Android Hardware Reverse Engineering

Hands-on TrustZone Side-Channel Analysis: Extracting Secrets from TEE Operations


Introduction: Unveiling Secrets in the Secure World

ARM TrustZone technology establishes a Secure World and a Normal World on a single processor, creating a Trusted Execution Environment (TEE) for sensitive operations like DRM, mobile payments, and secure boot. While TrustZone aims to isolate critical data and computations from the potentially compromised Normal World, the physical execution of these operations is not immune to side-channel attacks. These attacks exploit information leakage through physical phenomena such as power consumption, electromagnetic radiation, or execution timing. This article delves into the practicalities of conducting side-channel analysis on TrustZone TEE operations, focusing on timing attacks to demonstrate how even subtle variations can reveal sensitive information.

TrustZone Architecture: A Brief Overview

At its core, ARM TrustZone leverages hardware isolation to create two distinct execution environments: the Normal World and the Secure World. The Normal World, where general-purpose operating systems like Android or Linux run, cannot touch memory or peripherals that the platform has marked as Secure (the security state is carried on the bus as the NS bit). The Secure World, on the other hand, hosts a Trusted OS (T-OS) and Trusted Applications (TAs), providing a highly privileged environment for secure operations. Communication between the Normal World (Client Application or CA) and the Secure World (TA) occurs via a defined API, often following the GlobalPlatform TEE Client API specification; each request ultimately crosses the world boundary through an SMC (Secure Monitor Call) instruction handled by the monitor.

Key components:

  • Secure World: Runs a Trusted OS (e.g., OP-TEE, Trusty) and Trusted Applications (TAs). Handles sensitive data and cryptographic operations.
  • Normal World: Runs a rich OS (e.g., Android) and Client Applications (CAs). Initiates requests to TAs.
  • Monitor Mode (Secure Monitor, EL3 on ARMv8-A): A privileged mode that acts as a gatekeeper. It is entered via the SMC instruction, saves and restores per-world register state, and switches the CPU between Normal and Secure Worlds.

Identifying Side-Channel Vulnerabilities in TEEs

Side-channel analysis targets the physical implementation of cryptographic algorithms or secret-dependent operations rather than their mathematical weaknesses. For TEEs, common attack vectors include:

  • Timing Attacks:

    Exploiting variations in execution time of operations based on secret data. Cache misses, branch predictions, and instruction-level differences can all contribute to measurable timing discrepancies.

  • Power Analysis (DPA/CPA):

    Analyzing the instantaneous power consumption of the device, which correlates with the operations being performed.

  • Electromagnetic Analysis (EMA):

    Similar to power analysis, but measures electromagnetic emanations from the device, often providing higher spatial and temporal resolution.

Our hands-on approach will focus on timing attacks due to their relatively lower barrier to entry for practical demonstration, often requiring only software instrumentation and a target TEE operation. In practice the attacker times the TA call from the Normal World (for example, around TEEC_InvokeCommand using a cycle counter or clock_gettime), and because the SMC world switch, interrupts and cache state add jitter, each guess is usually measured many times and averaged before the differences become visible.
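The following is an added example, not code from the original article or from any real Trusted OS. It models the kind of secret-dependent early exit that makes a TA's verification routine timing-leaky, and the Normal World attacker's byte-by-byte recovery against it. The secret token, the hypothetical verify commands and the attacker loop are all constructed for illustration; instead of wall-clock time, a loop-step counter stands in for the cycles the CA would measure, so the leak is deterministic and the same attacker logic can be shown failing against a constant-time variant.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a secret held inside the TA (hypothetical). */
#define TOKEN_LEN 8
static const uint8_t SECRET_TOKEN[TOKEN_LEN] = {
    0x4a, 0x13, 0xd7, 0x08, 0x9f, 0x22, 0x61, 0xee
};

/* Hypothetical leaky TA command: early-exit comparison. Returns 1 if the
 * guess matches. 'steps' counts loop iterations and models the execution
 * time an attacker observes (more steps => more cycles). */
int leaky_verify(const uint8_t *guess, size_t len, size_t *steps)
{
    size_t i;
    *steps = 0;
    if (len != TOKEN_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        (*steps)++;
        if (guess[i] != SECRET_TOKEN[i])
            return 0;               /* leaks index of the first mismatch */
    }
    return 1;
}

/* Hardened variant: constant-time comparison, every byte always visited. */
int ct_verify(const uint8_t *guess, size_t len, size_t *steps)
{
    uint8_t diff = 0;
    size_t i;
    *steps = 0;
    if (len != TOKEN_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        (*steps)++;
        diff |= guess[i] ^ SECRET_TOKEN[i];
    }
    return diff == 0;
}

typedef int (*verify_fn)(const uint8_t *, size_t, size_t *);

/* Normal World attacker: for each position, keep earlier bytes fixed, try
 * all 256 candidates and keep the one with the longest observed "time".
 * Returns 1 when the oracle accepts the recovered token, 0 otherwise;
 * 'queries' receives the number of oracle calls used. */
int recover_token(verify_fn oracle, uint8_t *out, size_t len, size_t *queries)
{
    size_t i, steps;
    int c, ok;
    *queries = 0;
    memset(out, 0, len);
    for (i = 0; i < len; i++) {
        size_t best_steps = 0;
        int best = 0;
        for (c = 0; c < 256; c++) {
            out[i] = (uint8_t)c;
            ok = oracle(out, len, &steps);
            (*queries)++;
            if (ok)
                return 1;           /* full token found */
            if (steps > best_steps) {
                best_steps = steps;
                best = c;
            }
        }
        out[i] = (uint8_t)best;     /* commit the byte that ran longest */
    }
    return 0;
}

int main(void)
{
    uint8_t rec[TOKEN_LEN];
    size_t q;
    int ok = recover_token(leaky_verify, rec, TOKEN_LEN, &q);
    printf("leaky oracle:         success=%d queries=%zu\n", ok, q);
    ok = recover_token(ct_verify, rec, TOKEN_LEN, &q);
    printf("constant-time oracle: success=%d queries=%zu\n", ok, q);
    return 0;
}
```

Against the leaky oracle the attacker needs at most 256 guesses per byte (about 2000 calls for an 8-byte token) instead of 2^64, because each correct byte lengthens the run by exactly one iteration; against the constant-time oracle every guess runs the same number of steps, the "longest" candidate is meaningless, and the search degenerates to brute force on the final byte only. In a real measurement the step counter is replaced by averaged cycle counts around the TA invocation, and a constant-time compare must also be checked at the generated-code level, since a compiler can reintroduce an early exit.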

Practical Scenario: Timing Attack on a Hypothetical TEE Operation

Consider a hypothetical Trusted Application designed to verify a
