# blackhat ASIA 2024

APRIL 18-19, 2024 BRIEFINGS

# What the TrustZone-M Doesn't See, the **MCU Does Grieve Over**

Lessons Learned from Assessing a Microcontroller TEE

Cristiano Rodrigues | Sandro Pinto, PhD

(Centro ALGORITMI / LASI, Universidade do Minho)

#BHASIA @BlackHatEvents

# What the TrustZone-M Doesn't See, the **MCU Does Grieve Over** Lessons Learned from Assessing a Microcontroller TEE

**Cristiano Rodrigues | Sandro Pinto, PhD** 

(Centro ALGORITMI / LASI, Universidade do Minho)







# AGENDA

## Introduction

01

02

03

()4

05

Background and Motivation

A Bumpy but Revealing Journey Weak Protections, TEE Assessment and our Responsible Disclosure Journey

What Can Go Wrong

Attack Examples and "Live" Demo

Lessons Learned

Advices for HW & SW providers and System Designers

Summary Final Thoughts and BH Sound Bytes

# Introduction

Background and Motivation



**SMART** AGRICULTURE



INTERNET OF THINGS

DEVICES

AI-ENABLED

•-] [\*•

•<u>•</u>



APPLIANCES

WEARABLES

VEHICLES

### HARDWARE WALLETS







MORE ~

SIGN IN

# Millions of Parent and Child

# IT | MOBILE TECH | REVIEWS | SECURITY PRIVACY er Takes FTC's Heat **-Things Security**

MORE ~

SIGN IN

SUBSC



SMART AGRICULTURE



INTERNET OF THINGS

MEDICAL DEVICES

AI-ENABLED

EDGE DEVICES

•**]**[•

•<u>•</u>



HOME APPLIANCES

 $\widehat{\mathbf{r}}$ 

WEARABLES

AUTONOMOUS VEHICLES



### HARDWARE WALLETS



# INTERNET OF THINGS



# INTERNET OF THINGS





Armv6/7-M Processor Modes





Armv6/7-M Processor Modes

THREAD

### ESRGv3

Armv6/7-M Processor Modes



ESRGv3

Armv6/7-M Processor Modes

Armv6/7-M Privileges Levels



ESRGv3

Armv6/7-M Privileges Levels

Armv6/7-M Processor Modes



ESRGv3

Armv6/7-M Privileges Levels

Armv6/7-M Processor Modes



ESRGv3

Armv6/7-M Privileges Levels

Armv6/7-M Processor Modes



ESRGv3



### ESRGv3

### Armv6/7-M Base Architecture



ESRGv3

### Armv6/7-M Base Architecture

### UnPriv. THREAD



### ESRGv3

### Armv6/7-M Base Architecture

### UnPriv. THREAD

### Priv. THREAD



ESRGv3



ESRGv3

Armv6/7-M Base Architecture

| UnPriv. THREAD |
|----------------|
| Priv. THREAD   |
| Priv. HANDLER  |

ESRGv3

Armv6/7-M Base Architecture





ESRGv3

### Armv6/7-M Base Architecture



ESRGv3

### Armv6/7-M Base Architecture



ESRGv3

### Armv6/7-M Base Architecture



ESRGv3

### Armv6/7-M Base Architecture



ESRGv3



ESRGv3

| Non-Secure State | Secure State   |
|------------------|----------------|
| UnPriv. THREAD   | UnPriv. THREAD |
| Priv. THREAD     | Priv. THREAD   |
| Priv. HANDLER    | Priv. HANDLER  |
|                  |                |

### ESRGv3



### ESRGv3



### ESRGv3



Memory

### ESRGv3

| Non-Secure State | Secure State   | Armv8-M CPU               |
|------------------|----------------|---------------------------|
|                  |                | Armv8-M Processor Co      |
| UnPriv. THREAD   | UnPriv. THREAD | Access Permissions Checks |
|                  |                |                           |
| Priv. THREAD     | Priv. THREAD   |                           |
| Priv. HANDLER    | Priv. HANDLER  |                           |
|                  |                |                           |
|                  |                |                           |

Memory

### ESRGv3

# Core y Access



Memory

### ESRGv3

# Access



Memory

### ESRGv3

# Access



ESRGv3



ESRGv3



ESRGv3



#### ESRGv3

#### ESRGv3

Armv8-M CPU





Armv8-M CPU

Armv8-M Processor Core

| SAU | MPU |
|-----|-----|
|     |     |
|     |     |

Armv8-M Memory Protection Controllers





Armv8-M CPU





Armv8-M CPU



#### ESRGv3



#### ESRGv3

















































#### ESRGv3



#### ESRGv3





ESRGv3



ESRGv3











#### ESRGv3



#### ESRGv3





#### ESRGv3

| ł | ۰. | 1 | ÷   | ¢  | ۰. | 1 | . ' | 2 | ÷ |   | ð | 2 | ¢  | 2 |   | 1 | ÷ | ۰. |        | ÷.                  |  |
|---|----|---|-----|----|----|---|-----|---|---|---|---|---|----|---|---|---|---|----|--------|---------------------|--|
|   | •  |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 2      | ×* -                |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | ۶      | <ul> <li></li></ul> |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 5      |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | Þ      |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 2      |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 5      |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | Þ      |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | Þ      |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | ×      | ٠.                  |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 5      | ٠.                  |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 5      | ۰.                  |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 2      | ۰.                  |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 5      | ۰.                  |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        | ÷.                  |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 2<br>2 |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    |        | ÷.                  |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 2      |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 2      |                     |  |
|   |    |   |     |    |    |   |     |   |   |   |   |   |    |   |   |   |   |    | 2      |                     |  |
|   | ۰. | * | e 7 | e. | ۰. | * |     | * | 4 | 1 |   | * | e. | • |   | * | 4 | 1  | 1      |                     |  |
|   | ۰. | ŝ | è   | ÷  |    | 2 | ċ   |   |   |   | Ċ | 2 | ŝ  | 2 |   | > |   | ٩. | 1      |                     |  |
|   |    | • |     |    |    | • |     | • |   |   |   | • |    | • | 1 | • |   | •  |        |                     |  |





#### ESRGv3

UNPRIV.

