“BUSted” – Everything you need to know on Side-channel attacks to TrustZone-M separation

“BUSted” – Everything you need to know on Side-channel attacks to TrustZone-M separation
June 1, 2023 09:00 AM PST
Register Here: https://us02web.zoom.us/webinar/register/2616747721343/WN_GWiCmmLHT0KP98Xydw1B8Q

Join our wolfSSL webinar about BUSted presented by wolfSSL engineer Daniele Lacamera as well as either Dr. Sandro Pinto or Cristiano Rodrigues June 1st at 9AM Pacific.

At the Black Hat Asia conference in Singapore, Dr. Sandro Pinto and Cristiano Rodrigues presented their research that introduced a groundbreaking technique that exploits the shared pipeline on the newest Cortex-M CPUs to place a time based, side-channel attack from an application running in non-secure domain to security code running in secure mode. The researchers named this attack “BUSted”. This is sudden and difficult news hitting the new generations of ARMv8 microcontrollers. The attack was demonstrated live using a Cortex-M33 microcontroller as target.

Due to the nature of the attack, targeting specific micro-architectural design issues, this disclosure has already been compared to “Spectre” and “Meltdown”, well known attacks that have affected more sophisticated architectures in the recent past. All the embedded projects that were counting on hardware-assisted privilege separation through TrustZone-M should now take into account the possibility of leaking information from the trusted components running in the secure world.

According to the researchers, software based countermeasures and mitigations are possible to counter the effects of this micro-architectural design fault. The most important aspect to take into account when dealing with time-based attacks is to avoid as much as possible secret-dependent code in the implementation of security operations. In other words, the time required for a security procedure to run must not depend on the success of the operation or on any secret involved in the operation.

Tune in to this webinar to learn more about the attack from the researchers themselves as well as from cybersecurity experts how wolfSSL has been proactive and already studying the necessary workarounds for our users and customers.

As always we will have a Q&A Session following the webinar

wolfSSL support for STM32 hardware

We’ve expanded our STM32 support for wolfSSL to include the STM32H5 and G0. The STM32WL is also coming soon.

Using STM32 hardware and development boards are easy with our wolfSSL, wolfSSH and wolfMQTT (soon) Cube packs. These packs integrate with the STM32CubeIDE and STM32CubeMX tools for generating a project and code with support for our libraries.

The documentation for using the Cube packs is here:

https://github.com/wolfSSL/wolfssl/tree/master/IDE/STM32Cube

The new wolfSSL build options are:

  • H5: WOLFSSL_STM32H5
  • G0: WOLFSSL_STM32G0

wolfCrypt benchmarks for the H5 and G0 have been posted here:

https://github.com/wolfSSL/wolfssl/blob/master/IDE/STM32Cube/STM32_Benchmarks.md

We’ve also added wolfBoot support for the STM32G0. The wolfBoot STM32H5 support is coming soon. For details on wolfBoot G0 support see: https://github.com/wolfSSL/wolfBoot/pull/286

For any questions please email facts@wolfssl.com

STM32Cube Expansion Packs for more wolfSSL Products

The wolfSSL embedded TLS library has support for most of the STM32 microcontrollers and for their hardware-based cryptography (AES/HASH/PKA) and random number generator (TRNG). Here are the STM32 processors we currently support:

  • STM32F2
  • STM32F4
  • STM32F7
  • STM32F1
  • STM32L4
  • STM32L5
  • STM32WB
  • STM32H7
  • STM32G0
  • STM32U5
  • STM32H5

wolfSSL offers STM32Cube Expansion Packages for the STM32 toolset, letting users pull wolfSSL and wolfSSH directly into STM32CubeMX and STM32CubeIDE projects.

We currently support STM32Cube Expansion packs for wolfSSL and wolfSSH (our lightweight SSHv2/SCP/SFTP library). Soon we will be adding packs for wolfMQTT (our MQTT client implementation) and wolfTPM (our TPM 2.0 library).

For information on our wolfSSL Cube pack see:
https://github.com/wolfSSL/wolfssl/blob/master/IDE/STM32Cube/README.md

For information on our wolfSSH Cube pack see:
https://github.com/wolfSSL/wolfssh/blob/master/ide/STM32CUBE/README.md

Are you looking to improve our STM32 support within wolfSSL products? Reach out to us at facts@wolfssl.com with any questions, comments or suggestions.

wolfSentry: A turnkey dynamic firewall for lwIP

wolfSentry, wolfSSL’s embedded firewall and IDPS, now supports out-of-the-box integration with lwIP!

