Researchers from NCC Group
Recall that ARM TrustZone lets a system run a hardware-isolated secure environment that is separated from the main (rich) operating system and executes on a separate virtual processor under its own specialised trusted OS. TrustZone's main purpose is to confine the handling of encryption keys, biometric authentication, payment data and other sensitive material to that isolated world. The main OS never touches it directly; requests cross into the secure world through a dispatch interface (on ARM, Secure Monitor Calls). Private keys live inside a hardware-isolated keystore which, when implemented correctly, keeps them from leaking even if the main OS is fully compromised.
The vulnerability lies in the implementation of the elliptic-curve arithmetic, which leaks information about the course of the computation (which code paths and table entries are touched) through a side channel. The researchers developed a side-channel attack technique that uses these existing indirect leaks to recover the contents of private keys located in a hardware-isolated
The root cause is that computations in TrustZone and in the main system share hardware components and caches: the isolation is a logical separation carried out on the same execution units, so traces of the secure-world computation, including information about branch targets, settle in the shared processor cache. Using the Prime+Probe technique, which measures changes in access time to cached data, an attacker in the normal world can track data flows and signs of code execution tied to digital-signature computation inside TrustZone with fairly high accuracy by checking for particular patterns in the cache. In Prime+Probe the attacker first fills (primes) the cache sets of interest with its own data, lets the victim run, then re-reads (probes) that data and times each access: a slow access means the victim evicted the line, which reveals which addresses the secure-world code touched.
Most of the time taken to generate an ECDSA signature on Qualcomm chips is spent in a loop of multiplication operations (the scalar multiplication) driven by a secret value that must be fresh for every signature (the nonce).
In Qualcomm's implementation two leak points were found in that multiplication routine: table lookups, and the conditional data-extraction code that selects based on the value of the last bit of the nonce. Although Qualcomm's code contains countermeasures against side-channel leaks, the attack method bypasses them and recovers a few bits of each nonce. Collected over many signatures, those partial nonces are enough to recover the 256-bit ECDSA private key: partial knowledge of the nonces reduces ECDSA key recovery to a lattice problem (the hidden number problem).
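The leak chain described in the two paragraphs above, as an added example written for this page (it is not NCC Group's attack code or Qualcomm's implementation): a textbook double-and-add scalar multiplication whose sequence of executed routines depends on the nonce bits, standing in for the branch and table-access patterns that Prime+Probe recovers from the shared cache; the attacker rebuilding the nonce from that sequence and then the private key from the nonce and a single signature; and a fixed-length Montgomery ladder whose operation sequence is the same for every nonce. It assumes secp256k1 (the page does not name the curve) and uses constructed key, nonce and message-hash values. Unlike the real attack, this model leaks the whole nonce rather than a few bits; with only partial bits per signature, key recovery needs a lattice (hidden-number-problem) attack over many signatures, which the example does not implement.

```python
# Added example for this page (not NCC Group's attack code or Qualcomm's
# implementation). It models the leak chain the article describes:
#   1. nonce-dependent control flow in ECDSA scalar multiplication, recorded as
#      an operation trace standing in for what Prime+Probe observes;
#   2. recovery of the nonce from that trace, then of the private key from the
#      nonce and one signature;
#   3. a fixed-length Montgomery ladder whose trace is the same for every nonce.
# Assumptions: curve secp256k1 (the page does not name the curve); the key,
# nonce and hash below are constructed values.

P = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # generator lies on y^2 = x^3 + 7

D_PRIV = 0x2DE26EC8_B2E4D9A7_ECD4F0E1_FE6BBC1F_1BFC0A8B_5D1D7A4C_3E2F9B8A_7C6D5E4F
K_NONCE = 0x7F3A9C5E_1D2B4A6F_8E0C1B3D_5F7A9C2E_4B6D8F0A_1C3E5B7D_9F2A4C6E_8B0D3F5A
H_MSG = 0x1A2B3C4D_5E6F7081_92A3B4C5_D6E7F809_12233445_56677889_9AABBCCD_DEEFF001


def inv(x, m):
    return pow(x, -1, m)


def point_add(A, B):
    """Affine group law on secp256k1; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P   # doubling (a = 0)
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult_leaky(k, Pt, trace):
    """Textbook double-and-add. The addition runs only for 1 bits, so the
    sequence of routines executed (visible to Prime+Probe as cache activity
    on the add routine's lines) spells out the bits of k."""
    R = None
    for i in range(k.bit_length() - 1, -1, -1):
        R = point_add(R, R)
        trace.append("D")
        if (k >> i) & 1:
            R = point_add(R, Pt)
            trace.append("A")
    return R


def nonce_from_trace(trace):
    """Attacker side: each 'D' opens a new bit; an 'A' after it sets it to 1."""
    bits = []
    for op in trace:
        if op == "D":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)


def scalar_mult_ladder(k, Pt, trace):
    """Montgomery ladder over a fixed 257-bit scalar: (k+N)G == (k+2N)G == kG,
    so the step count never depends on k and every step is one add plus one
    double. In C the swap is done with masks (x ^= (x ^ y) & -bit); the Python
    branch here only models which register feeds which operation."""
    kk = k + N
    if kk.bit_length() != 257:
        kk += N
    R0, R1 = Pt, point_add(Pt, Pt)       # top bit is 1 by construction
    for i in range(255, -1, -1):
        bit = (kk >> i) & 1
        if bit:
            R0, R1 = R1, R0
        R1 = point_add(R0, R1)
        R0 = point_add(R0, R0)
        if bit:
            R0, R1 = R1, R0
        trace.append("AD")
    return R0


def ecdsa_sign(d, h, k, mult):
    """r = (kG).x mod N, s = k^-1 (h + r d) mod N; returns the mult's trace."""
    trace = []
    r = mult(k, G, trace)[0] % N
    s = inv(k, N) * (h + r * d) % N
    return r, s, trace


def ecdsa_verify(Q, h, r, s):
    w = inv(s, N)
    X = point_add(scalar_mult_ladder(h * w % N, G, []),
                  scalar_mult_ladder(r * w % N, Q, []))
    return X is not None and X[0] % N == r


def key_from_nonce(h, r, s, k):
    """s = k^-1 (h + r d)  =>  d = (s k - h) / r  (mod N)."""
    return (s * k - h) * inv(r, N) % N


def run_demo():
    pub = scalar_mult_ladder(D_PRIV, G, [])
    r, s, trace = ecdsa_sign(D_PRIV, H_MSG, K_NONCE, scalar_mult_leaky)
    k_rec = nonce_from_trace(trace)              # cache trace -> nonce
    d_rec = key_from_nonce(H_MSG, r, s, k_rec)   # nonce + signature -> key
    r2, s2, trace2 = ecdsa_sign(D_PRIV, H_MSG, K_NONCE, scalar_mult_ladder)
    return {
        "signature_valid": ecdsa_verify(pub, H_MSG, r, s),
        "recovered_nonce": k_rec,
        "recovered_key": d_rec,
        "ladder_same_signature": (r2, s2) == (r, s),
        "ladder_trace_uniform": len(trace2) == 256 and set(trace2) == {"AD"},
    }


if __name__ == "__main__":
    out = run_demo()
    print("nonce recovered from trace:", out["recovered_nonce"] == K_NONCE)
    print("private key recovered:     ", out["recovered_key"] == D_PRIV)
    print("ladder trace uniform:      ", out["ladder_trace_uniform"])
```

Run it with `python3`; it reports whether the nonce and the key were recovered from the leaky routine's trace and whether the ladder's trace is nonce-independent. The point worth noticing is in `scalar_mult_leaky`: nothing about the arithmetic is wrong, the key leaks purely because which code runs, and therefore which cache lines are touched, depends on secret bits. The ladder removes the data-dependent branch and the data-dependent trip count; a real constant-time implementation must also make the register swap and any precomputed-table lookups mask-based so that the memory addresses touched do not depend on the secret either, which is exactly the table-lookup leak the article names and something Python cannot express.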
Source: opennet.ru