Arm acknowledges side-channel attack but denies Cortex-M is crocked

Black Hat Asia Arm issued a statement last Friday declaring that a successful side attack on its TrustZone-enabled Cortex-M based systems was "not a failure of the protection offered by the architecture."

"The Security Extensions for the Armv8-M architecture do not claim to protect against side-channel attacks due to control flow or memory access patterns. Indeed, such attacks are not specific to the Armv8-M architecture; they may apply to any code with secret-dependent control flow or memory access patterns," argued Arm.

Arm issued the statement after a presentation at the Black Hat Asia infosec conference last week – titled "Hand Me Your Secret, MCU! Microarchitectural Timing Attacks on Microcontrollers are Practical" – alleged that the chip design firm's microcontrollers are susceptible to side-channel attacks.

Building on the 2018 discovery of Spectre and Meltdown – the Intel CPU architecture vulnerabilities that opened a Pandora's box of microarchitecture transient state side-attacks – researchers from Portugal's Universidade do Minho (UdM) were successful at setting out to prove that MCUs were at risk of similar attacks.

Historically, microarchitectural attacks mainly affected servers, PCs and mobiles. Microcontrollers (MCUs) like Arm's Cortex-M were seen as an unlikely target because of the simplicity of the systems. However, a successful attack would have significant consequences because, as UdM researchers Sandro Pinto and Cristiano Rodrigues explained at Black Hat Asia last Friday, MCUs can be found in pretty much every IoT device.

The researchers are calling their discovery the first microarchitectural side-channel attack for MCUs. A side-channel attack is a technique which uses observation to recover or steal information about a system, thus bypassing CPU memory isolation protections.

"The best analogy here is: think about one road with a single lane. If two cars arrive at the same time, one needs to go in front of the other – thus, one will be delayed. If we control the car that goes in the front (this car is the spy), we can delay the other that comes behind (the victim), as much as we want," Pinto explained to The Reg.

The attack the researchers outlined leverages the timing differences exposed via bus interconnect arbitration logic. When two bus masters inside the MCU – for example the CPU and Direct Memory Access (DMA) block – issue a transaction to access a value in memory, the bus interconnect cannot handle both at the same time. It prioritizes one and delays the other.

The researchers used this logic to observe how much the victim application – in this case the trusted application that interfaces with the trusted keypad in a smart lock – was delayed, and thus infer the secret PIN.

The process was automated by using the peripherals to automate the spy logic in the background independently of the CPU.

Arm has vast market share for MCU CPUs and bus interconnect designs. The chippie has pitched its TrustZone-M technology, teamed with other measures, as delivering tamper-proof protection for the entire MCU – including for side attacks. At the very least, Arm aims to make such attacks "uneconomical."

But at Black Hat Asia, the researchers contested Arm's claims.

"We can basically break all security isolation guarantees in Arm MCUs, including the state-of-art ones with the TEE TrustZone-M technology," Pinto told The Register.

• Apple gets lawsuit over Meltdown and Spectre dismissed
• Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign
• Linux kernel logic allowed Spectre attack on 'major cloud provider'
• Arm to IoT devs: Go faster with our pre-made chip subsystems
• Millions of mobile phones come pre-infected with malware, say researchers

The researchers have disclosed the hack to Tf-m and STMicroelectronics, as well as Arm. They indicated that what has transpired since is a lot of finger pointing.

Rodrigues and Pinot said Tf-m acknowledged the hack, but said its root cause was a memory trace problem so an application was at fault. STMicroelectronics also pointed the finger at Arm and an application. Meanwhile, Arm told the team side-attacks are outside the threat model and its security is aligned to industry standards – a tactic Pinto said Intel also tried to use initially when news of Spectre and Meltdown hit.

"We kind of agree with Tf-m," said Pinto, who also pointed out it would be quite costly for Arm to implement necessary changes.

In its statement, Arm advised that the attack can be mitigated by ensuring that the program's control flow and memory accesses patterns do not depend on secret state.

"This is already a common feature in security critical code like cryptography libraries," said Arm.

"Arm works to improve security and enable the ecosystem to build more secure solutions. One example of this is the 'Data Independent Timing' feature that was introduced in the Armv8.1-M architecture. Although this feature does not mitigate the specific attack referred to in this article, it helps to protect against data dependent timing side-channel attacks," added the silicon slinger.

The boffins revealed that they may be able to twist Arm to change its approach – if they can demonstrate a similar variant of the attack in an application without a secret dependent memory path.

"That's our main motivation and challenge now," Pinto told The Register, smiling. ®