Author: João Sousa, University of Minho


TrustZone is an Arm hardware technology widely adopted in billions of mobile devices [2] and, more recently, in industrial control systems [3] and servers [4] to protect the integrity and confidentiality of applications. Unfortunately, these systems have been frequent targets of attacks, including control-flow, rollback, and privilege escalation attacks, ranging from hijacking Android's Linux kernel [5] to compromising the TEE kernel itself [6,7,8]. A few years ago, the University of Minho conducted a comprehensive study of the vulnerabilities affecting TrustZone-assisted TEE systems for Arm Cortex-A processors (APUs) [1]. That study catalogued 207 TEE bug reports affecting these systems, disclosed between 2013 and 2018, particularly in implementations by well-known vendors such as Qualcomm, Trustonic, Huawei, Nvidia, and Linaro. Six years later, one might wonder: "TEE vulnerabilities, are you still there?"


Exploring TrustZone-M: Vulnerabilities and New Implementation Paradigms in MCUs

To fully understand the overall picture, it is vital to consider not only TZ-assisted technologies for high-performance devices like APUs but also those targeting lower-end devices. Arm has continued to push TrustZone TEE innovation forward, in particular by extending TrustZone to the (Armv8-M) Cortex-M family as TrustZone-M [9], which targets more resource-constrained devices such as microcontrollers (MCUs). While this advancement aims to address security challenges in IoT devices such as UAVs and smart locks, it raises an important question: are the vulnerabilities found in earlier TrustZone implementations still a concern for these newer, smaller MCUs?

For MCUs, TEE implementations follow either a dual-domain or a multi-domain approach. The dual-domain model relies on the traditional separation between the secure and normal worlds, whereas the multi-domain approach extends this concept with multiple non-secure domains in which normal or trusted applications can run. Notable dual-domain implementations include ATF-M [10], Kinibi-M [11], ProvenCore-M [12], and mTower [13]; the multi-domain approach, although less common, is exemplified by uTango [14] and MultiZone [15].

Despite the growing adoption of TEEs in embedded IoT devices, the security of Trusted OSes on MCUs remains unclear, especially given the vulnerabilities and hardware security limitations highlighted in recent studies [16,17,27]. At CROSSCON, we are committed to revisiting and expanding the earlier University of Minho analysis of TrustZone-assisted TEE systems, enlarging its scope to cover both Arm APU devices and MCUs with TrustZone-M. Building on the 2019 UMinho study, CROSSCON has compiled a comprehensive list of TEE-related vulnerabilities from Common Vulnerabilities and Exposures (CVE) reports on TrustZone-assisted systems, spanning up to the year 2023. We focus on vulnerabilities in trusted components: Trusted Applications (TAs), Trusted OSes (which provide the APIs and runtime support for managing TAs), and Trusted Firmware implementations. To date, we have analyzed nearly 180 additional vulnerabilities across various TEE implementations. Major vendors continue to appear with several TEE issues, including Qualcomm (QSEE [18]), AMD (PSP [19]), Samsung (mTower [13] and TEEGRIS [20]), Trustonic (Kinibi [11]), Google (Trusty [21]), Nvidia (TZVault [22], TLK [23]), and TrustedFirmware (OP-TEE [24] and TF-M [25]).

Our analysis categorizes vulnerabilities according to the same taxonomy presented by Cerdeira et al. [1]:

  1. Class: We classify vulnerabilities at two levels: architecture and implementation. The architectural class covers vulnerabilities stemming from design flaws, such as large interfaces between TEE components or data leakage via debugging channels. The implementation class covers bugs such as improper validation or flawed security mechanisms.
  2. Criticality Score: Vulnerabilities are rated as Critical, Severe, Medium, or Low based on their Common Vulnerability Scoring System (CVSS) scores.
  3. Common Weakness Enumeration (CWE): Each vulnerability is associated with a relevant CWE category to make the nature of the flaw easier to understand.


CROSSCON’s Approach to TEE Security: Addressing TrustZone Vulnerabilities through Virtualization

In conclusion, despite ongoing efforts to build a more secure system stack, these components still suffer from various flaws that may enable attackers to exploit vulnerabilities, escalate privileges, and compromise the integrity and confidentiality of sensitive information. Possible consequences include data leakage, arbitrary code execution, Denial of Service (DoS), and memory corruption. Concrete conclusions from this CVE analysis will be published soon. For those eager to explore, a draft of the analysis is available in our D3.1 deliverable. Stay tuned to our social media for updates.

To address these security challenges and mitigate many of these TEE vulnerabilities, CROSSCON proposes decomposing the monolithic design of TrustZone TEEs into multiple domains for both MCU and APU devices. This approach allows several trusted OSes to coexist securely, splitting trusted OS stacks into separate isolated environments, e.g., isolating system-functionality TAs from third-party TAs. It relies on virtualization technology, powered by CROSSCON's core component, the CROSSCON Hypervisor (based on the Bao Hypervisor [26]), which is already deployed on platforms such as the Raspberry Pi 4B, ZCU102, and QEMU and is openly and freely available on our GitHub page.


