# Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense

Zheyuan Ma, Xi Tan, Lukasz Ziarek, Ning Zhang, Hongxin Hu, Ziming Zhao

{zheyuanm, xitan, lziarek, hongxinh, zimingzh}@buffalo.edu, zhang.ning@wustl.edu

## (1) Introduction

Exploring the security landscape of ARM Cortex-M TrustZone, we uncover a new class of vulnerabilities, termed 'return-to-non-secure' (ret2ns) attacks. These attacks exploit the fast state-switch mechanism of TrustZone, leading to arbitrary code execution with escalated privilege in the non-secure state. We not only confirm the feasibility of ret2ns attacks but also propose effective countermeasures, introducing two address-sanitizing mechanisms with minimal performance impact.

## (2) Background

- Cortex-M's rapid state switch has security implications
- The semantic gap results in potential confused-deputy attacks

## (3) Threat Model

Goal: a user-space attacker in NS conducts privilege escalation

#### Assumptions:

- memory corruption vulnerability in S
- attacker utilizes NS system calls (SVC) for S interaction
- arbitrary code execution in S is not possible for the attacker

Target: to corrupt a code pointer used by bxns/blxns in S

## (4) Overview

#### Handler-mode-originated attacks

IPSR is shared between states

#### Thread-mode-originated attacks

CONTROL.nPRIV is banked between states

## (5) A Walking Example

[Figure: control flow of the walking example. Non-secure user code (Thread mode, IPSR=0) takes User Input and calls print_LCD; ① the SVC call enters SVC_Handler in the non-secure state (Handler mode, IPSR=11).]

- IPSR != 0, Handler mode
- IPSR = 0, Thread mode
- IPSR register is shared between states; CONTROL register is banked for each state

## (6) Defense 1 - MPU-assisted Address Sanitizer

- Validate memory access permissions for the NS target
- Verify the NS destination address against the NS MPU configuration before bxns/blxns executes

## Defense 2 - Address Masking

- Assume user-space and kernel-space programs reside in distinct, known memory regions
- Apply bit-wise masking to the NS target
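The two defenses above, modelled as host-runnable C (an added example, not the paper's implementation). The NS MPU region table, the address map (kernel code below 0x00080000, user code above it) and the names `ns_target_allowed` and `mask_ns_target` are assumptions made for the example; on real hardware the check would run in the secure state immediately before the bxns/blxns, with the caller's privilege taken from IPSR and CONTROL_NS.nPRIV.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one NS MPU region; only the attributes the
 * sanitizer needs are represented (not the paper's data structures). */
typedef struct {
    uint32_t base;        /* region start address */
    uint32_t size;        /* region length in bytes */
    bool     unpriv_exec; /* may unprivileged NS code execute here? */
} ns_mpu_region_t;

/* Constructed NS MPU configuration: kernel code is privileged-only,
 * user code is executable by unprivileged threads. The addresses are
 * placeholders, not a real device memory map. */
static const ns_mpu_region_t NS_MPU[] = {
    { 0x00000000u, 0x00080000u, false }, /* NS kernel code */
    { 0x00080000u, 0x00080000u, true  }, /* NS user code   */
};
#define NS_MPU_COUNT (sizeof NS_MPU / sizeof NS_MPU[0])

/* Defense 1: MPU-assisted address sanitizer.
 * caller_privileged is the privilege the NS side will resume with.
 * The target is accepted only if some NS MPU region covers it and that
 * region is executable by the resuming context. */
bool ns_target_allowed(uint32_t target, bool caller_privileged)
{
    uint32_t addr = target & ~1u; /* ignore the Thumb/state bit when comparing */
    for (size_t i = 0; i < NS_MPU_COUNT; i++) {
        const ns_mpu_region_t *r = &NS_MPU[i];
        if (addr >= r->base && addr - r->base < r->size)
            return caller_privileged || r->unpriv_exec;
    }
    return false; /* no region covers the address: refuse the transition */
}

/* Defense 2: address masking.
 * Assumes, as the poster does, that user and kernel code live in distinct,
 * known regions (here the user region is NS_MPU[1]). Rather than branching
 * on a check, the target is forced into the user region with bit operations,
 * so a corrupted pointer can never resolve to kernel code. */
#define NS_USER_BASE 0x00080000u
#define NS_USER_MASK 0x0007FFFFu /* offset bits inside the user region */

uint32_t mask_ns_target(uint32_t target)
{
    uint32_t state_bit = target & 1u; /* preserve bit 0 as bxns expects it */
    return ((target & NS_USER_MASK) | NS_USER_BASE) | state_bit;
}

int main(void)
{
    /* A return into user code from an unprivileged NS caller is fine. */
    printf("user target:   %s\n",
           ns_target_allowed(0x00081234u, false) ? "allowed" : "blocked");
    /* A corrupted pointer aimed at kernel code is rejected by Defense 1 ... */
    printf("kernel target: %s\n",
           ns_target_allowed(0x00001000u, false) ? "allowed" : "blocked");
    /* ... and forced back into the user region by Defense 2. */
    printf("masked:        0x%08x\n", (unsigned)mask_ns_target(0x00001000u));
    return 0;
}
```

Defense 1 is the more general check (it honours whatever the NS MPU says, including data regions that must never be executed), while Defense 2 is branch-free and therefore cheaper, which matches the smaller overhead reported for masking in the table.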

| T, N | Blinky | MPU-assisted Addr Sanitizer | Address Masking |
|---|---|---|---|
| $10^7, 10^7$ | 1,200,503,441 | 1,200,508,359 (0.0004%) | 1,200,506,190 (0.0002%) |
| $10^5, 10^5$ | | | |

Secure-state side of the walking example (the non-secure-state side appears on the poster only as a label):

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_LEN 128
int32_t _driver_LCD_ready();
int32_t _driver_LCD_print(char *);

/* Non-secure callable function */
int32_t print_LCD_nsc(char *msg) __attribute__((cmse_nonsecure_entry));

int32_t print_LCD_nsc(char *msg)
{
    char buf[MAX_LEN] = {0};

    if (_driver_LCD_ready()) {
        /* msg is NS-controlled and its length is never checked against MAX_LEN */
        sprintf(buf, "%s %s: %s", _TIME_STAMP, _SYSTEM_STATUS, msg); /* Buffer overflow */
        return _driver_LCD_print(buf); /* bxns return */
    } else {
        return -1; /* bxns return */
    }
}
```

## (8) Summary

- The semantic gap in Cortex-M TrustZone results in potential confused-deputy attacks
- Four types of ret2ns attacks



University at Buffalo, The State University of New York

