Faults in Our Bus: Novel Bus Fault Attack to Break Trusted Execution Environments
Explore how novel bus fault attacks can compromise Trusted Execution Environments through register sweeping, enabling decryption of encrypted communications and signature bypass.
- Two main types of faults can target system buses:
  - Data bus faults causing incorrect data
  - Address bus faults leading to segmentation faults
- Traditional fault points were limited to processors and memories, but the system bus presents a new vulnerable attack surface in SoCs
- Fault characteristics vary by:
  - Granularity (single bit, multiple bits, bytes, words)
  - Duration (temporary vs persistent)
  - Type (stuck at zero/one, random bit flips)
- Successful attack chain demonstrated:
  - Loading malicious trusted application (TA) into TEE
  - Making TA identifier collide with legitimate TAs
  - Redirecting encrypted communication
  - Accessing encryption keys before surrender
- Novel “register sweeping” fault model discovered:
  - Can zero out entire 64-bit registers
  - 35% success rate in completely clearing register values
  - Enables bypassing signature verification
- Key security implications:
  - Breaks TEE security guarantees even with a compromised kernel
  - Enables decryption of communications meant for other TAs
  - Affects systems following the GlobalPlatform API spec
  - Impacts post-quantum crypto implementations like Kyber
- Attack requirements:
  - Must be non-invasive to avoid detection
  - Device must remain online throughout
  - Combines power side-channel analysis with fault injection
- Countermeasure recommendations:
  - Rethink API specifications considering combined SCA/fault attacks
  - Implement additional integrity checks for segmentation faults
  - Protect system bus as a new attack surface
- Demonstrated on a Raspberry Pi 3 using electromagnetic fault injection, with the system bus exposed on the PCB
- Impacts embedded/IoT systems meant to be secure without human supervision
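
The sketch below relates the register-sweeping model to the integrity-check recommendation. It is an added example, not code from the talk or from any TEE implementation: a check that encodes "verified" as zero sits beside a hardened form that rejects when any single value is zeroed. It assumes the check reports success with the GlobalPlatform code `TEE_SUCCESS` (zero) and models the fault as one intermediate value replaced by zero; `reg()`, `same()`, `OK_TAG`, `run()` and the 4-byte digests are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TEE_SUCCESS        0x00000000u  /* GlobalPlatform success code is zero */
#define TEE_ERROR_SECURITY 0xFFFF000Fu
#define OK_TAG 0x3CA5965A5AC3693CULL    /* constructed non-zero "verified" marker */

/* Constructed 4-byte stand-ins for the expected digest and a forged one. */
const uint8_t WANT[4]   = {0xde, 0xad, 0xbe, 0xef};
const uint8_t FORGED[4] = {0xde, 0xad, 0xbe, 0xee};

/* Constructed fault model: the sweep_at-th value passing through reg() is
 * replaced by zero, imitating one swept 64-bit register (-1 = no fault). */
static int sweep_at = -1, reg_calls = 0;
static uint64_t reg(uint64_t v) { return (reg_calls++ == sweep_at) ? 0 : v; }

/* OR of byte differences: zero only when the digests match. */
static uint64_t diff(const uint8_t *a, const uint8_t *b, size_t n) {
    uint64_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint64_t)(a[i] ^ b[i]);
    return d;
}
/* Count of matching bytes: equals n (non-zero) only when the digests match. */
static uint64_t same(const uint8_t *a, const uint8_t *b, size_t n) {
    uint64_t c = 0;
    for (size_t i = 0; i < n; i++) c += (a[i] == b[i]);
    return c;
}

/* Weak: "verified" is the all-zero value, so a swept status register passes. */
int accept_weak(const uint8_t *got, const uint8_t *want, size_t n) {
    uint64_t status = reg(diff(got, want, n) ? TEE_ERROR_SECURITY : TEE_SUCCESS);
    return status == TEE_SUCCESS;
}

/* Hardened: two comparisons with opposite encodings feed a non-zero marker,
 * so zeroing any single intermediate value ends in rejection. */
int accept_hardened(const uint8_t *got, const uint8_t *want, size_t n) {
    uint64_t d = reg(diff(got, want, n));   /* expects 0 */
    uint64_t c = reg(same(got, want, n));   /* expects n */
    uint64_t tag = reg((d == 0 && c == n && n != 0) ? OK_TAG : ~OK_TAG);
    return tag == OK_TAG;
}

/* Run one check against WANT with the fault at reg() call number `at`. */
int run(int hardened, int at, const uint8_t *got) {
    sweep_at = at; reg_calls = 0;
    return hardened ? accept_hardened(got, WANT, 4) : accept_weak(got, WANT, 4);
}
```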