understanding the security of arm debugging features
play

Understanding the Security of ARM Debugging Features Zhenyu Ning and - PowerPoint PPT Presentation

Feb 06, 2024 •399 likes •1.03k views

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles in

  1. Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1

  2. Outline ◮ Introduction ◮ Obstacles in Traditional Debugging Model ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 2

  3. Outline ◮ Introduction ◮ Obstacles for Traditional Debugging Model ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 3

  4. Introduction Modern processors are equipped with hardware-based debugging features to facilitate on-chip debugging process. - e.g. debug registers, debug exceptions and hardware-based trace. - It normally requires JTAG [1] connection to make use of these features. Understanding the Security of ARM Debugging Features, S&P 19 4

  5. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) What makes it secure? Understanding the Security of ARM Debugging Features, S&P 19 5

  6. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) What makes it secure? Understanding the Security of ARM Debugging Features, S&P 19 6

  7. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) What makes it secure? Understanding the Security of ARM Debugging Features, S&P 19 7

  8. Traditional Debugging Debug Authentication JTAG Interface Debug Target Debug Host (TARGET) (HOST) What makes it secure? Understanding the Security of ARM Debugging Features, S&P 19 8

  9. Introduction What makes it secure? ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication. Do these obstacles work? Understanding the Security of ARM Debugging Features, S&P 19 9

  10. Introduction What makes it secure? ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication. Do these obstacles work? Understanding the Security of ARM Debugging Features, S&P 19 10

  11. Outline ◮ Introduction ◮ Obstacles for Traditional Debugging Model ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 11

  12. Obstacles for Traditional Debugging Model It is due to two general assumptions: ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication. Does it really require physical access? Understanding the Security of ARM Debugging Features, S&P 19 12

  13. Inter-Processor Debugging We can use one processor on the chip to debug another one on the same chip, and we refer it as inter-processor debugging . ◮ Memory-mapped debugging registers. - Introduced since ARMv7. ◮ No JTAG, No physical access. Understanding the Security of ARM Debugging Features, S&P 19 13

  14. Obstacles for Traditional Debugging Model It is due to two general assumptions: ◮ Obstacle 1 : Physical access. ◮ Obstacle 2 : Debug authentication. Does debug authentication work as expected? Understanding the Security of ARM Debugging Features, S&P 19 14

  15. ARM Debug Authentication TARGET (Normal State) ... pc MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... TARGET is executing instructions pointed by pc Understanding the Security of ARM Debugging Features, S&P 19 15

  16. ARM Debug Authentication TARGET (Normal State) ... pc MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Non-invasive Debugging : Monitoring without control Understanding the Security of ARM Debugging Features, S&P 19 16

  17. ARM Debug Authentication TARGET (Debug State) ... MOV x3, #3 pc x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Invasive Debugging : Control and change status Understanding the Security of ARM Debugging Features, S&P 19 17

  18. ARM Debug Authentication TARGET (Normal State) ... Debug pc Disabled MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Debug Authentication Signal : Whether debugging is allowed Understanding the Security of ARM Debugging Features, S&P 19 18

  19. ARM Debug Authentication TARGET (Normal State) ... Debug pc Disabled MOV x3, #3 x4, #4 MOV MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Four signals for: Secure/Non-secure, Invasive/Non-invasive Understanding the Security of ARM Debugging Features, S&P 19 19

  20. ARM Ecosystem ARM SoC Vendor OEM User ◮ ARM licenses technology to the SoC Vendors. - e.g., ARM architectures and Cortex processors ◮ Defines the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 20

  21. ARM Ecosystem ARM SoC Vendor OEM User ◮ The SoC Vendors develop chips for the OEMs. - e.g., Qualcomm Snapdragon SoCs ◮ Implement the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 21

  22. ARM Ecosystem ARM SoC Vendor OEM User ◮ The OEMs produce devices for the users. - e.g., Samsung Galaxy Series and Huawei Mate Series ◮ Configure the debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 22

  23. ARM Ecosystem ARM SoC Vendor OEM User ◮ Finally, the User can enjoy the released devices. - Tablets, smartphones, and other devices ◮ Learn the status debug authentication signals. Understanding the Security of ARM Debugging Features, S&P 19 23

  24. Debug Authentication Signals ◮ What is the status of the signals in real-world device? ◮ How to manage the signals in real-world device? Understanding the Security of ARM Debugging Features, S&P 19 24

  25. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 25

  26. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 26

  27. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board ✔ ✔ ✔ ✔ Development Boards NXP i.MX53 QSB ✖ ✔ ✖ ✖ IoT Devices Raspberry PI 3 B+ ✔ ✔ ✔ ✔ 64-bit ARM miniNode ✔ ✔ ✔ ✔ Cloud Packet Type 2A Server ✔ ✔ ✔ ✔ Platforms Scaleway ARM C1 Server ✔ ✔ ✔ ✔ Google Nexus 6 ✖ ✔ ✖ ✖ Samsung Galaxy Note 2 ✔ ✔ ✖ ✖ Mobile Huawei Mate 7 ✔ ✔ ✔ ✔ Devices Motorola E4 Plus ✔ ✔ ✔ ✔ Xiaomi Redmi 6 ✔ ✔ ✔ ✔ Understanding the Security of ARM Debugging Features, S&P 19 27

  28. Debug Authentication Signals How to manage the signals in real-world device? ◮ For both development boards with manual, we cannot fully control the debug authentication signals. - Signals in i.MX53 QSB can be enabled by JTAG. - The DBGEN and NIDEN in ARM Juno board cannot be disabled. ◮ In some mobile phones, we find that the signals are controlled by One-Time Programmable (OTP) fuse. For all the other devices, nothing is publicly available. Understanding the Security of ARM Debugging Features, S&P 19 28

