Revisiting ARM Debugging Features: Nailgun and its Defense

Processors nowadays are consistently equipped with debugging features to facilitate program analysis. Specifically, the ARM architecture involves a series of CoreSight components and debug registers aid system debugging, group authentication signals designed restrict usage these registers. Meanwhile, security is under-examined since it normally requires physical access use in traditional model. However, introduces new model that no ARMv7, which exacerbates our concern on features. In this article, we perform comprehensive analysis summarize implications. To understand impact implications, also investigate platforms ARM-A different product domains (i.e., development boards, IoT devices, cloud servers, mobile devices). We consider investigation expose attacking surface universally exists architecture. verify concern, further craft Nailgun attack, obtains sensitive information (e.g., AES encryption key fingerprint image) achieves arbitrary payload execution high-privilege mode from low-privilege via misusing This attack does not rely software bugs, experiments show almost all investigated vulnerable attack. Our indicates ARM-R ARM-M may suffer same issue. defend against discuss potential mitigations perspectives ecosystem. Finally, practical defense mechanism based virtualization technology presented, evaluation result shows can prevent negligible performance penalty.