back

Microarchitectural Attacks on Trusted Execution Environments

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:55:02
Language
English
Abstract
Trusted Execution Environments (TEEs), like those based on ARM TrustZone or Intel SGX, intend to provide a secure way to run code beyond the typical reach of a computer’s operating system.
However, when trusted and untrusted code runs on shared hardware, it opens the door to the same microarchitectural attacks that have been exploited for years. This talk provides an overview of these attacks as they have been applied to TEEs, and it additionally demonstrates how to mount these attacks on common TrustZone implementations. Finally, we identify new techniques which allow us to peer within TrustZone TEEs with greater resolution than ever before.

The goals of this talk are twofold. First, it will build up an understanding of microarchitectural attacks, Trusted Execution Environments, and the existing research into the two. The talk assumes only basic knowledge of processor operation, and presents the information needed to understand the many variants of attacks against the cache and more. We will also cover key similarities and differences between ARM TrustZone and Intel SGX technologies and how these can be abused by microarchitectural attacks. This is a relatively new field of research, but it is growing quickly, and we hope to explain the significant contributions and accomplishments that have been achieved already.

The second goal of the talk is to demonstrate how to perform these attacks in practice. We will take the TrustZone-based TEE implementation on the Nexus 5X as an example and explain how to write software which performs these side-channel attacks. We then push beyond the existing research and develop new methods to perform attacks on ARM TrustZone with greater precision than seen before. Our setup is relatively easy to implement, and we aim for this demonstration to encourage and enable further research into the software running within these trusted environments.

By the end of the talk, the audience will recognize the risks presented by microarchitectural attacks and the ease with which issues can be exploited. We hope to leave the audience appreciating the tension between processor security and performance and understanding the difficulty of truly securing a Trusted Execution Environment from this powerful class of attack.

Talk ID
8950
Event:
34c3
Day
1
Room
Saal Borg
Start
10:15 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Keegan Ryan
Talk Slug & media link
34c3-8950-microarchitectural_attacks_on_trusted_execution_environments

Talk & Speaker speed statistics

Very rough underestimation:
171.5 wpm
958.5 spm
179.2 wpm
995.6 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
171.5 wpm
958.5 spm
cacheattackcodeattacksattackermemorysecureringvictimtrustedaccessexecutionsgxenclavetimeresolution1address0orderperformanceoperatingprocessbranchsetsystemkernelhardwaretrustzonekeegansharedlevelcoreinterruptsnoisequestionkeymicsortrunningpowerfulprivilegedenvironmentsaccessessecretsaesnon-securetemporalnumberthing
Keegan Ryan:
179.2 wpm
995.6 spm
cacheattackattackercodeattacksmemoryringsecurevictimaccesssgxenclaveresolutiontimeaddresstrustedexecution0operatingorderprocessbranchsetsystemkernelperformancehardwarecoresharedlevelnoiseprivilegedsecretssortpowerfulaccessestemporal1runningbitcallednon-securereadinterruptsprivilegeideatargetexceptionthingtrustzone