After simple initialization calls at application startup, all network traffic is evaluated and subject to filtration by the wolfSentry engine.  Prefiltering by network layer, protocol, and event type, allows zero-overhead transparency for selected traffic.  For example, TCP connection requests, inbound and/or outbound, can be fully evaluated by the wolfSentry engine, while traffic within established TCP connections passes freely.

lwIP integration also facilitates stateful and ephemeral rules for safe use of connectionless protocols such as DNS over UDP.  These protections are configuration-driven, automatically managed by wolfSentry-with-lwIP, and are completely transparent to the application and other libraries.

Integration with lwIP is achieved with a simple patchset to the lwIP 2.1.3+ core, bundled with wolfSentry and documented in the lwip/ subdirectory.  lwIP integration also facilitates deep packet inspection by application-installed plugins, which receive pointers to the lwIP connection context and raw packet contents.

The wolfSentry configuration system has also grown with the addition of route table export to reingestable JSON.  A persistent baseline (“factory”) JSON configuration can be supplemented with a separate, mutable rule configuration, for convenient, efficient, and safe checkpointing of rules for reload at next system startup.

wolfSentry on FreeRTOS has further matured, with full support for native heap, timer, and threading facilities.  Portability improvements also prepare wolfSentry for use with QNX, GH integrity, VxWorks, and other embedded realtime OSs.  Portability is further assured with optional strict compliance with C89, now available with the WOLFSENTRY_C89 build option.

All of these new capabilities, and much more, are featured in wolfSentry 1.3. For more details, clone wolfSentry from https://github.com/wolfSSL/wolfsentry, review ChangeLog.md and README.md, and “make test”.

Please contact our team at facts@wolfssl.com to get the conversation started and wolfSentry!

Using wolfSSL on BlackBerry QNX

One of the earliest posts on our blog is this one: https://www.wolfssl.com/wolfssl-supports-the-rim-playbook/

In 2010 it was announced that wolfSSL supported (Research In Motion) RIM’s BlackBerry Playbook and mentions QNX support ever since the first source release of wolfSSL.  That has been close to 20 years of support.

In this post we’d like to mention that it is not just the wolfSSL library that supports QNX; all of our products do!

  • wolfSSL and wolfCrypt with FIPS, DO-178 DAL A or without are all fully supported
  • Running QNX on a board with a TPM on it? Then wolfTPM which supports the TPM 2.0 protocol is something you must use.
  • Need a light-weight SSH implementation on your QNX project? Then wolfSSH is your solution.
  • Want to guarantee the integrity of your QNX firmware image or do over the air updates? Then the wolfBoot bootloader is perfect for you.
  • Looking for an (Intrusion Detection and Prevention System) IDPS to secure your QNX-based deployment? Then wolfSentry is what you’re looking for.
  • Have a need for lightweight data transfer? Try curl or even tiny-curl for those low-resource platforms that QNX is known to run on.

Please reach out to us to learn more about how we can help you secure your QNX deployments! Send us a message at facts@wolfssl.com.

 

WolfBoot vs Das U-Boot

With the myriad of options available for a bootloader today many integrators try and fail to find the most secure and flexible bootloader with the smallest footprint. To help put an end to this search we will be going over wolfBoot’s many advantages compared to its competitors to make clear why wolfBoot is the best fit for your application.

Supported Signature Verification Algorithms

Signature verification in secure boot is the process of verifying and authenticating a boot image using a signature and public key provided by a signing authority. Out of the box Das U-Boot supports RSA image signature verification using SHA-1 or SHA-256 digests. U-Boot can be extended to include any algorithm you wish but that requires the additional effort of including or writing an external crypto library that will inflate code size and increase the time it takes to get a working product.

WolfBoot was built using wolfCrypt, our small embeddable crypto library that powers all of our products, and leverages it to support a wide range of signature verification options including ED25519, ECC and RSA. It does not support the outdated SHA-1 but instead supports the modern SHA-256, SHA-384 and SHA3 hashing algorithms and because its free software can also be extended as you wish.

Encrypted Boot Partition

Both wolfBoot and U-Boot support encrypted images but wolfBoot supports both AES and CHACHA encryption while U-Boot only supports AES.

Beauty and the Bloat

U-Boot has many unnecessary features for a secure bootloader, including a command line interface and a full TCP/IP networking stack. These features increase the amount of code, which increases the number of potential bugs, the size of the image and creates a larger attack surface to compromise your system.