PRIV



# **Unprivileged Secure Software**

#### ESRGv3



PRIV.



#### **Unprivileged Secure Software**

**Privileged Secure Services** 

#### ESRGv3





### ESRGv3



### ESRGv3



### ESRGv3



### ESRGv3



### ESRGv3



### ESRGv3



### ESRGv3

PSA Level 1



## PSA Level 1

|     | SECURE WORLD |  |  |  |  |  |  |
|-----|--------------|--|--|--|--|--|--|
|     |              |  |  |  |  |  |  |
|     |              |  |  |  |  |  |  |
| SW  |              |  |  |  |  |  |  |
|     |              |  |  |  |  |  |  |
|     |              |  |  |  |  |  |  |
| -   |              |  |  |  |  |  |  |
| CΡι | J            |  |  |  |  |  |  |
|     | SW           |  |  |  |  |  |  |



## PSA Level 1



### ESRGv3

## PSA Level 1



### ESRGv3



PSA Level 2

### ESRGv3



### ESRGv3



### ESRGv3



### ESRGv3

## PSA Level 3



### ESRGv3



### ESRGv3

## PARADOXAL OBSERVATIONS



ESRGv3

# Armv8-M Only Defines Protection

Vendors Are Forced to Develop System Protection Controllers (PPCs,

PSA Level 2/3 Need CPU- and Systemlevel Memory Protection Controllers (the latter isn't defined by Armv8-M)

While System-Wide protections are a must, Armv8-M only defines CPU-level memory protections. We hypothesize that this dichotomy (together with a lack of understanding of the PSA isolation levels) may open security holes in modern TrustZone-M systems

## Hypothesis

## A Bumpy but Revealing Journey

Weak Protections, TEE Assessment and our Responsible Disclosure Journey



# **MICROCHIP**

# MICROCHIP **CTRUSTONIC**



# MICROCHIP **CTRUSTONIC**

## SAML11



# MICROCHIP **CTRUSTONIC**

## SAML11

Kinibi-M





| Security <b>Informed</b> .com<br>Making The World A Safer Place | Products           | Companies  | News       | insignts | Markets        | Events         |
|-----------------------------------------------------------------|--------------------|------------|------------|----------|----------------|----------------|
|                                                                 | Artificial Intelli | gence (Al) | Mobile Acc | ess Heal | thcare Securit | <b>y</b> Cyber |

## Mircochip First To Use Turstonic Revolutionary Kinibi-M Platform For Microcontrollers

# MICROCHIP C TRUSTONIC

## SAML11

Kinibi-M







LOGIN IO



LOGIN IO















### ESRGv3



## **Overview**

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

### ESRG<sub>v3</sub>





## **Overview**

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

### ESRG<sub>v3</sub>





## **Overview**

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

### ESRG<sub>v3</sub>



## **Overview**

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

### ESRGv3



## **Overview**

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

### ESRGv3

## **MICROCHIP SAML11**





## **Overview**

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

## ESRGv3

## **MICROCHIP SAML11**





## **Overview**

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

## ESRGv3

## **MICROCHIP SAML11**





## **Overview**

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

## ESRGv3



Pag. 17 - Microchip. SAM L10/L11 Family Data Sheet. Tech. rep. Microchip, June 2020.





Pag. 17 - Microchip. SAM L10/L11 Family Data Sheet. Tech. rep. Microchip, June 2020.





Pag. 17 - Microchip. SAM L10/L11 Family Data Sheet. Tech. rep. Microchip, June 2020.





Pag. 17 - Microchip. SAM L10/L11 Family Data Sheet. Tech. rep. Microchip, June 2020.





Pag. 17 - Microchip. SAM L10/L11 Family Data Sheet. Tech. rep. Microchip, June 2020.





Pag. 17 - Microchip. SAM L10/L11 Family Data Sheet. Tech. rep. Microchip, June 2020.



This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals: ٠
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing: •
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings ٠
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using **CRC** checks

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals: ٠
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing: •
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings ٠
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using **CRC** checks

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals: ٠
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing: •
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using **CRC** checks

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals: ٠
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access -Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing: •
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using **CRC** checks



This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals: ٠
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing: •
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using **CRC** checks



This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

## What about Privilege and Non-SAM L11-specific security features Privileged??

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals: ٠
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing: •
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using **CRC** checks





This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

## What about Privilege and Non-SAM L11-specific security features Privileged??

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of What about Memory Protection
  - Up to six regions for the
  - Up to two regions for the at the System-Level??
  - Up to two regions for the order
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing: •
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks



