Revisiting ARM Debugging Features: Nailgun and Its Defense

Zhenyu Ning, Chenxu Wang, Yinhua Chen, Fengwei Zhang, Jiannong Cao

Research output: Journal article publication; Journal article; Academic research; peer-review

Abstract

Processors nowadays are equipped with debugging features to facilitate program analysis. Meanwhile, the security of these features is under-examined, since using them in the traditional debugging model normally requires physical access. However, since ARMv7, ARM has introduced a new debugging model that requires no physical access, which heightens our concern about the security of the debugging features. In this paper, we perform a comprehensive security analysis of the ARM debugging features and summarize the security implications. To understand the impact of the implications, we investigate a series of platforms with ARM-A architecture in different product domains and expose a new attack surface that universally exists in ARM-A architecture. We further craft the Nailgun attack, which achieves arbitrary payload execution in a high-privilege mode from a low-privilege mode by misusing the debugging features. Our experiments show that most platforms we investigated are vulnerable to the attack, and our analysis shows that ARM-R and ARM-M platforms may suffer from the same issue. Potential mitigations are discussed from different perspectives in the ARM ecosystem, and a practical defense mechanism based on ARM virtualization technology is presented. The evaluation result shows that our defense can prevent Nailgun with a negligible performance penalty.
Original language: English
Pages (from-to): 1-16
Number of pages: 16
Journal: IEEE Transactions on Dependable and Secure Computing
Publication status: Published - Dec 2021

Keywords

  • ARM Debugging Architecture
  • Trusted Execution Environment
  • Privilege Escalation
  • Virtualization