WolfBoot was built by security experts and thus was designed to boot into the application image as fast and securely as possible. By constraining wolfBoot to the essentials we are able to keep code size down leading to less bugs in the first place and less attack vectors open to compromise your system. Keeping code size down leaves more room for such features in the application image where they belong.

Portability

Porting U-Boot to a new system is a complicated process as U-Boot takes responsibility for bringing up the system’s peripherals ahead of the OS being loaded. WolfBoot takes a hands off approach and leaves those tasks to the application image, making it system and OS agnostic. Getting wolfBoot running on a new target only requires adding a new Hardware Abstraction Layer (HAL) file for setting the clock up and reading and writing flash. HALs are straightforward to write with the right documentation and usually come in under 600 lines of code.

Interruptible Update Process

While both U-Boot and wolfBoot support image updates, only wolfBoot has an interruptible update process that allows it to complete an update even in the event of a power failure during the update. In this event of an unfortunately timed power failure this makes the difference between a working board and a paperweight.

Delta Updates

In addition to being interrupt safe, wolfBoot also has the additional feature of delta updates, which chunks and strips an updated image down to only the parts that differ from the last image. WolfBoot will then apply this new image to the old one as a patch, which leads to significantly smaller update images that save space in environments where flash memory is scarce.

FIPS Support

FIPS (Federal Information Processing Standards) is a cryptography standard that firms who deal with the United States government are often required to comply with in order to sell to them. WolfCrypt is FIPS compliant (when built with the correct options) and therefore wolfBoot is FIPS compliant without any additional work required, saving a lot of time on compliance. U-Boot on the other hand uses a standalone cryptography library that would need to be manually replaced with a fips compliant library, which is a costly and time consuming process.

DO-178 Certification

In addition to FIPS, wolfCrypt, and by extension wolfBoot, is DO-178 Certifiable. DO-178 is a strict aviation standard that the FAA (Federal Aviation Administration) and EASA (European Union Aviation Safety Agency) require for software components that run inside aircraft approved to fly in their airspace. WolfSSL itself is DO-178 DAL A certified on numerous operating environments and our expert DO-178 engineers are available for consulting to help get your operating environment certified. U-Boot’s standalone cryptography library would need to be brought through the certification process from scratch or an external library would need to be swapped out for a certifiable one.

If you need need a secure and flexible bootloader, with the smallest footprint, wolfSSL can help. Please contact our team at facts@wolfssl.com to get the conversation started!

BUSted: Side-channel attacks to TrustZone-M separation

Recent research from Universidade do Minho in Portugal was presented at the Black Hat Asia conference in Singapore. The work of Dr. Sandro Pinto and Cristiano Rodrigues brought to the surface a groundbreaking technique that exploits the shared pipeline on the newest Cortex-M CPUs to place a time based, side-channel attack from an application running in non-secure domain to security code running in secure mode. The researchers named this attack “BUSted”. This is sudden and difficult news hitting the new generations of ARMv8 microcontrollers. The attack was demonstrated live using a Cortex-M33 microcontroller as target.

Due to the nature of the attack, targeting specific microarchitectural design issues, this disclosure has already been compared to “Spectre” and “Meltdown”, well known attacks that have affected more sophisticated architectures in the recent past. All the embedded projects that were counting on hardware-assisted privilege separation through TrustZone-M should now take into account the possibility of leaking information from the trusted components running in the secure world.

According to the researchers, software based countermeasures and mitigations are possible to counter the effects of this microarchitectural design fault. The most important aspect to take into account when dealing with time-based attacks is to avoid as much as possible secret-dependent code in the implementation of security operations. In other words, the time required for a security procedure to run must not depend on the success of the operation or on any secret involved in the operation.

wolfCrypt cryptography functions are already secret-independent. Our implementation ensures that all the critical operations that involve secrets are run in constant-time, unless specifically disabled. When using wolfSSL software, you should expect these types of countermeasures to be activated by default. This specific attack however may be even more subtle, because it can target custom code built around hardened code, e.g. if wolfCrypt cryptography is accessed through a custom wrapper in non-secure-callable code. In this case even the smallest time difference between two branches of a single ‘if’ instruction may be sufficient to make assumptions on the results of the underlying secure operation or on any of the keys. As the authors of the research suggest, there might be additional specific mitigations needed.