This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

## What about Privilege and Non-SAM L11-specific security features Privileged??

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of What about Memory Protection
  - Up to six regions for the
  - Up to two regions for the at the System-Level??
  - Up to two regions for the Order
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing: •
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specifi mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks





















# PSA Certification SAML11





SAML11

SAML11-KPH MICROCHIP

level one

SILICON



SILICON

SAML11-KPH



# level one





## PSA Certification







SILICON

SAML11-KPH



# level one





## PSA Certification

## SAML11 + Kinibi-M



### SILICON

## SAM L11-KPH with Kinibi-M v1.0





## SAML11 + Kinibi-M



### SILICON

## SAM L11-KPH with Kinibi-M v1.0





## SAML11 + Kinibi-M



### SILICON

## SAM L11-KPH with Kinibi-M v1.0





## SAML11 + Kinibi-M



## **PSA** Certification

## SAML11 + Kinibi-M



## **PSA** Certification

## SAML11 + Kinibi-M





#### ESRGv3



#### ESRGv3



#### ESRGv3





We report to Microchip that the lack of a MPC may create security issues, special in PSA level 2/3, Microchip didn't take any actions!

### Responsible Disclosure: Microchip

# **v** Trustonic Kinibi-M



Figure 1: Kinibi-M Architecture Overview.

Image: Pag. 3 - Kinibi-M Developer's Guide

### PSA Level 2



Figure 1: Kinibi-M Architecture Overview.

Image: Pag. 3 - Kinibi-M Developer's Guide

-

#### SECURE WORLD



Figure 1: Kinibi-M Architecture Overview.

#### PSA Level 2



Image: Pag. 3 - Kinibi-M Developer's Guide

-

#### SECURE WORLD



Figure 1: Kinibi-M Architecture Overview.

#### PSA Level 2



#### .

#### SECURE WORLD

#### Kernel



Figure 1: Kinibi-M Architecture Overview.

#### PSA Level 2



Image: Pag. 3 - Kinibi-M Developer's Guide

#### **BLACKHAT24**

### PRoTs

#### Kernel



Figure 1: Kinibi-M Architecture Overview.

#### PSA Level 2



### PSA Level 2



Secure-World l Non-secure Non-secure Callable World Memory Attestation Crypto module module module Secure gateway ARM TrustZone<sup>®</sup> enabled MCU

Figure 1: Kinibi-M Architecture Overview.

### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide

#### **BLACKHAT24**

### Kernel

#### PRoTs

#### **ARoTs**



which looks for the secure module that will handle this command. As every secure module runs in unprivileged mode, the Kinibi-M kernel switches to unprivileged and sends the command to the handler of the secure module. When the secure module has finished handling the command, a system call



Figure 1: Kinibi-M Architecture Overview.

### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide

#### **BI ACKHA**

#### Kernel



Figure 1: Kinibi-M Architecture Overview.

### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide

#### BLACKHA

#### Kernel

### PSA Level 2



Secure-World l Non-secure Non-secure Callable World Memory Attestation Crypto module module module Secure gateway ARM TrustZone<sup>®</sup> enabled MCU

Figure 1: Kinibi-M Architecture Overview.

### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide

#### **BLACKHAT24**

### Kernel

#### PRoTs

#### **ARoTs**



Figure 1: Kinibi-M Architecture Overview.

### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide



Figure 1: Kinibi-M Architecture Overview.

### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide







secure module can execute its code and has access to its stack, but it cannot read other secure modules' code or access any other part of the secure RAM. If the secure module needs to access a peripheral to

Text: Pag. 5 - Kinibi-M Developer's Guide CPU ARM TrustZone<sup>®</sup> enabled MCU

Figure 1: Kinibi-M Architecture Overview.

### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide

#### ΒΙ ΑСΚΗΑ







### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide

#### **BI ACKHA**





### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide

#### **BI ACKHA**





### Kinibi-M Refers to PRoT and ARoT as a Secure Module

Image: Pag. 3 - Kinibi-M Developer's Guide

### ΒΙ ΑCKHA



### **RIACKHA**







### Microkernel-like Architecture

Text: Pag. 4 - Kinibi-M Developer's Guide



### Microkernel-like Architecture

Text: Pag. 4 - Kinibi-M Developer's Guide





Text: Pag. 4 - Kinibi-M Developer's Guide





### Kinibi-M Architecture

ESRGv3



### Kinibi-M Architecture

Seems Probably More then PSA Level 3

ESRGv3



### Kinibi-M Architecture

Seems Probably More then PSA Level 3

ESRGv3



### **Kinibi-M Architecture**

Microchip SAML11

Seems Probably More then PSA Level 3

ESRGv3



### **Kinibi-M Architecture**

Seems Probably More then PSA Level 3

Microchip SAML11 Only PSA Level 1 & No MPC

ESRGv3



### **BLACKHAT24**

# & No MPC



# **TRUSTONIC KINIBI-M**



### **Kinibi-M Architecture**

Seems Probably More then PSA Level 3

Microchip SAML11 Only PSA Level 1 & No MPC

ESRGv3

# **TRUSTONIC KINIBI-M**





### **Kinibi-M Architecture**

Seems Probably More then PSA Level 3

Microchip SAML11 Only PSA Level 1 & No MPC

ESRGv3



### **Kinibi-M Architecture**

Seems Probably More then PSA Level 3

Microchip SAML11 Only PSA Level 1 & No MPC

ESRGv3



### **Kinibi-M Architecture**

Seems Probably More then PSA Level 3

Microchip SAML11 Only PSA Level 1 & No MPC

ESRGv3

With this gap of protection, a Secure Unprivileged application that has been granted a DMA can bypass all Kinibi-M security mechanism and achieve arbitrary read, write or execute capabilities

