Prime+Count: A Low Noise, No Shared Memory Needed Cache Attack for Cross-world Covert Channels
Published
Annual Computer Security Applications Conference (ACSAC)
Abstract
The security of ARM TrustZone relies on the idea of splitting system-on-chip hardware and software into two worlds, namely normal world and secure world. In this paper, we report cross-world covert channels, which exploit the world-shared cache in the TrustZone architecture. We design a Prime+Count technique that only cares about how many cache sets or lines have been occupied. The coarser-grained approach significantly reduces the noise introduced by the pseudo-random replacement policy and world switching. Using our Prime+Count technique, we build covert channels in single-core and cross-core scenarios in the TrustZone architecture. Our results demonstrate that Prime+Count is an effective technique for enabling cross-world covert channels on ARM TrustZone.