Vulnerability in Qualcomm chips allows extracting private keys from TrustZone storage

Researchers from NCC Group have disclosed details of a vulnerability (CVE-2018-11976) in Qualcomm chips that allows an attacker to recover the contents of private encryption keys held in the isolated Qualcomm QSEE (Qualcomm Secure Execution Environment) enclave, which is built on ARM TrustZone technology. The problem affects most Snapdragon SoCs, which are widely used in Android smartphones. Fixes are included in the April 2019 Android security update and in new firmware releases for Qualcomm chips. It took Qualcomm more than a year to prepare the patch: the vulnerability was originally reported to Qualcomm on March 19, 2018.

Recall that ARM TrustZone technology allows the creation of hardware-isolated secure environments that are separated from the main system: the secure world runs on the same physical cores but is presented as a separate virtual processor with its own specialized operating system. The main purpose of TrustZone is to isolate the code that handles encryption keys, biometric authentication, payment data and other sensitive information. Interaction with the main OS takes place indirectly, through a narrow dispatch interface (Secure Monitor Calls). Private keys are stored in a hardware-backed keystore which, if implemented correctly, prevents them from leaking even when the main system is compromised.

The vulnerability stems from a flaw in the implementation of the elliptic-curve arithmetic, which leaks information about the progress of the computation. The researchers developed a side-channel attack that uses these indirect leaks to recover private keys stored in the hardware-backed Android Keystore. The leaks are observed by analysing the activity of the branch predictor and changes in the time it takes to access data in memory (i.e. the state of the processor cache). In their experiment the researchers demonstrated recovery of 224-bit and 256-bit ECDSA keys from the hardware-backed keystore of a Nexus 5X smartphone. Recovering the 256-bit key required about 12,000 signatures and took more than 14 hours. The attack was carried out with the Cachegrab tool.

The root cause of the problem is that TrustZone and the main system share the same hardware, including the cache: isolation is enforced logically, but both worlds use the same execution units, and traces of the secure world's computations (including branch target addresses) remain in the shared processor cache and branch predictor. Using the Prime+Probe method, which detects whether another party has touched a cache set by measuring the change in access time to the attacker's own cached data, it is possible to track data flows and signs of code execution associated with computing digital signatures in TrustZone with fairly high accuracy, by checking for particular patterns in the cache.

Most of the time spent generating an ECDSA signature in Qualcomm's implementation goes into the scalar multiplication loop over the nonce, a secret random value that must be different for every signature. If the attacker can recover even a few bits of this nonce for each of many signatures, the whole private key can be recovered step by step (a lattice attack on the hidden number problem).

In Qualcomm's case, two places in the multiplication algorithm were found to leak such information: the table lookups, and the conditional data-extraction code whose path depends on the value of the last bit of the nonce. Although Qualcomm's code contains countermeasures against side-channel leaks, the attack technique bypasses them and recovers a few bits of the nonce, which is enough to recover 256-bit ECDSA keys.
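The step the two paragraphs above allude to, going from a few known nonce bits per signature to the full private key, is a lattice attack on the hidden number problem. The following is an added example, not NCC Group's or Qualcomm's code. Its assumptions, none of which come from the article: a toy 24-bit DSA group stands in for the P-256 curve (the ECDSA and DSA signature equations s = k^-1 (h + d r) mod q are the same, so the key-recovery step is identical and no curve arithmetic is needed); the side channel is modelled as revealing the LEAK_BITS lowest bits of every nonce (the article does not say which bits leaked); and the attacker knows the public key, so candidate keys can be verified. All names (toy_dsa_params, recover_key, lll, ...) are made up for this example, and the "message hashes" are constructed random values.

```python
"""Toy hidden-number-problem attack: recover a DSA/ECDSA-style private key from
signatures whose nonces have a few known low bits (added example, not NCC's code)."""
import random
from fractions import Fraction

LEAK_BITS = 6   # assumed: nonce bits revealed per signature by the side channel
NUM_SIGS = 10   # signatures collected; need NUM_SIGS * LEAK_BITS > log2(q) with margin


def is_prime(n):
    """Deterministic Miller-Rabin, valid for n < 3.3e24."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_dsa_params(q_bits=24):
    """Prime q >= 2^q_bits, prime p = c*q + 1 and a generator g of the order-q subgroup.
    Deliberately tiny (assumption) so the exact-rational LLL below stays fast."""
    q = 1 << q_bits
    while not is_prime(q):
        q += 1
    c = 2
    while not is_prime(c * q + 1):
        c += 1
    p = c * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def sign(p, q, g, d, h_msg, rng):
    """Textbook DSA signing. k is returned only so the simulated side channel
    can expose its low bits; a real signer never reveals it."""
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h_msg + d * r) % q
        if r and s:
            return r, s, k


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; fine for the dimension used here."""
    b = [list(row) for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return mu, [dot(v, v) for v in bstar]

    mu, norms = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size-reduce b[k] against earlier rows
            c = round(mu[k][j])
            if c:
                b[k] = [x - c * y for x, y in zip(b[k], b[j])]
                for i in range(j):
                    mu[k][i] -= c * mu[j][i]
                mu[k][j] -= c
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:   # Lovasz condition
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            mu, norms = gram_schmidt()
            k = max(k - 1, 1)
    return b


def recover_key(p, q, g, y, sigs, leaked):
    """sigs: list of (h, r, s); leaked: LEAK_BITS low bits of each nonce.
    With k = a + 2^L*b, the signature equation gives b = t*d + u (mod q) with
    t = 2^-L * s^-1 * r and u = 2^-L * (s^-1 * h - a), and 0 <= b < q/2^L: a
    hidden number problem, solved by finding a short vector in a lattice."""
    m, scale = len(sigs), 1 << LEAK_BITS
    inv_scale, bound = pow(scale, -1, q), q // scale
    ts, us = [], []
    for (h, r, s), a in zip(sigs, leaked):
        s_inv = pow(s, -1, q)
        ts.append(inv_scale * s_inv * r % q)
        us.append((inv_scale * (s_inv * h - a) - bound // 2) % q)   # centre b around 0
    basis = [[scale * q if j == i else 0 for j in range(m + 2)] for i in range(m)]
    basis.append([scale * t for t in ts] + [1, 0])
    basis.append([scale * u for u in us] + [0, q])
    # Target vector d*row_t + row_u (mod q rows) = (2^L*(b_i - bound/2) ..., d, q) is short.
    for row in lll(basis):
        if abs(row[-1]) == q:
            sign_ = 1 if row[-1] > 0 else -1
            cand = sign_ * row[m] % q
            if pow(g, cand, p) == y:
                return cand
    return None


def demo(seed=2019):
    """Generate a key, collect NUM_SIGS signatures plus simulated leaks, recover the key."""
    rng = random.Random(seed)
    p, q, g = toy_dsa_params()
    d = rng.randrange(1, q)
    y = pow(g, d, p)
    sigs, leaked = [], []
    for _ in range(NUM_SIGS):
        h = rng.randrange(1, q)                       # constructed "message hash"
        r, s, k = sign(p, q, g, d, h, rng)
        sigs.append((h, r, s))
        leaked.append(k & (scale - 1) if (scale := 1 << LEAK_BITS) else 0)  # side channel
    return d, recover_key(p, q, g, y, sigs, leaked)


if __name__ == "__main__":
    true_d, found = demo()
    print("private key:", true_d, "recovered:", found, "match:", true_d == found)
```

The condition that matters is NUM_SIGS * LEAK_BITS exceeding log2(q) by a few bits of margin; with a 256-bit key and only one or two bits recovered per nonce that is why thousands of signatures are needed, whereas a single fully known nonce would give d = (s*k - h) * r^-1 mod q directly. The scaling by 2^LEAK_BITS in the lattice keeps the unknown nonce parts, the key coordinate and the constant coordinate at comparable magnitudes, which is what makes the target vector stand out as short.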

Source: opennet.ru