Observation

# Responsible Disclosure Trustonic A Journey



# We Contact Trustonic Reporting our Findings



🕨 Jan 🛛

Jan 3

🕨 Jan 3

Feb 9

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>



# Trustonic Security Team Acknowledged the Reception of Our Report



Jan 12<sup>th</sup>

Jan 30

Jan 31°

Feb 9<sup>t</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>



# Trustonic Security Team Provided 1<sup>st</sup> Feedback



Feb 16<sup>th</sup>



# We Respond to 1<sup>st</sup> Feedback



### Feb 16<sup>th</sup>



# Trustonic Security Team Provided 2<sup>nd</sup> Feedback



Feb 16<sup>th</sup>



# We Respond to 2<sup>nd</sup> Feedback



### Feb 16<sup>th</sup>



# Trustonic Security Team Provided 3rd and last Feedback





# We Sent a Last Response Wrapping up the Responsible Disclosure









# 2 **Topic:** Attestation Secure Modules



Feb 16<sup>th</sup>

2 **Topic:** Attestation Secure Modules

**3 Topic:** DMA Permissions



Feb 16<sup>th</sup>

## 2 **Topic:** Attestation Secure Modules

# **3 Topic:** DMA Permissions



Feb 16<sup>th</sup>



"We note that you are using the Kinibi-M evaluation SDK, not the full (commercial) production SDK. (...) Kinibi-M evaluation (...) is deliberately more flexible than a commercial (...) production SDK"





"We note that you are using the Kinibi-M evaluation SDK, not the full (commercial) production SDK. (...) Kinibi-M evaluation (...) is deliberately more flexible than a commercial (...) production SDK"

## DISCLAIMER

We were only granted access to the evaluation SDK, thus all assessments and conclusions presented on this talk are derived form documentation and artifacts from the Evaluation SDK.





"We note that you are using the Kinibi-M evaluation SDK, not the full (commercial) production SDK. (...) Kinibi-M evaluation (...) is deliberately more flexible than a commercial (...) production SDK"

## DISCLAIMER

We were only granted access to the evaluation SDK, thus all assessments and conclusions presented on this talk are derived form documentation and artifacts from the Evaluation SDK.

We still think commercial version may suffer from the same problem (the underlying architecture problem is the same, weak hardware protections on SAML11)





## 2 **Topic:** Attestation Secure Modules

# **3 Topic:** DMA Permissions



Feb 16<sup>th</sup>

# 2 **Topic:** Attestation Secure Modules

# **3 Topic:** DMA Permissions



Feb 16<sup>th</sup>





You cannot install malicious modules because, "all modules must be signed, and are validated at install time against a protected list of signing keys" (attestation).





You cannot install malicious modules because, "all modules must be signed, and are validated at install time against a protected list of signing keys" (attestation).

## DISCLAIMER

The Evaluation SDK doesn't support attestation of secure modules so we could freely instantiate secure modules, but in the Commercial SDK only OEMs can instantiate modules and they are all signed and validated.





You cannot install malicious modules because, "all modules must be signed, and are validated at install time against a protected list of signing keys" (attestation).

## DISCLAIMER

The Evaluation SDK doesn't support attestation of secure modules so we could freely instantiate secure modules, but in the Commercial SDK only OEMs can instantiate modules and they are all signed and validated.

Attesting OEMs' Secure Modules offers no guarantees that the Secure Module has no defects.









You cannot install malicious modules because, "all modules must be signed, and are validated at install time against a protected list of signing keys" (attestation).

## DISCLAIMER

The Evaluation SDK doesn't support attestation of secure modules so we could freely instantiate secure modules, but in the **Commercial SDK only OEMs can** instantiate modules and they are all signed and validated.

Attesting OEMs' Secure Modules offers no guarantees that the Secure Module has no defects.

Unless OEMs code is formally verified (which, as far as we know, is not the industry standard) we should (by probability) expect bugs and vulnerabilities.











We argue that there is a **naive trust in OEM developers**. Even if there is no malicious intent, unintended bugs may be introduced in the code which may lead to a vulnerability, e.g., privileged escalation.



# 2 **Topic:** Attestation Secure Modules

# **3 Topic:** DMA Permissions



Feb 16<sup>th</sup>

2 **Topic:** Attestation Secure Modules

**3 Topic:** DMA Permissions



Feb 16<sup>th</sup>

### **Topic:** DMA Permissions

It's true that a Secure Module with access to a DMA "can effectively access any part of the system", it is "a common limitation of low-cost hardware, however it is far from an open door"

3

2

1



### **Topic:** DMA Permissions

It's true that a Secure Module with access to a DMA "can effectively access any part of the system", it is "a common limitation of low-cost hardware, however it is far from an open door"

3

"Access to the DMA controller needs to be granted, and the best practice guidance in the production SDK (which we acknowledge you do not have) explains how to lock down access to devices from less trusted developers"





Jan 31<sup>st</sup>

Jan 30<sup>th</sup>



### **Topic:** DMA Permissions

It's true that a Secure Module with access to a DMA "can effectively access any part of the system", it is "a common limitation of low-cost hardware, however it is far from an open door"

"Access to the DMA controller needs to be granted, and the best practice guidance in the production SDK (which we acknowledge you do not have) explains how to lock down access to devices from less trusted developers"

Contradictory ideas, on one side, Trustonic admits that a Secure Module with DMA access has full access to the system, and, on the other side, Trustonic claims that it is not an open door.

