs Commercial SDK.
Provide us access to the Commercial SDK for internal assessment.

NO RESPONSE TO OUR REQUESTS!

SUMMING UP (Jan 31st)

1. We could only validate our claims on the Evaluation SDK (the only SDK we were granted permissions);
2. Secure Modules (from OEMs) are signed and validated on the Commercial Version;
3. We think attestation is orthogonal to the problem we discussed in this presentation;
4. Official Kinibi-M claims only PSA Level 2 ready, but its secure architecture claims higher protection levels (not backed by any hardware or software mechanism);
5. There is no DMA mediator, the responsibility is left to the OEMs, and by default Kinibi-M has no control of such an important core service, able to disrupt all system;

SAML11 DMA Mediation
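The mediator this talk proposes is invoked by the TEE kernel, keeps a whitelist of module ID, base address and size, and rejects callers that are not listed. As an added example (not the authors', Trustonic's or Microchip's code), here is that check in host-runnable C; the identifiers, the `dma_program_fn` hook and the table size are assumptions, and the single whitelist entry (ARoT 1, 0x20000000, 0x1000) is the one shown on the slide.

```c
/* Added example: software DMA mediator check. Not Kinibi-M or vendor code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WHITELIST_SLOTS 5u   /* assumed table size */
#define ID_UNUSED 0u         /* empty slot */
#define ID_AROT1  1u         /* hypothetical module identifiers */
#define ID_AROT2  2u

typedef enum {
    DMA_OK = 0,
    DMA_ERR_ARG,              /* NULL or zero-length request */
    DMA_ERR_NOT_WHITELISTED,  /* caller has no entry in the table */
    DMA_ERR_RANGE             /* caller is listed, range leaves its window */
} dma_status_t;

typedef struct {
    uint32_t id;    /* module identity, supplied by the TEE kernel */
    uint32_t base;  /* first address the module may reach through DMA */
    uint32_t size;  /* window length in bytes */
} dma_window_t;

typedef struct { uint32_t src, dst, len; } dma_request_t;

/* Hook that programs the DMA controller; only the mediator calls it. */
typedef void (*dma_program_fn)(const dma_request_t *req);

/* Constructed whitelist: one entry as on the slide, remaining slots unused. */
static const dma_window_t whitelist[WHITELIST_SLOTS] = {
    { ID_AROT1, 0x20000000u, 0x1000u },
};

/* True when [addr, addr+len) lies inside [base, base+size). Works on offsets
 * so that addr+len wrapping past 0xFFFFFFFF cannot pass the check. */
static bool range_inside(uint32_t addr, uint32_t len, uint32_t base, uint32_t size)
{
    if (len == 0u || addr < base)
        return false;
    uint32_t off = addr - base;
    return off < size && len <= size - off;
}

/* Looks for a window owned by `id` that covers the range; `*known` records
 * whether the caller has any entry at all. */
static bool caller_may_access(uint32_t id, uint32_t addr, uint32_t len, bool *known)
{
    for (size_t i = 0; i < WHITELIST_SLOTS; i++) {
        if (whitelist[i].id != id)
            continue;
        *known = true;
        if (range_inside(addr, len, whitelist[i].base, whitelist[i].size))
            return true;
    }
    return false;
}

/* Entry point invoked by the TEE kernel. `caller_id` must come from the
 * kernel's own bookkeeping, never from the requesting module. Deny by default. */
dma_status_t dma_mediator_request(uint32_t caller_id, const dma_request_t *req,
                                  dma_program_fn program)
{
    bool known = false;
    if (req == NULL || program == NULL || caller_id == ID_UNUSED || req->len == 0u)
        return DMA_ERR_ARG;
    /* Source and destination are both checked: a DMA copy reads and writes. */
    bool src_ok = caller_may_access(caller_id, req->src, req->len, &known);
    bool dst_ok = caller_may_access(caller_id, req->dst, req->len, &known);
    if (!known)
        return DMA_ERR_NOT_WHITELISTED;
    if (!src_ok || !dst_ok)
        return DMA_ERR_RANGE;
    program(req);  /* the controller is touched only after both checks pass */
    return DMA_OK;
}

/* Test double for the controller hook: counts how often it was programmed. */
static unsigned programmed_count;
static void fake_program(const dma_request_t *req) { (void)req; programmed_count++; }

dma_status_t try_request(uint32_t caller, uint32_t src, uint32_t dst, uint32_t len)
{
    dma_request_t req = { src, dst, len };
    return dma_mediator_request(caller, &req, fake_program);
}

int main(void)
{
    printf("ARoT 1 inside window : %d\n", try_request(ID_AROT1, 0x20000000u, 0x20000800u, 0x100u));
    printf("ARoT 2 not listed    : %d\n", try_request(ID_AROT2, 0x20000000u, 0x20000800u, 0x100u));
    printf("ARoT 1 past window   : %d\n", try_request(ID_AROT1, 0x20000F00u, 0x20000000u, 0x200u));
    printf("controller programmed: %u time(s)\n", programmed_count);
    return 0;
}
```

On a real SAML11 the hook would write the DMA descriptors, and the check only holds if no module other than the mediator can reach the controller's registers.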

DMA MEDIATION

[Figure: block diagram, built up over several slides. Labels: NORMAL WORLD (NSPE, SW), SECURE WORLD (TEE Kernel, ARoT 1, ARoT 2, PRoT 1, DMA Mediator), PRIV, UNPRIV, CPU, DMA, MEMORY, PERIPH, MPU/SAU, M2M Binding.]

DMA Mediator table (WHITELIST: ID; MEMORY RANGE: BASE ADDR, SIZE): one entry with ID ARoT 1, BASE ADDR 0x20000000, SIZE 0x1000. The other four entries are Unused.

1. NS calls ARoT 1
2. ARoT 1 requests access to DMA mediator
3. TEE Kernel invokes DMA Mediator
4. DMA Mediator checks access permissions and memory range
5. DMA memory access granted to ARoT 1
A. ARoT 2 requests access to DMA mediator. ARoT 2 is not on the DMA Mediator whitelist, the request is rejected.

What Can Go Wrong
Attack Examples and “Live” Demo

WHEN WE WANT “PSA 3+” ISOLATION
BUT THE MCU HAS NO MPC
AND FIRMWARE HAS NO DMA MEDIATION

POTENTIAL EXPLOITS

Arbitrary Code Execution in Secure Privilege Mode
Demonstrates the capability to directly tamper with Kinibi-M and achieve arbitrary code execution in secure privileged mode, rendering all Kinibi-M memory protections ineffective.

Steal Proprietary Code from a Secure Module
Demonstrates the capability to read arbitrary CODE memory from other secure modules and entirely bypass Kinibi-M's system memory protections.

Steal Cryptographic Keys from Kinibi-M Secure Storage
Demonstrates the capability to read and write arbitrary DATA memory from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 1, Attack 2, Attack 3

What are the consequences
Steal Cryptographic Keys from Kinibi-M Secure Storage

ATTACK 3 STEALING KEYS

[Figure: block diagram with numbered steps 1 to 6, built up over several slides. Labels: NORMAL WORLD, SECURE WORLD, TZ, Malicious App, ARoT 1 (Front-End, Back-End), Kinibi-M, ARoT 2 (Crypto.), Secure Storage, CPU, DMA, DATA FLASH, PERIPH, MPU/SAU, Malicious, Victim, 0xdeadbeef. Some builds cite “Text: Pag. 20 - Kinibi-M API Documentation”.]

Live Demo
Video

Lessons Learned
Advice for HW & SW providers and System Designers

LESSONS

#1 For Hardware Providers
Hardware providers should implement protections at the system level that take into account both privilege levels and security states.
RECOMMENDED: NXP LPC5500 (MPC, PPC)
NOT RECOMMENDED: MICROCHIP SAML11 (MPC?)

#2 For Firmware Providers
Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.
RECOMMENDED: MULTIZONE
“To enforce system separation policies, MultiZone built-in support for protected DMA transfers traps all DMA requests and emulates the PMP logic in software” (Pag. 19 - MultiZone. MultiZone Security Reference Manual, RISC-V. Tech. rep. MultiZone, Nov 2021.)
NOT RECOMMENDED: KINIBI-M

#3 For Systems Users
Users (OEMs and software developers) should be cautious in choosing the system where they want to deploy their software.

217、Hardware providers should implement protections at the system-level that takes in account both privilege levels andsecurity states.Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.Users(OEMs and software developers)should be cautious in choosing the s

218、ystem where they want to deploy their software.WHY NOT AN EXTRA PSA LEVEL?LESSONSESRGv3BLACKHAT24For Hardware Providers#1 For Systems Users#3 For Firmware Providers#2 Hardware providers should implement protections at the system-level that takes in account both privilege levels andsecurity states.Fi

219、rmware providers should implement mechanisms that enforce isolation defined in the PSA standard.Users(OEMs and software developers)should be cautious in choosing the system where they want to deploy their software.SECURE WORLDNORMAL WORLDNSPESWCPUARoT1ARoTNPRoT1PRoTNKernelSummaryFinal Thoughts and B

220、H Sound BytesResponsible DisclosureESRGv3BLACKHAT24Responsible DisclosureMICROCHIPESRGv3BLACKHAT24Responsible DisclosureMICROCHIPTRUSTONICProblem of the SWESRGv3BLACKHAT24Responsible DisclosureMICROCHIPTRUSTONICProblem of the SWESRGv3BLACKHAT24It would be a Good Security Practice to Provide a MPCUSR

221、esponsible DisclosureMICROCHIPTRUSTONICProblem of the SWESRGv3BLACKHAT24It would be a Good Security Practice to Provide a MPCUSOEMsDMA Module is Responsibility of DevelopersResponsible DisclosureMICROCHIPTRUSTONICProblem of the SWESRGv3BLACKHAT24It would be a Good Security Practice to Provide a MPCU

222、SOEMsDMA Module is Responsibility of DevelopersIt would be a Good Security Practice to ProvideDMA MEDIATIONUSResponsible DisclosureMICROCHIPTRUSTONICProblem of the SWESRGv3BLACKHAT24It would be a Good Security Practice to Provide a MPCUSOEMsDMA Module is Responsibility of DevelopersIt would be a Goo

223、d Security Practice to ProvideDMA MEDIATIONUSATTESTATTIONWe signed all OEMs Secure ModulesResponsible DisclosureMICROCHIPTRUSTONICProblem of the SWESRGv3BLACKHAT24It would be a Good Security Practice to Provide a MPCUSOEMsDMA Module is Responsibility of DevelopersIt would be a Good Security Practice

224、 to ProvideDMA MEDIATIONUSATTESTATTIONWe signed all OEMs Secure ModulesUSATTESTATIONis ORTHOGONALto the problemResponsible DisclosureMICROCHIPTRUSTONICProblem of the SWATTESTATTIONWe signed all OEMs Secure ModulesEVALUATION SDKYou Just Proved in anUnsecure SDK VersionUSESRGv3BLACKHAT24It would be a

225、Good Security Practice to Provide a MPCUSIt would be a Good Security Practice to ProvideDMA MEDIATIONATTESTATIONis ORTHOGONALto the problemOEMsDMA Module is Responsibility of DevelopersUSResponsible DisclosureMICROCHIPTRUSTONICProblem of the SWATTESTATTIONWe signed all OEMs Secure ModulesEVALUATION

226、SDKYou Just Proved in anUnsecure SDK VersionUSESRGv3BLACKHAT24It would be a Good Security Practice to Provide a MPCUSIt would be a Good Security Practice to ProvideDMA MEDIATIONATTESTATIONis ORTHOGONALto the problemOEMsDMA Module is Responsibility of DevelopersUSYou Didnt Provide usCOMERCIAL SDK1.We

227、 shared our journey on fully assessing anMCU-based TEE(Kinibi-M)targeting a referenceTrustZone-M hardware platform(SAML11)2.We presented how it is possible to bypass CPU-level isolation primitives,and explain the design ofa TEE core mechanism(DMA Mediator)to offersuch protection;3.We perform a live

228、demo of one potential exploitthat retrieves a cryptographic key from otherSecurePartitionsbypassingallhardwareandsoftware TEE isolation boundaries.Black Hat SOUND BYTESTHANK YOU!id9492alunos.uminho.pt_CRodrigues_sandro.pintodei.uminho.ptsandro2pintoCristiano Rodrigues|Sandro Pinto,PhD(Centro ALGORITMI/LASI,Universidade do Minho)Q&ACristiano Rodrigues|Sandro Pinto,PhD(Centro ALGORITMI/LASI,Universidade do Minho)Cristiano RodriguesSandro Pinto
