Arm acknowledges that there is a vulnerability in the Armv8-M architecture that allows information to be extracted from the Secure Zone environment through a side-channel attack. However, the company says that’s not a specific vulnerability in Cortex-M, but a weakness in all CPUs.
Arm responds in a support document to a recent discovery made by security researchers. Sandro Pinto and Cristiano Rodrigues from the Universidade do Minho in Portugal presented an investigation into information leakage from Arm chips last week at the Black Hat Asia security conference. The two researchers found a side-channel vulnerability in Arm microcontroller units, or MCUs. They showed how it was possible to leak information from a CPU with an attack on the Cortex-M architecture. This was even possible with information in the Secure Zone, the trusted execution environment of Arm SoCs in which sensitive information is stored.
The researchers were able to retrieve information via the bus connectors. They saw that when information is exchanged between two bus masters, the chip’s cache divides two chunks of information and passes them through one at a time. According to the researchers, this prioritization process can provide information about the data that is withheld. During the presentation, the researchers showed how they could find out the secret of a connected door lock in this way. According to Pinto and Rodrigues, it is even possible to automate such an attack and make it easy to execute.
The attack resembles methods such as Spectre and Meltdown, two major vulnerabilities in Intel and AMD chips that became known several years ago. It was long believed that such side-channel attacks were reserved for large chips such as the desktop chips from the two major companies, and that they were more difficult on the Arm architecture because those chips are simpler and therefore send less data through memory caches.
Arm now acknowledges the vulnerability, but has not yet provided a definitive solution. Such a fix would have to be released as a microcode patch through specific manufacturers. The company acknowledges that this is “the first working side-channel attack in the TrustZone-enabled Cortex-M processor microarchitecture,” but adds that the problem is not specific to the Arm architecture. Side-channel attacks would not target specific chip models, but would occur on all types of CPUs. “The Security Extensions for the Armv8-M architecture are not specifically protected against side channel attacks due to control flow and memory access patterns. Such attacks are not specific to the Armv8-M architecture, but can be applied to any code that uses such patterns of control flows,” the company says. According to Arm, that can be mitigated by optimizing certain processes to prevent memory leaks, but manufacturers should already be doing that if they follow best practices.
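Arm's statement singles out control flow and memory access patterns that depend on secret data. The C sketch below is an added example, not code from Arm or the researchers: it puts a secret-dependent PIN comparison and table lookup next to data-independent versions. The PIN, the table contents and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define PIN_LEN 4
/* Constructed sample secret and table, for illustration only. */
static const uint8_t SECRET_PIN[PIN_LEN] = { '4', '8', '2', '1' };
static const uint8_t TABLE[8] = { 7, 1, 4, 9, 3, 8, 2, 6 };

/* Leaky: stops at the first mismatch, so *steps reveals the matching prefix length. */
int check_leaky(const uint8_t *guess, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        (*steps)++;
        if (SECRET_PIN[i] != guess[i]) return 0;
    }
    return 1;
}

/* Data-independent: visits every digit and never branches on the secret. */
int check_ct(const uint8_t *guess, size_t *steps) {
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(SECRET_PIN[i] ^ guess[i]);
    }
    return diff == 0;
}

/* Leaky: the address that is read depends on the secret index. */
uint8_t lookup_leaky(size_t secret_idx) { return TABLE[secret_idx]; }

/* Data-independent: reads every entry, keeps one via a branch-free mask. */
uint8_t lookup_ct(size_t secret_idx) {
    uint8_t out = 0;
    for (size_t i = 0; i < sizeof TABLE; i++) {
        size_t x = i ^ secret_idx;  /* zero only when i == secret_idx */
        uint8_t mask = (uint8_t)(((x | ((size_t)0 - x)) >> (sizeof x * 8 - 1)) - 1);
        out |= (uint8_t)(TABLE[i] & mask);  /* mask is 0xFF on the match, else 0x00 */
    }
    return out;
}

int main(void) {
    size_t a, b;
    check_leaky((const uint8_t *)"4899", &a);
    check_ct((const uint8_t *)"4899", &b);
    printf("leaky steps=%zu, data-independent steps=%zu\n", a, b);
    return 0;
}
```

Data-independent source does not guarantee data-independent machine code, so the compiler output for the target core still needs to be inspected.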