DMA access should not need to be granted but MEDIATED (because lack of hardware mechanisms). Kinibi-B should mediate access from ALL Secure Modules via DMA interposer.

| Jan 12 <sup>th</sup> | Jan 30 <sup>th</sup> | Jan 31 <sup>st</sup> | Feb 9 <sup>th</sup> | Feb 14 <sup>th</sup> |
|----------------------|----------------------|----------------------|---------------------|----------------------|





## **Topic:** DMA Permissions

It's true that a Secure Module with access to a DMA "can effectively access any part of the system", it is "a common limitation of low-cost hardware, however it is far from an open door"

"Access to the DMA controller needs to be granted, and the best practice guidance in the production SDK (which we acknowledge you do not have) explains how to lock down access to devices from less trusted developers"

Contradictory ideas, on one side, Trustonic admits that a Secure Module with DMA access has full access to the system, and, on the other side, Trustonic claims that it is not an open door.

DMA access should not need to be granted but MEDIATED (because lack of hardware mechanisms). Kinibi-B should mediate access from ALL Secure Modules via DMA interposer.

We proposed to share the DMA interposer mechanism to fix the DMA issue.



















We argue that there is a lack of understanding of the limitations of the underlying hardware (where Kinibi-M runs) and the necessary Software mechanisms needed to enforce claimed protections.













## Feb 16<sup>th</sup>



**Topic:** Native FLASH Access Mediation but not Native DMA 3 mediation.

| Jan 12 <sup>th</sup> | Jan 30 <sup>th</sup> | Jan 31 <sup>st</sup> | Feb 9 <sup>th</sup> | Feb 14 <sup>th</sup> |
|----------------------|----------------------|----------------------|---------------------|----------------------|



**Topic:** Native FLASH Access Mediation but not Native DMA 3 mediation.

| Jan 10 <sup>th</sup> J | an 12 <sup>th</sup> Jan 30 <sup>th</sup> | Jan 31 <sup>st</sup> | Feb 9 <sup>th</sup> | Feb 14 <sup>th</sup> |
|------------------------|------------------------------------------|----------------------|---------------------|----------------------|



# **Topic:** No Native DMA Support



"Kinibi-M for SAML11 does not ship with a Secure World DMA module, and it is left up to customers to source one or do without."









Feb 14<sup>th</sup>



















We argue that there is a lack of understanding of multi-OEM threat model. In a multistakeholder scenario (i.e., multiple OEMs) OEMs don't trust each other.





**Topic:** Native FLASH Access Mediation but not Native DMA 3 mediation.



## **Topic:** No Native DMA Support

**Topic:** No System MMU & DMA permissions 2

**Topic:** Native FLASH Access Mediation but not Native DMA 3 mediation.

| Jan 10 <sup>th</sup> Jan 12 <sup>th</sup> | Jan 30 <sup>th</sup> | Feb 9 <sup>th</sup> | Feb 14 <sup>th</sup> |
|-------------------------------------------|----------------------|---------------------|----------------------|

"You have at most revealed that this device has no system MMU (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules"



"You have at most revealed that this device has no system MMU (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules"

System MMU is an access control IP used in platforms with virtual memory, In Cortex-M (MCU) platforms, there are no SMMU, but MPC (Memory Protection Controller) and PPC (Peripheral **Protection Controller**)





"You have at most revealed that this device has no system MMU (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules"

System MMU is an access control IP used in platforms with virtual memory, In Cortex-M (MCU) platforms, there are no SMMU, but MPC (Memory Protection Controller) and PPC (Peripheral **Protection Controller**)

The PPC/MPC in SAML11 cannot enforce access control in terms of privilege levels. If you directly assign a DMA device to an OEM you are basically granting them full control of the system







"You have at most revealed that this device has no system MMU (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules"

System MMU is an access control IP used in platforms with virtual memory, In Cortex-M (MCU) platforms, there are no SMMU, but MPC (Memory Protection Controller) and PPC (Peripheral **Protection Controller**)

The PPC/MPC in SAML11 cannot enforce access control in terms of privilege levels. If you directly assign a DMA device to an OEM you are basically granting them full control of the system

Kinibi-M should provide native DMA support once it is a critical piece of infrastructure for Microcontrollers, due to the power and resource-constrained nature of this devices.



















We argue there is a lack of understanding about the memory protection controllers of Microcontrollers (system wide protection mechanisms).



## **Topic:** No Native DMA Support

**Topic:** No System MMU & DMA permissions 2

**Topic:** Native FLASH Access Mediation but not Native DMA 3 mediation.

| Jan 10 <sup>th</sup> Jan 12 <sup>th</sup> | Jan 30 <sup>th</sup> | Feb 9 <sup>th</sup> | Feb 14 <sup>th</sup> |
|-------------------------------------------|----------------------|---------------------|----------------------|

# **1 Topic:** No Native DMA Support

2 **Topic:** No System MMU & DMA permissions

# **3 Topic:** Native FLASH Access Mediation but not Native DMA mediation.

| Jan 10 <sup>th</sup> Jan 12 <sup>th</sup> | Jan 30 <sup>th</sup> Jan 31 <sup>st</sup> | Feb 9 <sup>th</sup> | Feb 14 <sup>th</sup> |
|-------------------------------------------|-------------------------------------------|---------------------|----------------------|

Feb 16<sup>th</sup>

## **Topic:** Native FLASH Access Mediation but not Native DMA mediation. (3) 2

"Kinibi-M fully supports secure identification of module-to-module caller identity precisely to support this sort of use case. For example this is the pattern we use to mediated access to flash storage provided by our secure storage module."