Our secure bootloader, wolfBoot, is capable of configuring and managing the separation between the two execution domains on Cortex-M23, M33 and M35 targets. In future releases wolfBoot will also feature a secure domain monitor that handles cross-domain calls from the application, protecting cryptography code and keys from direct access from the non-secure world.

wolfBoot’s main responsibility is of course to secure the boot process by ensuring that no unauthorized application code can execute in the non-secure domain. Our recommendation is to always enforce public-key based authentication of all the software running on the system, to cut the origin of these attacks as much as possible, by preventing rogue code to be run on the system. By using wolfcrypt, all the necessary mitigations against side-channel attacks are already integrated and activated by default.

You can download wolfBoot today from our download page or from our github repository

Has your design been affected by “BUSted”? Is your embedded system currently relying on TEE to enforce privilege separation between software modules? Share your story with us and let us know. Ask us anything about time-based attacks, hardened code and side-channel prevention!  Drop us a line at facts@wolfssl.com.

AWS wolfMQTT client support for MQTT v5.0

Around the end of last year, Amazon announced MQTT v5.0 support for its AWS IoT Core MQTT Broker. Support for this protocol was added to the AWS wolfMQTT client example with a recent effort here at wolfSSL.

The wolfMQTT library is a client implementation of MQTT written in C for embedded use, with support for SSL/TLS via the wolfSSL library. wolfMQTT supports both the MQTT 3.1.1 specification as well as the MQTT v5.0 specification. And with the recent updates, the AWS client can now be used to test out AWS IoT Core’s new protocol support and its functionality. Note that we updated our AWS host instance to use an ATS endpoint, as they are the only ones that support MQTT v5.0 as of now.

For more information about wolfMQTT or its MQTT v5.0 support, please contact facts@wolfssl.com.

Reference
wolfMQTT GitHub Repository
wolfMQTT User Manual
AWS MQTT v5.0 Upgrade
AWS IoT Core ATS
MQTT v5.0 specification
HiveMQ: “MQTT 5: Upgrade now. Here’s why.”

wolfSSL at Xponential 2023

WolfSSL will attend Xponential at booth 3014 May 9th to May 11th in Denver, CO. At Xponential 2023, the focus is on new developments in unmanned vehicle systems.

WolfSSL offers highly optimized TLS and cryptography libraries that secure IoT devices and embedded systems against cyber attacks. At both tradeshows, the wolfSSL team will meet with attendees and discuss how their products can support their projects. They have the expertise and experience to help you achieve your security goals and enhance system performance.

By scheduling a meeting with the wolfSSL team attendees can gain valuable insights into the latest trends and technologies in cybersecurity. Don’t miss out on this opportunity to meet with wolfSSL and explore the latest advancements in unmanned vehicle security.

Email facts@wolfssl.com to schedule a meeting with the wolfSSL team.

wolfSSL Inc: Latest news on FIPS cert #3389

wolfSSL is extremely proud to announce that an additional 18 OEs (Operating Environments) have been added to cert #3389 with only a 62-day turnaround from the CMVP between submission and approval: Feb 23 2023 – April 26 2023.

INFO:

Cert Location: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3389
SunSet Date: 3/3/2024

Operating Environments validated (raw count): 73
Operating Environments validated (non-PAA specific): 50

The 18 OEs that were added to cert #3389 are as follows:

