Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense

Zheyuan Ma; Xi Tan; Lukasz Ziarek; Ning Zhang; Hongxin Hu; Ziming Zhao

doi:10.1109/DAC56929.2023.10247972

Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense

Zheyuan Ma
, Xi Tan
, Lukasz Ziarek
, Ning Zhang
, Hongxin Hu
, Ziming Zhao

Department of Computer Science & Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

9 Scopus citations

Abstract

ARM Cortex-M is one of the most popular microcontroller architectures designed for embedded and Internet of Things (IoT) applications. To facilitate efficient execution, it has some unique hardware optimization. In particular, Cortex-M TrustZone has a fast state switch mechanism that allows direct control-flow transfer from the secure state program to the non-secure state userspace program. In this paper, we demonstrate how this fast state switch mechanism can be exploited for arbitrary code execution with escalated privilege in the non-secure state by introducing a new exploitation technique, namely return-to-non-secure (ret2ns). We experimentally confirmed the feasibility of four variants of ret2ns attacks on two Cortex-M hardware systems. To defend against ret2ns attacks, we design two address sanitizing mechanisms that have negligible performance overhead.

Original language	English
Title of host publication	2023 60th ACM/IEEE Design Automation Conference, DAC 2023
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9798350323481
DOIs	https://doi.org/10.1109/DAC56929.2023.10247972
State	Published - 2023
Event	60th ACM/IEEE Design Automation Conference, DAC 2023 - San Francisco, United States Duration: Jul 9 2023 → Jul 13 2023

Publication series

Name	Proceedings - Design Automation Conference
Volume	2023-July
ISSN (Print)	0738-100X

Conference

Conference	60th ACM/IEEE Design Automation Conference, DAC 2023
Country/Territory	United States
City	San Francisco
Period	07/9/23 → 07/13/23

Access to Document

10.1109/DAC56929.2023.10247972

Cite this

Ma, Z., Tan, X., Ziarek, L., Zhang, N., Hu, H., & Zhao, Z. (2023). Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense. In 2023 60th ACM/IEEE Design Automation Conference, DAC 2023 (Proceedings - Design Automation Conference; Vol. 2023-July). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DAC56929.2023.10247972

@inproceedings{058d3cce373247a3a5dfa6be69c99620,

title = "Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense",

abstract = "ARM Cortex-M is one of the most popular microcontroller architectures designed for embedded and Internet of Things (IoT) applications. To facilitate efficient execution, it has some unique hardware optimization. In particular, Cortex-M TrustZone has a fast state switch mechanism that allows direct control-flow transfer from the secure state program to the non-secure state userspace program. In this paper, we demonstrate how this fast state switch mechanism can be exploited for arbitrary code execution with escalated privilege in the non-secure state by introducing a new exploitation technique, namely return-to-non-secure (ret2ns). We experimentally confirmed the feasibility of four variants of ret2ns attacks on two Cortex-M hardware systems. To defend against ret2ns attacks, we design two address sanitizing mechanisms that have negligible performance overhead.",

author = "Zheyuan Ma and Xi Tan and Lukasz Ziarek and Ning Zhang and Hongxin Hu and Ziming Zhao",

note = "Publisher Copyright: {\textcopyright} 2023 IEEE.; 60th ACM/IEEE Design Automation Conference, DAC 2023 ; Conference date: 09-07-2023 Through 13-07-2023",

year = "2023",

doi = "10.1109/DAC56929.2023.10247972",

language = "English",

series = "Proceedings - Design Automation Conference",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2023 60th ACM/IEEE Design Automation Conference, DAC 2023",

}

Ma, Z, Tan, X, Ziarek, L, Zhang, N, Hu, H & Zhao, Z 2023, Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense. in 2023 60th ACM/IEEE Design Automation Conference, DAC 2023. Proceedings - Design Automation Conference, vol. 2023-July, Institute of Electrical and Electronics Engineers Inc., 60th ACM/IEEE Design Automation Conference, DAC 2023, San Francisco, United States, 07/9/23. https://doi.org/10.1109/DAC56929.2023.10247972

Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense. / Ma, Zheyuan; Tan, Xi; Ziarek, Lukasz et al.
2023 60th ACM/IEEE Design Automation Conference, DAC 2023. Institute of Electrical and Electronics Engineers Inc., 2023. (Proceedings - Design Automation Conference; Vol. 2023-July).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone

T2 - 60th ACM/IEEE Design Automation Conference, DAC 2023

AU - Ma, Zheyuan

AU - Tan, Xi

AU - Ziarek, Lukasz

AU - Zhang, Ning

AU - Hu, Hongxin

AU - Zhao, Ziming

PY - 2023

Y1 - 2023

N2 - ARM Cortex-M is one of the most popular microcontroller architectures designed for embedded and Internet of Things (IoT) applications. To facilitate efficient execution, it has some unique hardware optimization. In particular, Cortex-M TrustZone has a fast state switch mechanism that allows direct control-flow transfer from the secure state program to the non-secure state userspace program. In this paper, we demonstrate how this fast state switch mechanism can be exploited for arbitrary code execution with escalated privilege in the non-secure state by introducing a new exploitation technique, namely return-to-non-secure (ret2ns). We experimentally confirmed the feasibility of four variants of ret2ns attacks on two Cortex-M hardware systems. To defend against ret2ns attacks, we design two address sanitizing mechanisms that have negligible performance overhead.

AB - ARM Cortex-M is one of the most popular microcontroller architectures designed for embedded and Internet of Things (IoT) applications. To facilitate efficient execution, it has some unique hardware optimization. In particular, Cortex-M TrustZone has a fast state switch mechanism that allows direct control-flow transfer from the secure state program to the non-secure state userspace program. In this paper, we demonstrate how this fast state switch mechanism can be exploited for arbitrary code execution with escalated privilege in the non-secure state by introducing a new exploitation technique, namely return-to-non-secure (ret2ns). We experimentally confirmed the feasibility of four variants of ret2ns attacks on two Cortex-M hardware systems. To defend against ret2ns attacks, we design two address sanitizing mechanisms that have negligible performance overhead.

UR - https://www.scopus.com/pages/publications/85173067713

U2 - 10.1109/DAC56929.2023.10247972

DO - 10.1109/DAC56929.2023.10247972

M3 - Conference contribution

AN - SCOPUS:85173067713

T3 - Proceedings - Design Automation Conference

BT - 2023 60th ACM/IEEE Design Automation Conference, DAC 2023

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 9 July 2023 through 13 July 2023

ER -

Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this