## **Topic:** Native FLASH Access Mediation but not Native DMA mediation. 3



"Kinibi-M fully supports secure identification of module-to-module caller identity precisely to support this sort of use case. For example this is the pattern we use to mediated access to flash storage provided by our secure storage module."

## Kinibi-M provides mediation for flash storage, but why doesn't it offer similar mediation for DMA? DMA is also a critical service, arguably even more.





















# **Topic:** Clarification of Kinibi-M isolation levels



## Feb 16<sup>th</sup>



**Topic:** Clarification of who should provide DMA mediator 2







| Jan 12 <sup>th</sup> | Jan 30 <sup>th</sup> | Jan 31 <sup>st</sup> | Feb |
|----------------------|----------------------|----------------------|-----|









# **Topic:** Clarification of Kinibi-M isolation levels



"Kinibi-M pre-dates Arm PSA and was not built on the PSA architecture. (...) In some areas we do more that PSA (any level) in others we do less. That is why we do not claim PSA Level 3 and have not certified against it."

























| Jan 12 <sup>th</sup> | Jan 30 <sup>th</sup> | Jan 31 <sup>st</sup> | Feb 9 <sup>th</sup> | Feb 14 <sup>th</sup> |
|----------------------|----------------------|----------------------|---------------------|----------------------|
|                      |                      |                      |                     |                      |



### **↓ 2 ≯ Topic:** Clarification of who should provide DMA mediator 3 1)

"This device has only (at most) 64kb of flash and a 16kb of ram. There are very few use cases for secure world DMA. In practice most customers simply disable the use of DMA in the secure world, preventing any potential abuse."







### **Topic:** Clarification of who should provide DMA mediator 3 2 1



"This device has only (at most) 64kb of flash and a 16kb of ram. There are very few use cases for secure world DMA. In practice most customers simply disable the use of DMA in the secure world, preventing any potential abuse."



"If needed, DMA access should be provided and mediated by a "system" module. That is what we have said all along. However, that module needs to be provided by an OEM. It is not provided by Trustonic."











### **Topic:** Clarification of who should provide DMA mediator 3



"This device has only (at most) 64kb of flash and a 16kb of ram. There are very few use cases for secure world DMA. In practice most customers simply disable the use of DMA in the secure world, preventing any potential abuse."



"If needed, DMA access should be provided and mediated by a "system" module. That is what we have said all along. However, that module needs to be provided by an OEM. It is not provided by Trustonic."

We strongly believe that **not providing DMA mediation** is **not** a **good security practice**.











### **Topic:** Clarification of who should provide DMA mediator 3



"This device has only (at most) 64kb of flash and a 16kb of ram. There are very few use cases for secure world DMA. In practice most customers simply disable the use of DMA in the secure world, preventing any potential abuse."



"If needed, DMA access should be provided and mediated by a "system" module. That is what we have said all along. However, that module needs to be provided by an OEM. It is not provided by Trustonic."

We strongly believe that **not providing DMA mediation** is **not** a **good security practice**.

DMAs are key components in MCUs (but bus masters!!). Not providing DMA module is limiting the system's capabilities from one side and leaving an open threat vector on the other side.









Feb 16<sup>th</sup>



| Jan 12 <sup>th</sup> | Jan 30 <sup>th</sup> | Jan 31 <sup>st</sup> | Feb 9 <sup>th</sup> | Feb 14 <sup>th</sup> |
|----------------------|----------------------|----------------------|---------------------|----------------------|
|                      |                      |                      |                     |                      |







































### Feb 16<sup>th</sup>

















Feb 16<sup>th</sup>



Feb 16<sup>th</sup>

# DMA Mediation



## ESRGv3



## ESRGv3

## **DMA Mediator**



### ESRGv3

### MEMORY RANGE



### ESRGv3

### MEMORY RANGE



Unused

Unused

Unused

Unused





### ESRGv3

### MEMORY RANGE







ESRGv3

### MEMORY RANGE









## ESRGv3

### MEMORY RANGE





### 1 NS calls ARoT 1

- **2** ARoT 1 requests access to DMA mediator
- **3** TEE Kernel Invokes DMA Mediator

ESRGv3

### MEMORY RANGE





**1** NS calls ARoT 1

ESRGv3



**4** DMA Mediator Checks Access Permissions and Memory Range

- **2** ARoT 1 requests access to DMA mediator
- **3** TEE Kernel Invokes DMA Mediator

### MEMORY RANGE





### **1** NS calls ARoT 1

ESRGv3

**4** DMA Mediator Checks Access Permissions and Memory Range



- **5** DMA Memory Access Granted to ARoT 1
- **3** TEE Kernel Invokes DMA Mediator

### MEMORY RANGE





### 1 NS calls ARoT 1

- **2** ARoT 1 requests access to DMA mediator
- **3** TEE Kernel Invokes DMA Mediator

- 4 DMA Mediator Checks Access Permissions and Memory Range
- **5** DMA Memory Access Granted to ARoT 1
- A RoT 2 requests access to DMA mediator