  1. Linux 3.10 (CentOS 7) Intel® Atom™ CPU D525 @ 1.80GHz with PAA Beckman Coulter PROService RAP BOX 4.3.2
  2. Linux 3.10 (CentOS 7) Intel® Atom™ CPU D525 @ 1.80GHz without PAA Beckman Coulter PROService RAP BOX 4.3.2
  3. Yocto (dunfell) 3.1 AMD GX-412TC SoC with PAA LinkGuard 4.3.2
  4. Yocto (dunfell) 3.1 AMD GX-412TC SoC without PAA LinkGuard 4.3.2
  5. Linux 5.4 Intel® Xeon® Gold 5218 CPU @ 2.30GHz LiveAction LiveNX Appliance 4.3.2
  6. Windows 10 Pro Intel® Core™ i7-1255U @ 1.70 Ghz Dell Precision 3570 4.3.2
  7. Debian GNU/Linux 8 (jessie) Intel® Atom™ C2558 @ 2.40GHz ufiSpace Cloud and Data Center Switch S7810-54QS 4.3.2a
  8. FreeBSD 10.3 on VMWare ESXi 7.0 Intel® Xeon® Silver 4210 @ 2.20GHz Supermicro X11DPH-i 4.3.2a
  9. Linux 5.15 on VMWare ESXi 7.0 Intel® Xeon® Silver 4210 @ 2.20GHz Supermicro X11DPH-i 4.3.2a
  10. Debian GNU/Linux 8 (jessie) Broadcom BCM5634 Corning 1LAN-SDDP24POE 4.3.2a
  11. Linux IPHO00550F22 4.1 Broadcom BCM6858 Corning 1LAN-SDAN-7691 4.3.2a
  12. Linux IPHO00559B23 3.4 Broadcom BCM6838 Corning 1LAN-SDAN-7290 4.3.2a
  13. macOS Monterey 12.5 Intel® Core™ i7-8569U @ 2.80Ghz with PAA Macbook Pro 4.3.2a
  14. Windows 11 Enterprise Intel® Core™ i7-10610U @ 1.80Ghz with PAA Dell Latitude 7410 4.3.2a
  15. macOS Monterey 12.5 Apple M1 Max with PAA Macbook Pro 4.5.4a
  16. VxWorks 7 SR0630 Intel® Core™ i7-5850EQ @ 2.70GHz F-16 WASP 4.3.2a
  17. macOS Monterey 12.5 Apple M1 with PAA Macbook Air 4.5.4b
  18. macOS Monterey 12.5 Apple M1 without PAA Macbook Air 4.5.4b

This brings the total count of OEs tested and validated by wolfSSL Inc (vendor) in collaboration with UL Verification Services Inc (NVLAP accredited FIPS lab) under cert #3389 to a whopping total of 77! 4 OEs that had originally been tested and validated prior to SP800-56A Rev3 requirements were dropped from cert #3389 during the retesting effort leaving a total of 73 tested and validated Operating Environments under FIPS certificate #3389.

For a full list of all 73 tested and validated Operating Environments please checkout FIPS cert #3389 using the link to the certificate at the top of this blog post. If you have any questions about adding an OE please contact wolfSSL at fips@wolfssl.com anytime.

NEWS and the future of FIPS at wolfSSL and cert 3389:

As we approach the SunSet date of cert #3389, which is coming in March of 2024, wolfSSL would like to take this opportunity to address a few topics that regularly come up regarding impact of current and future projects.

  • Once a certificate is moved to the historical list a banner is placed at the top of that cert that states: “Historical – The referenced cryptographic module should not be included by Federal Agencies in new procurements. Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used.
    • This means the certificate is unlikely to be acceptable for NEW contracts/projects, and can sometimes also impact ongoing software/firmware updates on previously closed contracts/projects. It is up to the purchase authority to weigh the RISK of using older FIPS certificates prior to making an acquisition for a project involving a FIPS requirement.
    • It is not unheard of that already fielded products may continue to ship software/firmware updates under a historical certificate.
      • To that end wolfSSL will continue to maintain, test and support cert #3389 FIPS modules long after cert #3389 is moved to the historical list on behalf of any customers still dependent upon it.
    • Those customers looking to close on NEW contracts/projects with a FIPS requirement will be happy to hear that wolfSSL Inc was one of the first 20 vendors in the world to be in process for FIPS 140-3 and estimates are that the wolfCrypt module is currently #16 in the CMVP queue for receiving a FIPS 140-3 certificate.
      • To-date only 3 vendors (Apple, AMD and VMware) have received 140-3 certificates none of which are commercial FIPS module offerings. wolfSSL anticipates being one of the first (if not THE first) commercial FIPS offering in the world for FIPS 140-3!
  • Cert #3389 can not be extended beyond March of 2024 unless the CMVP decides to change their extension policies regarding FIPS 140-2 given that FIPS 140-3 modules are taking SO long to be approved.
    • wolfSSL Inc feels the likelihood of such an extension policy change is small however the probability does exist and is worth mentioning
  • wolfSSL is seeing great demand from the industry for 140-3 as soon as it is available. wolfSSL Inc anticipates adding 25 (or more) OEs in the first year after receiving 140-3 certification for the wolfCrypt module. This means there may be a delay if one hesitates too long, please start planning FIPS projects today and get wolfSSL hardware ASAP to have an OE validated under the wolfSSL Inc 140-3 certificate once it is issued!

Are you interested in FIPS? Contact us at facts@wolfssl.com to find out how we can help you.

Posts navigation

1 2