  29. Obstacles for Traditional Debugging Model To summarize, ◮ We don’t need physical access to debug a processor. ◮ The debug authentication also allows us to debug the processor. Understanding the Security of ARM Debugging Features, S&P 19 29

  30. Outline ◮ Introduction ◮ Obstacles for Traditional Debugging Model ◮ Nailgun Attack ◮ Mitigations ◮ Conclusion Understanding the Security of ARM Debugging Features, S&P 19 30

  31. Nailgun Attack Memory-mapped Interface Debug Target Debug Host (TARGET) (HOST) Understanding the Security of ARM Debugging Features, S&P 19 31

  32. Nailgun Attack Memory-mapped Interface Debug Target Debug Host (TARGET) (HOST) Understanding the Security of ARM Debugging Features, S&P 19 32

Recommend

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&P 19 1 Outline Introduction Obstacles for

679 views • 65 slides
Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good

Language-specific debugging Most languages include some features/support for debugging, good idea to know what they are Special variables with key information Special functions/libraries that can be used Special options that can be

422 views • 7 slides
Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15. Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1 Overview

451 views • 28 slides
CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and disassembling programs Today: General debugging for C with GDB 2 scanf and sscanf() Lab 2 uses sscanf ( s tring scan f ormat), which parses

430 views • 16 slides
Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15.

772 views • 28 slides
Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia

Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia

Identifying Features of Android Apps from Execution Traces Qi Xin, Farnaz Behrang, Mattia Fazzini, and Alessandro Orso Understanding a Program & its Features Debugging Refactoring Debloating Testing Documentation Functionality

637 views • 40 slides
Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 64 Image Features Image features are useful descriptions of local or global image properties designed to accomplish a certain task You may want to choose different features

1.09k views • 71 slides
Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Welcome to Advanced .NET Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production Challenges in debugging Production issues Production Environment Debugging Timeline Tools for .NET Debugging Review 3

622 views • 47 slides
Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image

Image Features Sanja Fidler CSC420: Intro to Image Understanding 1 / 1 Image Features Image features are useful descriptions of local or global image properties designed (or learned!) to accomplish a certain task You may want to choose di ff

941 views • 70 slides
Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix security model. See how general security principles are implemented in an actual

733 views • 59 slides
Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing

Visual Debugging Software What is Debugging Visualization Visualizing Program State Incremental interactive unfolding (DDD) Visual Memory Abstract representations (traversal-based) Debugging Focusing: memory

433 views • 5 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination.

Debugging Techniques for C Programs Debugging Basics Will focus on the gcc/gdb combination. Will also talk about the ddd gui for gdb (lots of value added to gdb). First, debugging in the abstract: Program state is a snapshot

475 views • 20 slides
AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text

AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text

AT ATI TEAS READING REVIEW PART 4 UNDERSTANDING TEXT FEATURES and REFERENCE SOURCES Text features are defined as the elements that stand out in a text because the passage uses a tool to emphasize them. Several purposes for text features include

391 views • 3 slides
ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene

ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene

ccTLD Security Understanding the Anxiety and Consequences Barry Raveendran Greene bgreene@isc.org Agenda ccTLD Security is not new Cybercriminal Toolkit Understanding why security people are irritated might help to provide

751 views • 46 slides
CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with

CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with

CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with CodeBlocks Part 2 : Porting, compiling and testing in Dijkstra Part 3 : Using and understanding header files Part 1: Writing and debugging code with

1.03k views • 74 slides
1 Crashes, interrupts, and backtrace Watchpoints GDB will automatically stop if the program

1 Crashes, interrupts, and backtrace Watchpoints GDB will automatically stop if the program

Debugging and debuggers Debugging in the development cycle You have probably already had the experience of making Edit a mistake in a program Speaking roughly, debugging is the process: After you know that your code is wrong

911 views • 3 slides
Coroutines Update Seva Tolstopyatov @qwwdfsad October 13, 2020 Coroutines debugging Coroutines

Coroutines Update Seva Tolstopyatov @qwwdfsad October 13, 2020 Coroutines debugging Coroutines

Kotlin 1.4 Online Event Coroutines Update Seva Tolstopyatov @qwwdfsad October 13, 2020 Coroutines debugging Coroutines debugging Coroutines debugging Coroutines debugging Coroutines debugging IDEA 2020.1 Coroutines debugging Debugging

737 views • 41 slides
Understanding Goods and Services Tax Agenda Design of GST Main features of GST Law

Understanding Goods and Services Tax Agenda Design of GST Main features of GST Law

Understanding Goods and Services Tax Agenda Design of GST Main features of GST Law Administration and IT Network Benefits of GST and Way Forward 1 The Effort and Work Done 18000 + 30 + Man Hours of 10 Years Sub-Groups &

708 views • 23 slides
Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0

Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0

Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0 Debugging or Sleeping? Debugging Debugging: examining (program state, design, code, output) to identify and remove errors from software.

464 views • 31 slides
Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director,

Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director,

Advanced Production Debugging About Me Co-founder Takipi, JVM Production Debugging. Director, AutoCAD Web & Mobile. Software Architect at IAI Aerospace. Coding for the past 16 years - C++, Delphi, .NET, Java. Focus on real-time,

460 views • 35 slides
Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy cornerstones Need to

582 views • 37 slides
Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group

Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group

Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group Grace Hopper 1947 2 Overview Debugging techniques Debugging a distributed system Preparation for the exam Debugging Write good code!

733 views • 45 slides

More recommend