TY - JOUR
T1 - Revisiting ARM Debugging Features
T2 - Nailgun and its Defense
AU - Ning, Zhenyu
AU - Wang, Chenxu
AU - Chen, Yinhua
AU - Zhang, Fengwei
AU - Cao, Jiannong
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2023/1/1
Y1 - 2023/1/1
N2 - Processors nowadays are consistently equipped with debugging features to facilitate program analysis. Specifically, the ARM debugging architecture involves a series of CoreSight components and debug registers to aid the system debugging, and a group of debug authentication signals are designed to restrict the usage of these components and registers. Meanwhile, the security of the debugging features is under-examined since it normally requires physical access to use these features in the traditional debugging model. However, ARM introduces a new debugging model that requires no physical access since ARMv7, which exacerbates our concern on the security of the debugging features. In this article, we perform a comprehensive security analysis of the ARM debugging features and summarize the security implications. To understand the impact of the implications, we also investigate a series of platforms with ARM-A architecture in different product domains (i.e., development boards, IoT devices, cloud servers, and mobile devices). We consider that the analysis and investigation expose a new attacking surface that universally exists in platforms with ARM-A architecture. To verify our concern, we further craft Nailgun attack, which obtains sensitive information (e.g., AES encryption key and fingerprint image) and achieves arbitrary payload execution in a high-privilege mode from a low-privilege mode via misusing the debugging features. This attack does not rely on software bugs, and our experiments show that almost all the platforms we investigated are vulnerable to the attack. Our analysis also indicates that ARM-R and ARM-M platforms may suffer from the same issue. To defend against the attack, we discuss potential mitigations from different perspectives in the ARM ecosystem. Finally, a practical defense mechanism based on ARM virtualization technology is presented, and the evaluation result shows that our defense can prevent Nailgun with a negligible performance penalty.
AB - Processors nowadays are consistently equipped with debugging features to facilitate program analysis. Specifically, the ARM debugging architecture involves a series of CoreSight components and debug registers to aid the system debugging, and a group of debug authentication signals are designed to restrict the usage of these components and registers. Meanwhile, the security of the debugging features is under-examined since it normally requires physical access to use these features in the traditional debugging model. However, ARM introduces a new debugging model that requires no physical access since ARMv7, which exacerbates our concern on the security of the debugging features. In this article, we perform a comprehensive security analysis of the ARM debugging features and summarize the security implications. To understand the impact of the implications, we also investigate a series of platforms with ARM-A architecture in different product domains (i.e., development boards, IoT devices, cloud servers, and mobile devices). We consider that the analysis and investigation expose a new attacking surface that universally exists in platforms with ARM-A architecture. To verify our concern, we further craft Nailgun attack, which obtains sensitive information (e.g., AES encryption key and fingerprint image) and achieves arbitrary payload execution in a high-privilege mode from a low-privilege mode via misusing the debugging features. This attack does not rely on software bugs, and our experiments show that almost all the platforms we investigated are vulnerable to the attack. Our analysis also indicates that ARM-R and ARM-M platforms may suffer from the same issue. To defend against the attack, we discuss potential mitigations from different perspectives in the ARM ecosystem. Finally, a practical defense mechanism based on ARM virtualization technology is presented, and the evaluation result shows that our defense can prevent Nailgun with a negligible performance penalty.
KW - ARM debugging architecture
KW - privilege escalation
KW - trusted execution environment
KW - virtualization
UR - https://www.scopus.com/pages/publications/85122577839
U2 - 10.1109/TDSC.2021.3139840
DO - 10.1109/TDSC.2021.3139840
M3 - 文章
AN - SCOPUS:85122577839
SN - 1545-5971
VL - 20
SP - 574
EP - 589
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 1
ER -