lecture: TrustZone is not enough
Hijacking debug components for embedded security
This talk deals with embedded systems security and ARM processors architecture. Most of us know that we can perform security with the ARM TrustZone framework. I will show that most ARM processors include debug components (aka CoreSight components) that can be used to create efficient security mechanisms.
Embedded security is still a hot topic. For several years, ARM have proposed its TrustZone framework. With some colleagues, we have studied how we could use debug components available in most ARM processors to create security mechanisms targeting a wide range of attacks (buffer overflows, ROPs…) with minimal performance overheads.
We use CoreSight debug components in with a technique called dynamic information flow tracking (aka DIFT) which allow us to monitor the execution of an application at runtime. Compared to existing works, we show that there’s no need to modify the main processor (existing binaries will be compatible!). Furthermore, we used a coprocessor implemented in reconfigurable logic (FPGA chip) to speedup the DIFT process.
This ARM/FPGA combo is up to 90% faster than related techniques in terms of instrumentation time. Furthermore, as the ARM CPU has not been modified (while existing works do modify it…), the final user doesn’t have to recompile all his/her programs to be compatible with our approach.
We will also show a few clues to indicate how we could target multi-threaded/multi-processor architectures as it is the case of most embedded systems by now.