Abstract
Processors nowadays are equipped with debugging features to facilitate program analysis. Meanwhile, the security of these features is under-examined, since using them normally requires physical access in the traditional debugging model. However, since ARMv7, ARM has introduced a new debugging model that requires no physical access, which exacerbates our concern about the security of the debugging features. In this paper, we perform a comprehensive security analysis of the ARM debugging features and summarize the security implications. To understand the impact of these implications, we investigate a series of platforms with the ARM-A architecture in different product domains and expose a new attack surface that universally exists in the ARM-A architecture. We further craft the Nailgun attack, which achieves arbitrary payload execution in a high-privilege mode from a low-privilege mode by misusing the debugging features. Our experiments show that most of the platforms we investigated are vulnerable to the attack, and our analysis shows that ARM-R and ARM-M platforms may suffer from the same issue. Potential mitigations are discussed from different perspectives in the ARM ecosystem, and a practical defense mechanism based on ARM virtualization technology is presented. The evaluation results show that our defense can prevent Nailgun with a negligible performance penalty.
Original language | English |
---|---|
Pages (from-to) | 1-16 |
Number of pages | 16 |
Journal | IEEE Transactions on Dependable and Secure Computing |
Volume | 20 |
Issue number | 1 |
Publication status | Published - Dec 2021 |
Keywords
- ARM Debugging Architecture
- trusted execution environment
- Privilege Escalation
- Virtualization