Revisiting ARM Debugging Features: Nailgun and its Defense

Abstract

Processors nowadays are consistently equipped with debugging features to facilitate program analysis. Specifically, the ARM debugging architecture involves a series of CoreSight components and debug registers to aid the system debugging, and a group of debug authentication signals are designed to restrict the usage of these components and registers. Meanwhile, the security of the debugging features is under-examined since it normally requires physical access to use these features in the traditional debugging model. However, ARM introduces a new debugging model that requires no physical access since ARMv7, which exacerbates our concern on the security of the debugging features. In this article, we perform a comprehensive security analysis of the ARM debugging features and summarize the security implications. To understand the impact of the implications, we also investigate a series of platforms with ARM-A architecture in different product domains (i.e., development boards, IoT devices, cloud servers, and mobile devices). We consider that the analysis and investigation expose a new attacking surface that universally exists in platforms with ARM-A architecture. To verify our concern, we further craft <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Nailgun</small> attack, which obtains sensitive information (e.g., AES encryption key and fingerprint image) and achieves arbitrary payload execution in a high-privilege mode from a low-privilege mode via misusing the debugging features. This attack does not rely on software bugs, and our experiments show that almost all the platforms we investigated are vulnerable to the attack. Our analysis also indicates that ARM-R and ARM-M platforms may suffer from the same issue. To defend against the attack, we discuss potential mitigations from different perspectives in the ARM ecosystem. Finally, a practical defense mechanism based on ARM virtualization technology is presented, and the evaluation result shows that our defense can prevent <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Nailgun</small> with a negligible performance penalty.