Overview
Processors nowadays are consistently equipped with debugging features to facilitate the program debugging and analysis. Specifically, the ARM debugging architecture involves a series of CoreSight components and debug registers to aid the system debugging, but the security of the debugging features is under-examined since it normally requires physical access to use these features in the traditional debugging model.
The idea of Nailgun Attack is to misuse the debugging architecture with the inter-processor debugging model. In the inter-processor debugging model, a processor (debug host) is able to pause and debug another processor (debug target) on the same chip even when the debug target owns a higher privilege. With Nailgun, we are able to obtain sensitive information (e.g., AES encryption key and fingerprint image) and achieve arbitrary payload execution in a high-privilege mode.
FAQ
(1) What are the prerequisites of Nailgun attack?
(a) Firstly, Nailgun attack requires that the debug authentication signals are enabled. In our paper, we design both non-invasive and invasive debugging attacks, and these attacks require the related debug authentication signals are enabled.
(b) Secondly, the related CoreSight components and debug registers should be available to perform Nailgun attack.
(c) Finally, the invasive debugging attack requires the system to contain more than one processor.
(2) What are the debugging authentication signals?
The ARM debugging architecture defines SPIDEN, SPNIDEN, DBGEN, and NIDEN signals to control the secure invasive debugging, secure non-invasive debugging, non-secure invasive debugging, and non-secure non-invasive debugging, respectively. Once a debugging authentication signal is enabled on a processor, the corresponding debugging is allowed on that processor. Note that ARM did not specify a standard for how to enable/disable the debugging authentication signals, and the management of these signals varies in different SoCs. The system register DBGAUTHSTATUS can be used to determine the current status of the debug authentication signals.
(3) How to access the CoreSight components and debug registers?
In most SoCs, the CoreSight components and debug registers are implemented as a group of memory-mapped registers, and the access to these registers can be achieved by mapping the physical addresses of the registers to the virtual memory space. Normally, the physical addresses of the related registers can be collected from the SoC specification and device tree files in the Linux kernel. In some SoCs, the addresses can also be calculated from the values in the Debug Rom table stored in MDRAR register.
(4) Is physical access required to perform Nailgun attack?
No. Nailgun attack leverages one processor in the system to debug another processor in the same system and promote its privilege. The attack process is achieved remotely, and no physical access is required.
(5) What is the root cause of Nailgun attack?
(a) An application in the low-privilege mode is able to learn information about the high-privilege execution via Performance Monitor Unit and Embedded Trace Macrocell.
(b) A low-privilege processor can make an arbitrary processor (even a high-privilege processor) enter the debug state via Embedded Cross Trigger.
(c) In the inter-processor debugging, the instruction execution and resource access in the debug target does not take the privilege of the debug host into account.
(d) The privilege escalation instructions enable a processor running in the debug state to gain a high privilege without any restriction.
Proof of Concept
We will make two PoCs available on Github:
(a) Reading the SCR_EL3 register with a kernel module running in non-secure EL1 on Raspberry PI 3.
(b) Extracting the fingerprint image stored in TEE with a kernel module running in non-secure EL1 on Huawei Mate 7.
Publication
Understanding the Security of ARM Debugging Features
Zhenyu Ning and Fengwei Zhang
To appear in the 40th IEEE Symposium on Security & Privacy (S&P'19), San Francisco, California, May, 2019.
Bibtex for citation:
@InProceedings{nailgun19, Title = {Understanding the security of ARM debugging features}, Author = {Zhenyu Ning and Fengwei Zhang}, Booktitle = {Proceedings of the 40th IEEE Symposium on Security and Privacy (S&P'19)}, Year = {2019} }
Attack Demo
Demo #1: Reading Secure Configuration Register with a non-secure kernel module
Demo #2: Extracting fingerprint image from TEE of Huawei Mate 7