Thrust (iv) - Advanced Side-Channels to Evaluate Security and Privacy Features of Modern Processors

Secure boot ensures trusted execution environment (TEE) by execution of series of signed and authenticated binaries before handling the control to the user application. In some cases, user application can keep part of sensitive data in trusted memory zone. Recently, some advances have been made such as laser-based fault injection to bypass secure boot of a modern smartphone or exploiting dynamic voltage/frequency scaling for violating the trust links. Besides these, various speculative execution-based performance boosting techniques have resulted in myriads of security breaches, e.g., Meltdown, Spectre, Foreshadow. It was demonstrated that even the so-called secure enclaves from commercial processors cannot guarantee the security in the face of determined attackers. Currently, these breaches are fixed by either turning the speculative execution modes off, or careful rewriting of the kernel codes. Fundamentally, due to the semantic gap originating from the ‘artificial separation’ between the OS and the hardware, there are plenty of vulnerabilities that are lurking in state-of-the-art TEEs. We study these attack techniques and the forensics to determine when/how the attacks are happening.

• Investigate the possibility to violate remote attestation (e.g. signature forgery, denial-of-service, unauthorised patch);
• Investigate the vulnerabilities of address space partitioning (e.g. data boundaries, access pattern).