Arm admits its Cortex M can be attacked by side channel but denies it has been cracked

Publisher: TranquilBreeze | Latest update time: 2023-05-16 | Source: The Register | Keywords: Cortex, Arm

Arm issued a statement on Friday saying that a successful side-channel attack on its TrustZone-based Cortex-M system "does not mean that the protection provided by the architecture has failed."


"Security extensions to the Armv8-M architecture are not meant to protect against side-channel attacks due to control flow or memory access patterns. In fact, such attacks are not specific to the Armv8-M architecture; they may apply to any code, depending on cryptographic control flow or memory access patterns," Arm said.


Arm's statement responded to a presentation at last week's Black Hat Asia infosec conference, titled "Give me your secrets, MCU! Microarchitectural timing attacks on microcontrollers are practical", which claimed that the chip design company's microcontrollers are vulnerable to side-channel attacks.


Building on the discovery of Spectre and Meltdown in 2018 (Intel CPU architectural vulnerabilities that opened a Pandora's box of microarchitectural transient side-channel attacks), researchers from the University of Minho (UdM) in Portugal set out to prove, successfully, that MCUs are exposed to similar attacks.


Historically, microarchitectural attacks have primarily affected servers, PCs, and mobile devices. Microcontrollers (MCUs) like Arm's Cortex-M are unlikely targets due to their simplicity. However, a successful attack would have significant consequences because, as UdM researchers Sandro Pinto and Cristiano Rodrigues explained at Black Hat Asia last Friday, MCUs can be found in almost every IoT device.


The researchers call their discovery the first microarchitectural side-channel attack on an MCU, a technique that uses observation to recover or steal system information to bypass CPU memory isolation protections.


The researchers outline that the attack exploits timing differences exposed through bus interconnect arbitration logic. When two bus masters within an MCU (e.g. the CPU and direct memory access (DMA)) issue transactions to access values in memory, the bus interconnect cannot handle both at the same time. It prioritizes one and delays the other.


The researchers used this logic to observe how much a compromised application—in this case, a trusted application that interfaced with the trusted keypad in a smart lock—was delayed in order to infer a password PIN.


This process is automated by using peripherals to automatically execute spy logic in the background, independent of the CPU.


Arm has a huge market share in MCU, CPU and bus interconnect designs. Its TrustZone-M technology combines with other measures to protect the entire MCU against tampering - including side-channel attacks. At the very least, Arm aims to make such attacks "uneconomical."


But at the Black Hat Asia conference, researchers disputed Arm's claims.


"We can basically break all the security isolation guarantees in Arm MCUs, including state-of-the-art technology with TEE TrustZone-M technology," Pinto told The Register.


The researchers have disclosed details of the hack to TF-M and STMicroelectronics, as well as Arm.


Rodrigues and Pinto said TF-M acknowledged the hack but said the root cause was a memory tracking issue and therefore the application was at fault. STMicroelectronics likewise pointed to Arm and an application. Arm, meanwhile, told the team that side-channel attacks were not within the threat model and that its security was in line with industry standards, a tactic that Pinto said Intel initially tried to use when news of Spectre and Meltdown broke.


“We kind of agree with TF-M,” Pinto said, noting that it would be costly for Arm to implement the necessary changes.


In its announcement, Arm suggested that attacks can be mitigated by ensuring that a program's control flow and memory access patterns do not rely on secret state.


“This is already a common feature in security-critical code such as cryptographic libraries,” Arm said.
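The coding practice Arm describes, sketched in C for a keypad PIN check like the one in the researchers' smart-lock scenario. This is an added example, not code from Arm, the researchers or the article's source; the PIN length, function names and sample data are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 4 /* assumed PIN length (hypothetical) */

/* Leaky: returns at the first mismatch, so run time and the number of
 * memory reads depend on how many leading digits are correct. */
int pin_check_leaky(const uint8_t *entered, const uint8_t *stored)
{
    for (size_t i = 0; i < PIN_LEN; i++)
        if (entered[i] != stored[i])
            return 0;
    return 1;
}

/* Secret-independent: always reads every byte of both buffers and never
 * branches on their contents; mismatches are accumulated with OR. */
int pin_check_ct(const uint8_t *entered, const uint8_t *stored)
{
    volatile uint8_t diff = 0; /* volatile discourages early-exit optimisation */
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(entered[i] ^ stored[i]);
    /* 0 -> 1, nonzero -> 0, computed arithmetically instead of with a branch */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Secret-independent table read: every entry is touched in the same order, so
 * the address sequence does not depend on secret_idx (table[secret_idx] would). */
uint8_t lookup_ct(const uint8_t *table, size_t n, size_t secret_idx)
{
    uint8_t out = 0;
    for (size_t i = 0; i < n; i++) {
        size_t x = i ^ secret_idx;
        /* mask is 0xFF when i == secret_idx and 0x00 otherwise */
        uint8_t mask = (uint8_t)(((x | ((size_t)0 - x)) >> (sizeof x * 8 - 1)) - 1);
        out |= (uint8_t)(table[i] & mask);
    }
    return out;
}

int main(void)
{
    const uint8_t pin[PIN_LEN] = {1, 9, 8, 4}, bad[PIN_LEN] = {1, 9, 0, 0};
    const uint8_t keymap[4] = {0x10, 0x20, 0x30, 0x40}; /* constructed data */
    printf("%d %d 0x%02x\n", pin_check_ct(pin, pin), pin_check_ct(bad, pin),
           (unsigned)lookup_ct(keymap, 4, 2));
    return 0;
}
```

Source-level discipline is only a starting point: an optimising compiler can reintroduce secret-dependent branches, so the generated assembly for the target core should be inspected.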


"Arm is committed to improving security and enabling the ecosystem to build more secure solutions. An example of this is the 'Data Independent Timing' feature introduced in the Armv8.1-M architecture. Although this feature does not mitigate the specific attacks, it helps prevent data-dependent timing side-channel attacks," Arm added.


The researchers said that if they could demonstrate a similar attack variant against an application whose memory paths do not depend on secrets, they might be able to change Arm's mind.


"This is our main motivation and challenge now," Pinto told The Register.