ESRGv3

### **MEMORY RANGE**





1 NS calls ARoT 1

ESRGv3

- **2** ARoT 1 requests access to DMA mediator
- **3** TEE Kernel Invokes DMA Mediator

- 4 DMA Mediator Checks Access Permissions and Memory Range
- **5** DMA Memory Access Granted to ARoT 1
- ARoT 2 requests access to DMA mediator





# What Can Go Wrong



Attack Examples and "Live" Demo

# WHEN WE WANT "PSA 3+" ISOLATION



## **Kinibi-M Architecture** Seems Probably More then PSA Level 3

# BUT THE MCU HAS NO MPC



## NO MPC

# AND FIRMWARE HAS NO DMA MEDIATION



# AND FIRM NO DMA





|    |                                                                                                                                                                                                                                                    | A |
|----|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| 02 | <b>Steal Proprietary Code from a Secure Module</b><br><b>Demonstrates</b> the capability to <b>read arbitrary CODE memory</b> from other<br>secure modules and entirely bypass Kinibi-M's system memory protections.                               | A |
| 03 | <b>Steal Cryptographic Keys from Kinibi-M Secure Storage</b><br><b>Demonstrates</b> the capability to <b>read</b> and <b>write arbitrary DATA memory</b><br>from other secure modules and entirely bypass Kinibi-M's system memory<br>protections. | A |

#### ESRGv3

#### ttack 1

ttack 2

#### ttack 3

#### Arbitrary Code Execution in Secure Privilege Mode

**01 Demonstrates** the capability to directly tamper with Kinibi-M and achieve **arbitrary code execution** in **secure privileged mode**, rendering all Kinibi-M memory protections ineffective.

## Steal Proprietary Code from a Secure Module

Demonstrates the capability to read arbitrary CODE memory from other secure modules and entirely bypass Kinibi-M's system memory protections.

|  | A |
|--|---|

#### ESRGv3

#### Attack 1

#### ttack 2

#### ttack 3

#### Arbitrary Code Execution in Secure Privilege Mode

#### 01 **Demonstrates** the capability to directly tamper with Kinibi-M and achieve arbitrary code execution in secure privileged mode, rendering all Kinibi-M memory protections ineffective.



02 **Demonstrates** the capability to **read arbitrary CODE memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.



|  | A |
|--|---|
|  |   |

#### ESRG<sub>v3</sub>

#### Attack 1

#### Attack 2

#### Arbitrary Code Execution in Secure Privilege Mode

## **01 Demonstrates** the capability to directly tamper with Kinibi-M and achieve **arbitrary code execution** in **secure privileged mode**, rendering all Kinibi-M memory protections ineffective.

#### Steal Proprietary Code from a Secure Module

02 Demonstrates the capability to read arbitrary CODE memory from other secure modules and entirely bypass Kinibi-M's system memory protections.

#### 03 Steal Cryptographic Keys from Kinibi-M Secure Storage Demonstrates the capability to read and write arbitrary DATA memory from other secure modules and entirely bypass Kinibi-M's system memory protections.

#### ESRGv3

#### Attack 1

## Attack 2

#### Attack 3

|                                                                                                                                                                                                                      | At                                                                                                                                                                                                                                                                                                               |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>Steal Proprietary Code from a Secure Module</b><br><b>Demonstrates</b> the capability to <b>read arbitrary CODE memory</b> from other<br>secure modules and entirely bypass Kinibi-M's system memory protections. | At                                                                                                                                                                                                                                                                                                               |
|                                                                                                                                                                                                                      | Demonstrates the capability to directly tamper with Kinibi-M and achieve<br>arbitrary code execution in secure privileged mode, rendering all Kinibi-M<br>memory protections ineffective.<br>Steal Proprietary Code from a Secure Module<br>Demonstrates the capability to read arbitrary CODE memory from other |

|    | Steal Cryptographic Keys from Kinibi-M Secure Storage                                                                                                                        |  |
|----|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| 03 | <b>Demonstrates</b> the capability to <b>read</b> and <b>write arbitrary DATA memory</b> from other secure modules and entirely bypass Kinibi-M's system memory protections. |  |

#### ESRGv3

#### ttack 1

ttack 2

## Attack 3

Steal Cryptographic Keys from Kinibi-M Secure Storage





ESRGv3





ESRGv3



ESRGv3





ESRGv3





ESRGv3









ESRGv3



Note that each module has its own 'directory' within the secure storage system, and one module cannot read/write to another module's directory.







Note that each module has its own 'directory' within the secure storage system, and one module cannot read/write to another module's directory.







Note that each module has its own 'directory' within the secure storage system, and one module cannot read/write to another module's directory.





ESRGv3



ESRGv3









# Live Demo







# Lessons Learned

#### Advices for HW & SW providers and System Designers



#### ESRGv3





#### ESRGv3



## For Firmware Providers



ESRGv3



## For Firmware Providers

LESSONS







## For Hardware Providers

#1

Hardware providers should **implement protections** at the **system-level** that takes in account both **privilege levels** and **security states**.

## For Firmware Providers



ESRGv3



For Hardware Providers

## RECOMENDED

Hardware providers should implement protections at the system-level that takes in account both privilege levels and security states.

For Firmware Providers



ESRGv3



## or System's Users

For Hardware Providers

## RECOMENDED

# For System's Users

Hardware providers should implement protections at the system-level that takes in account both privilege levels and security states.

