Trusted Firmware-A profile Vulnerabilities

[sysnoob]

Dear All

i am currently working on a project to find vulnerability in the ARM architecture TrustZone specifically speaking Trusted Firmware A profile a while ago i read an article that titled return2user attack which mainly buffer overflows the non secure world application to call a secure function and overwrite its return address but this works on trusted firmware M profile. i want to replicate this idea to trusted Firmware A profile which basically uses secure monitor as EL3 while switching from non secure to secure and vice versa. now as i got deep i understood that my main surface of attack will be on the SMCCC generic calls . Each SMCCC call is a 'C' code and the parameters from the 'non secure world' (REE) should be sanity checked before use, before the use in the 'secure world' (TEE).
my attack vectors are the parameters to these routines.

Now my question is where exactly can i find the SMCC page in the source code since its bit lost in the organization.
second would be in my attack i need to write a vulnerable c code running on the trusted firmware that would call a secure world service that i could buffer overflow and rewrite its return address does anyone know where can i find the service and give me basically an example on how would an attack like this work

Thank you in advance

 

[weaver]

Now my question is where exactly can i find the SMCC page in the source code since its bit lost in the organization.

In ARM, in general, you can behave as you like and come up with any exchange concepts, but there is an accepted exchange mechanism described in the ARM SMC calling convention. It describes which registers are used to transfer the command code, data, return values, and so on.

I think you have already read this document.

infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf


Search for the assembly instruction "SMC" in the code. It is usually followed by a number that represents the function ID or service ID being called.

SMC #0

SMC Function IDs or Service IDs: Each secure service or function is typically identified by a unique ID. Search for definitions or enumerations of these IDs, which are used as arguments to the SMC instruction.

example

   enum smc_func_id {
       SMC_FUNC_ID_SECURE_SERVICE1 = 0,
       SMC_FUNC_ID_SECURE_SERVICE2 = 1,
       ...
   };

Look for functions or code blocks that handle SMC instructions and dispatch them to the appropriate secure services. The calling convention also defines how arguments are passed to the secure services. Search for code that demonstrates how arguments are passed to the SMC instruction and how they are accessed in the secure world.

second would be in my attack i need to write a vulnerable c code running on the trusted firmware that would call a secure world service that i could buffer overflow and rewrite its return address does anyone know where can i find the service and give me basically an example on how would an attack like this work

You'll have to figure these out yourself. You will need to change the value of the SCR (Secure Configuration Register) from one to zero, reset the register, for example, an xor operation, perhaps with some gadget.

 

[sysnoob]

Thank you for your reply, i have a question theoretically speaking if i want to add a secure world code do i need to modify the TF-A source code adding it in the SPM and then defining it in the SPCI so that it would be callable as a secure service is there any other way to do so ?

since i read in a research paper called return to user attack, an attack that basically does what i am looking forward to do but it is implemented in TF-M, while i was reading the attack i saw this int32_t print_LCD_nsc(char *msg) __attribute__((cmse_nonsecure_entry)); which basically as i understood that it an attribute that u use to define a non secure callable is there something like that in TF-A ?

 

[weaver]

After studying your question in more depth, I realized that you need to focus not on the exploitation technique return-to-user (ret2usr), but on its analogue, which was, by the way, based on the same principle.

We are talking about the so-called exploitation technique Return-to-Non-Secure (ret2ns).

paper "Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense"

https://cactilab.github.io/assets/pdf/ret2ns2023.pdf

git repository

GitHub - CactiLab/ret2ns-Cortex-M-TrustZone: This repo demonstrates the Return-to-Non-Secure (ret2ns) vulnerability on ARM Cortex-M TrustZone. It contains the attack and defense demonstration, as well as the defense overhead evaluation.

This repo demonstrates the Return-to-Non-Secure (ret2ns) vulnerability on ARM Cortex-M TrustZone. It contains the attack and defense demonstration, as well as the defense overhead evaluation. - Cac...

github.com

What I talked about earlier about the register SCR (Secure Configuration Register)... Actually, NS bit allows you to set the mode. If the NS bit is 1, we are in Non-Secure mode, and if the NS bit is 0, then we are in Secure mode.

 

[sysnoob]

exactly !! this was the research paper i was looking at so basically what i am trying to figure out is if this attack can be applied in theory this attack on the TF-A so at the moment what i am trying to figure out is where the secure services are in https://github.com/ARM-software/arm-trusted-firmware so that i potentially write a secure service my self and try to fuzz around and understand how the API is communicating, now for the SCR yes its really important as i searched it contains the control bit and the NS bit which makes it priv or non priv and sec world or not but the attack of ret2user was stack overflow to corrupt the blxns pointer location

my question is where are the secure services and where is the SMC handler so i can understand how can we potentially fuzz around and if it uses the bx , blxns instruction or not

Thank you for your reply