References

[1] D. Cerdeira, N. Santos, P. Fonseca and S. Pinto, "SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems," 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2020
[2] S. Pinto and N. Santos, "Demystifying Arm TrustZone: A comprehensive survey," ACM Computing Surveys (CSUR), 2019.
[3] A. Fitzek, F. Achleitner, J. Winter, and D. Hein, "The ANDIX research OS - ARM TrustZone meets industrial control systems security," in IEEE International Conference on Industrial Informatics, July 2015.
[4] Z. Hua, J. Gu, Y. Xia, H. Chen, B. Zang, and H. Guan, "vTZ: Virtualizing ARM TrustZone," in USENIX Security Symposium. USENIX Association, 2017.
[5] ——, "War of the Worlds - Hijacking the Linux Kernel from QSEE," 2016, accessed: Oct 9th 2024. [Online]. Available: https://bits-please.blogspot.com/2016/05/war-Of-worlds-hijacking-linux-kernel.html
[6] R. Stajnrod, R. Ben Yehuda, and N. J. Zaidenberg, "Attacking TrustZone on devices lacking memory protection," Journal of Computer Virology and Hacking Techniques, 2022.
[7] D. Komaromy, "Unbox Your Phone," 2018, accessed: Oct 9th 2024. [Online]. Available: https://medium.com/taszksec/unbox-your-phone-part-i-331bbf44c30c
[8] G. Beniamini, "TrustZone Kernel Privilege Escalation (CVE-2016-2431)," 2016, accessed: Oct 9th 2024. [Online]. Available: http://bits-please.blogspot.com/2016/06/trustzone-kernel-privilege-escalation.html
[9] Arm, "TrustZone for Cortex-M – Arm®," accessed: Sep. 30th 2024. [Online]. Available: https://www.arm.com/technologies/trustzone-for-cortex-m
[10] Arm, "Arm Trusted Firmware," accessed: Sep. 30th 2024. [Online]. Available: www.trustedfirmware.org/
[11] Trustonic, "Not just droning on! The rise of Kinibi-M," accessed: Sep. 30th 2024. [Online]. Available: https://www.trustonic.com/opinion/not-just-droning-rise-kinibi-m/
[12] Prove & Run, "ProvenCore-M," accessed: Sep. 30th 2024. [Online]. Available: https://provenrun.com/provencore-m/
[13] T. A. Drozdovskyi and O. S. Moliavko, "mTower: Trusted Execution Environment for MCU-based devices," Journal of Open Source Software, 2019.
[14] D. Oliveira, T. Gomes, and S. Pinto, "uTango: an open-source TEE for IoT devices," IEEE Access, 2022.
[15] S. Pinto and C. Garlati, "Multi zone security for Arm Cortex-M devices," Embedded World Conference, 2020.
[16] Q. Wang, B. Chang, S. Ji, Y. Tian, X. Zhang, B. Zhao, G. Pan et al., "SyzTrust: State-aware fuzzing on trusted OS designed for IoT devices," in 2024 IEEE Symposium on Security and Privacy (SP), 2024.
[17] F. Khalid and M. Ammar, "Vulnerability analysis of Qualcomm Secure Execution Environment (QSEE)," Computers & Security, 2022.
[18] Qualcomm, "Guard Your Data with the Qualcomm Snapdragon Mobile Platform," accessed: Sep. 30th 2024. [Online]. Available: https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/guard_your_data_with_the_qualcomm_snapdragon_mobile_platform2.pdf
[19] R. A. Balisane and A. Martin, "Trusted execution environment-based authentication gauge (TEEBAG)," in Proceedings of the 2016 New Security Paradigms Workshop, 2016.
[20] Samsung, "SAMSUNG TEEGRIS," accessed: Sep. 30th 2024. [Online]. Available: https://developer.samsung.com/teegris/overview.html
[21] Android, "Trusty TEE," accessed: Sep. 30th 2024. [Online]. Available: https://source.android.com/docs/security/features/trusty
[22] NVIDIA, "TZVault," accessed: Sep. 30th 2024. [Online]. Available: https://docs.nvidia.com/drive/archive/drive_os_5.1.15.0L/drive-os/index.html#page/DRIVE_OS_Linux_SDK_Development_Guide%2FSecurity%2Fsecurity_concepts.html%23wwpID0E0MP0HA
[23] NVIDIA, "Trusted Little Kernel (TLK)," accessed: Sep. 30th 2024. [Online]. Available: https://trustedfirmware-a.readthedocs.io/en/latest/components/spd/tlk-dispatcher.html
[24] TrustedFirmware.org, "OP-TEE documentation," accessed: Sep. 30th 2024. [Online]. Available: https://optee.readthedocs.io/en/latest/general/about.html
[25] TrustedFirmware.org, "TrustedFirmware-M (TF-M)," accessed: Sep. 30th 2024. [Online]. Available: https://www.trustedfirmware.org/projects/tf-m/
[26] J. Martins et al., "Bao: A lightweight static partitioning hypervisor for modern multi-core embedded systems," Workshop on Next Generation Real-Time Embedded Systems (NG-RES 2020), 2020.
[27] X. Tan, Z. Ma, S. Pinto, L. Guan, N. Zhang, J. Xu, Z. Lin, H. Hu, and Z. Zhao, "SoK: Where's the "up"?! A Comprehensive (bottom-up) Study on the Security of Arm Cortex-M Systems," in 18th USENIX WOOT Conference on Offensive Technologies (WOOT 24), 2024.