Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense
Description
The ARM Cortex-M microcontroller architecture is designed for embedded and Internet of Things (IoT) applications. To facilitate efficient execution, it has some unique hardware optimizations. For example, Cortex-M TrustZone has a fast state switch mechanism that allows direct control-flow transfer from the secure state program to the non-secure state userspace program. In this paper, we demonstrate how this fast state switch mechanism can be exploited for arbitrary code execution with escalated privilege in non-secure state by introducing a new exploitation technique, namely return-to-non-secure (ret2ns). We experimentally confirmed the feasibility of four variants of ret2ns attacks on two Cortex-M hardware systems.
Event Type
Research Manuscript
Time
Thursday, July 13th, 4:55pm - 5:10pm PDT
Location
3002, 3rd Floor
Hardware Security: Attack and Defense