Faults in Our Bus: Novel Bus Fault Attack to Break Trusted Execution Environments

-

Explore how novel bus fault attacks can compromise Trusted Execution Environments through register sweeping, enabling decryption of encrypted communications and signature bypass.

Key takeaways
  • Two main types of faults can target system buses:

    • Data bus faults causing incorrect data
    • Address bus faults leading to segmentation faults
  • Traditional fault points were limited to processors and memories, but system bus presents a new vulnerable attack surface in SOCs

  • Fault characteristics vary by:

    • Granularity (single bit, multiple bits, bytes, words)
    • Duration (temporary vs persistent)
    • Type (stuck at zero/one, random bit flips)
  • Successful attack chain demonstrated:

    • Loading malicious trusted application (TA) into TEE
    • Making TA identifier collide with legitimate TAs
    • Redirecting encrypted communication
    • Accessing encryption keys before surrender
  • Novel “register sweeping” fault model discovered:

    • Can zero out entire 64-bit registers
    • 35% success rate in completely clearing register values
    • Enables bypassing signature verification
  • Key security implications:

    • Breaks TEE security guarantees even with compromised kernel
    • Enables decryption of communications meant for other TAs
    • Affects systems following Global Platform API spec
    • Impacts post-quantum crypto implementations like Kyber
  • Attack requirements:

    • Must be non-invasive to avoid detection
    • Device must remain online throughout
    • Combines power side-channel analysis with fault injection
  • Countermeasure recommendations:

    • Rethink API specifications considering combined SCA/fault attacks
    • Implement additional integrity checks for segmentation faults
    • Protect system bus as a new attack surface
  • Demonstrated on Raspberry Pi 3 using electromagnetic fault injection with exposed system bus on PCB

  • Impacts embedded/IoT systems meant to be secure without human supervision