Processors nowadays are equipped with debugging features to facilitate the program analysis. Meantime, the security of these features is under-examined since it normally requires physical access to use them in the traditional debugging model. However, ARM introduces a new debugging model that requires no physical access since ARMv7, which exacerbates our concern on the security of the debugging features. In this paper, we perform a comprehensive security analysis of the ARM debugging features and summarize the security implications. To understand the impact of the implications, we investigate a series of platforms with ARM-A architecture in different product domains and expose a new attacking surface that universally exists in ARM-A architecture. We further craft Nailgun attack, which achieves arbitrary payload execution in a high-privilege mode from a low-privilege mode via misusing the debugging features. Our experiments show that most platforms we investigated are vulnerable to the attack, and our analysis shows that ARM-R and ARM-M platforms may suffer from the same issue. The potential mitigations are discussed from different perspectives in the ARM ecosystem, and a practical defense mechanism based on ARM virtualization technology is presented. The evaluation result shows that our defense can prevent Nailgun with a negligible performance penalty.
|Number of pages||16|
|Journal||IEEE Transactions on Dependable and Secure Computing|
|Publication status||Published - Dec 2021|
- ARM Debugging Architecture
- trusted execution environment
- Privilege Escalation