For Firmware Providers



ESRGv3



## NXP LPC5500



# For System's Users

## Firmware oviders

#### ESRGv3



#### LESSONS **NXP LPC5500 MICROCHIP SAML11**





#### ESRGv3



## For Hardware Providers

#1

Hardware providers should **implement protections** at the **system-level** that takes in account both **privilege levels** and **security states**.

## For Firmware Providers



ESRGv3



## For Hardware Providers

#1

Hardware providers should **implement protections** at the **system-level** that takes in account both **privilege levels** and **security states**. Firmware providers should implement mechanisms that **enforce isolation defined in the PSA standard.** 

## For Firmware Providers



ESRGv3



For Hardware Providers

## RECOMENDED

Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.

# hanismsFor System'solationUserse PSAUsersd.NOT RECOMENDED

Hardware providers should **implement protections** at the **system-level** that takes in account both **privilege levels** and **security states**.

For Firmware Providers



ESRGv3





## Ox5 HEX-Five Security

"To enforce system separation policies, MultiZone built-in support for protected DMA transfers traps all DMA requests and emulates the PMP logic in software"

Pag. 19 - MultiZone. MultiZone® Security Reference Manual, RISC-V. Tech. rep. MultiZone, Nov 2021.

ESRGv3

re providers should nent mechanisms enforce isolation ned in the PSA standard.

## For System's Users NOT RECOMENDED

r Firmware Providers







**MULTIZONE** 

"To enforce system separation policies, MultiZone built-in support for protected DMA transfers traps all DMA requests and emulates the PMP logic in software"

Pag. 19 - MultiZone. MultiZone® Security Reference Manual, RISC-V. Tech. rep. MultiZone, Nov 2021.



#### ESRGv3

## LESSONS

### For Hardware Providers

#1

Hardware providers should **implement protections** at the **system-level** that takes in account both **privilege levels** and **security states**. Firmware providers should implement mechanisms that **enforce isolation defined in the PSA standard.** 

### For Firmware Providers



ESRGv3



## LESSONS

### **For Hardware Providers**

#1

Hardware providers should implement protections at the system-level that takes in account both privilege levels and security states.

ESRGv3

Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.

### **For Firmware Providers**

#2

# #3

### For System's Users

#### **Users** (OEMs and software developers) should be cautious in choosing the system where they want to deploy their software.

### LESSONS

Firmware providers should implement mechanisms that enforce isolation defined in the PSA

# WHY NOT AN EXTRA PSA LEVEL?

Hardware providers should implement protections at the system-level that takes in account both privilege levels and security states.

For Firmware Providers Users (OEMs and software developers) should be cautious in choosing the system where they want to deploy their software.

ESRGv3



### or System's Users \_EVEL?



ESRGv3

### **BLACKHAT24**

ers) should be n choosing the here they want by their software.

As and software

### oT Jsers



#### Final Thoughts and BH Sound Bytes

#### ESRGv3













ESRGv3



It would be a Good Security Practice to Provide DMA MEDIATION



It would be a Good Security Practice to Provide DMA MEDIATION

TRUSTONIC

### ATTESTATTION

We signed all OEMs Secure Modules

DMA Module is Responsibility

of Developers

Problem of the SW

It would be a Good **Security Practice to** Provide a MPC

**MICROCHIP** 

ESRGv3

**OEMs** 

#### **ATTESTATION** is **ORTHOGONAL** to the problem

#### It would be a Good Security **Practice to Provide DMA MEDIATION**

TRUSTONIC

### **ATTESTATTION**

We signed all OEMs Secure Modules

DMA Module is Responsibility

of Developers

Problem of the SW

It would be a Good **Security Practice to** Provide a MPC

**MICROCHIP** 

ESRGv3

**EVALUATION SDK** 

You Just Proved in an **Unsecure SDK Version** 

**OEMs** 

#### **ATTESTATION** is **ORTHOGONAL** to the problem

#### It would be a Good Security **Practice to Provide DMA MEDIATION**

TRUSTONIC

### **ATTESTATTION**

We signed all OEMs Secure Modules

DMA Module is Responsibility

of Developers

Problem of the SW

It would be a Good **Security Practice to** Provide a MPC

**MICROCHIP** 

You Didn't Provide us COMERCIAL SDK

**OEMs** 

#### **EVALUATION SDK**

You Just Proved in an **Unsecure SDK Version** 

ESRGv3

#### **ATTESTATION** is **ORTHOGONAL** to the problem

#### It would be a Good Security **Practice to Provide DMA MEDIATION**

1. We shared our journey on fully assessing an MCU-based TEE (Kinibi-M) targeting a reference TrustZone-M hardware platform (SAML11)

2. We presented how it is possible to bypass CPUlevel isolation primitives, and explain the design of a TEE core mechanism (DMA Mediator) to offer such protection;

3. We perform a live demo of one potential exploit that retrieves a cryptographic key from other Secure Partitions bypassing all hardware and software TEE isolation boundaries.

# Black Hat SOUND BYTES

# THANK YOU!

Cristiano Rodrigues | Sandro Pinto, PhD (Centro ALGORITMI / LASI, Universidade do Minho)

id9492@alunos.uminho.pt



**@\_CRodrigues\_\_** 

#### sandro.pinto@dei.uminho.pt



@sandro2pinto





Cristiano Rodrigues | Sandro Pinto, PhD (Centro ALGORITMI / LASI, Universidade do Minho)



**Cristiano Rodrigues** 



Sandro Pinto