TrustZone is not enough

Hijacking debug components for embedded security

Video duration: 00:31:24
Language: English
Abstract
This talk deals with embedded systems security and ARM processor architecture. Most of us know that we can perform security with the ARM TrustZone framework. I will show that most ARM processors include debug components (aka CoreSight components) that can be used to create efficient security mechanisms.

Embedded security is still a hot topic. For several years, ARM has proposed its TrustZone framework. With some colleagues, we have studied how we could use debug components available in most ARM processors to create security mechanisms targeting a wide range of attacks (buffer overflows, ROP…) with minimal performance overheads.
We use CoreSight debug components with a technique called dynamic information flow tracking (aka DIFT), which allows us to monitor the execution of an application at runtime. Compared to existing works, we show that there’s no need to modify the main processor (existing binaries will be compatible!). Furthermore, we used a coprocessor implemented in reconfigurable logic (FPGA chip) to speed up the DIFT process.
This ARM/FPGA combo is up to 90% faster than related techniques in terms of instrumentation time. Furthermore, as the ARM CPU has not been modified (while existing works do modify it…), the final user doesn’t have to recompile all his/her programs to be compatible with our approach.
We will also show a few clues to indicate how we could target multi-threaded/multi-processor architectures, as is the case for most embedded systems by now.

Talk ID: 8831
Event: 34c3
Day: 4
Room: Saal Adams
Start: 1 p.m.
Duration: 00:30:00
Track: Security
Type of: lecture
Speaker: Pascal Cotret
Talk Slug & media link: 34c3-8831-trustzone_is_not_enough

Talk & Speaker speed statistics

Very rough underestimation:
Whole talk: 117.3 wpm, 646.5 spm
Pascal Cotret: 122.0 wpm, 670.8 spm
