BUSted: Side-channel attacks to TrustZone-M separation

Recent research from Universidade do Minho in Portugal was presented at the Black Hat Asia conference in Singapore. The work of Dr. Sandro Pinto and Cristiano Rodrigues brought to the surface a groundbreaking technique that exploits the shared pipeline on the newest Cortex-M CPUs to mount a timing side-channel attack from an application running in the non-secure domain against security code running in secure mode. The researchers named this attack “BUSted”. This is sudden and difficult news for the new generation of ARMv8 microcontrollers. The attack was demonstrated live using a Cortex-M33 microcontroller as the target.

Due to the nature of the attack, which targets specific microarchitectural design issues, this disclosure has already been compared to “Spectre” and “Meltdown”, well-known attacks that affected more sophisticated architectures in the recent past. All embedded projects that were counting on hardware-assisted privilege separation through TrustZone-M should now take into account the possibility of information leaking from the trusted components running in the secure world.

According to the researchers, software-based countermeasures and mitigations are possible to counter the effects of this microarchitectural design fault. The most important aspect to take into account when dealing with time-based attacks is to avoid, as much as possible, secret-dependent code paths in the implementation of security operations. In other words, the time required for a security procedure to run must not depend on the success of the operation or on any secret involved in the operation.

wolfCrypt cryptography functions are already secret-independent. Our implementation ensures that all critical operations that involve secrets run in constant time, unless specifically disabled. When using wolfSSL software, you should expect these countermeasures to be activated by default. This specific attack, however, may be even more subtle, because it can target custom code built around hardened code, e.g. if wolfCrypt cryptography is accessed through a custom wrapper in non-secure-callable code. In this case even the smallest time difference between the two branches of a single ‘if’ statement may be sufficient to draw inferences about the result of the underlying secure operation or about any of the keys. As the authors of the research suggest, additional specific mitigations may be needed.
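The two preceding paragraphs describe the property that matters: the wrapper sitting between the non-secure caller and the secure cryptography must not take a different path, or a different amount of time, depending on the outcome of the secure operation. The following is an added illustration written for this post, not code from wolfSSL, wolfBoot or the BUSted research. It contrasts a leaky early-exit tag comparison with a constant-time one, and shows a hypothetical non-secure-callable wrapper (`nsc_check_tag`, a constructed name) that chooses its return status with a mask instead of an `if` on the secret-dependent result. The tags and status codes are constructed sample values; on a real Cortex-M33 target the wrapper would live in the NSC region and carry the CMSE non-secure-entry attribute, which is omitted here so the code compiles on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 16-byte authentication tags used as sample input. */
static const uint8_t TAG_EXPECTED[16] = {
    0x3a,0x7f,0x10,0xc2,0x55,0x91,0x0e,0xbd,0x64,0x2c,0xf8,0x07,0xa9,0x5d,0x31,0xe6 };
static const uint8_t TAG_WRONG_LATE[16] = {   /* differs only in the last byte */
    0x3a,0x7f,0x10,0xc2,0x55,0x91,0x0e,0xbd,0x64,0x2c,0xf8,0x07,0xa9,0x5d,0x31,0x00 };

/* Leaky: exits at the first mismatching byte, so its running time grows with
 * the number of leading bytes that match. A timing observer on the other side
 * of the TrustZone boundary learns, byte by byte, how close a guess is. */
int tag_compare_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time: visits every byte, ORs the differences together and turns
 * the result into 0/1 with arithmetic only. No branch depends on the data. */
int tag_compare_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned int)(a[i] ^ b[i]);
    /* diff is 0..255: (diff - 1) >> 8 is non-zero only when diff == 0 */
    return (int)(1u & ((diff - 1u) >> 8));
}

/* Branch-free select: returns a when mask is all ones, b when mask is zero. */
static uint32_t ct_select_u32(uint32_t mask, uint32_t a, uint32_t b)
{
    return (a & mask) | (b & ~mask);
}

#define STATUS_OK   0x00000000u
#define STATUS_FAIL 0xFFFF0001u   /* constructed error code */

/* Hypothetical non-secure-callable wrapper around a secure tag check. Both
 * outcomes execute the same instructions; the status is chosen with a mask
 * derived from the comparison result rather than with an `if`. */
uint32_t nsc_check_tag(const uint8_t *tag, size_t n)
{
    uint8_t local[16];
    if (n != sizeof local)          /* the length is public; branching on it is fine */
        return STATUS_FAIL;
    memcpy(local, tag, n);
    uint32_t ok   = (uint32_t)tag_compare_ct(local, TAG_EXPECTED, n); /* 0 or 1 */
    uint32_t mask = 0u - ok;                                          /* 0 or 0xFFFFFFFF */
    memset(local, 0, sizeof local); /* always wipe, on both outcomes */
    return ct_select_u32(mask, STATUS_OK, STATUS_FAIL);
}

/* A leaky wrapper of the kind the post warns about, shown for contrast:
 * the early return on failure makes the two outcomes take different time. */
uint32_t nsc_check_tag_leaky(const uint8_t *tag, size_t n)
{
    if (n != 16)
        return STATUS_FAIL;
    if (!tag_compare_leaky(tag, TAG_EXPECTED, n))
        return STATUS_FAIL;
    return STATUS_OK;
}
```

Two details worth noting in practice: the `memset` of the local buffer can be removed by an optimizing compiler, so production code should use a wipe the compiler cannot elide (wolfCrypt's own zeroization helper, or a `volatile` write loop); and constant-time C is only as good as the generated machine code, so the wrapper's disassembly for the actual Cortex-M target should be checked for compiler-introduced branches.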

Our secure bootloader, wolfBoot, is capable of configuring and managing the separation between the two execution domains on Cortex-M23, M33 and M35 targets. In future releases wolfBoot will also feature a secure domain monitor that handles cross-domain calls from the application, protecting cryptography code and keys from direct access from the non-secure world.

wolfBoot’s main responsibility is of course to secure the boot process by ensuring that no unauthorized application code can execute in the non-secure domain. Our recommendation is to always enforce public-key based authentication of all the software running on the system, cutting off the origin of these attacks as much as possible by preventing rogue code from running on the system. By using wolfCrypt, all the necessary mitigations against side-channel attacks are already integrated and activated by default.

You can download wolfBoot today from our download page or from our GitHub repository.

Has your design been affected by “BUSted”? Is your embedded system currently relying on a TEE to enforce privilege separation between software modules? Share your story with us and let us know. Ask us anything about time-based attacks, hardened code and side-channel prevention! Drop us a line at facts@wolfssl.com.