TEE-Time: A Dynamic Cache Timing Analysis Tool for Trusted Execution Environments

Quentin Forcioli; Sumanta Chaudhuri; Jean Luc Danger

doi:10.1109/ISQED60706.2024.10528744

TEE-Time: A Dynamic Cache Timing Analysis Tool for Trusted Execution Environments

Quentin Forcioli
, Sumanta Chaudhuri
, Jean Luc Danger

Telecom Paris

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In this article, we present a tool to analyze cache timing vulnerabilities in trusted execution environments. First, we present a platform based on the well-known gem5 simulator capable of booting GlobalPlatform Compliant TEEs for ARMV8 architecture. Next, we present the associated GDB instrumentation which allows us to dynamically reconfigure the gem5 simulator and access detailed micro-architectural state after each simulation step. Unmodified Linux/TEE binaries can be run on this platform, from which detailed execution and cache access traces are gathered and analyzed on-the-fly.We demonstrate the usage of this tool, first with an in-vitro experiment to explain the concepts of Key-Cache lines, Key-Execution Points, a method to rank these lines in an increasing order of vulnerability, and code coverage. We show that real vulnerabilities can be detected with our tool, in an otherwise constant-time RSA implementation inside an open Source TEE called OP-TEE.

Original language	English
Title of host publication	Proceedings of the 25th International Symposium on Quality Electronic Design, ISQED 2024
Publisher	IEEE Computer Society
ISBN (Electronic)	9798350309270
DOIs	https://doi.org/10.1109/ISQED60706.2024.10528744
Publication status	Published - 1 Jan 2024
Event	25th International Symposium on Quality Electronic Design, ISQED 2024 - Hybrid, San Francisco, United States Duration: 3 Apr 2024 → 5 Apr 2024

Publication series

Name	Proceedings - International Symposium on Quality Electronic Design, ISQED
ISSN (Print)	1948-3287
ISSN (Electronic)	1948-3295

Conference

Conference	25th International Symposium on Quality Electronic Design, ISQED 2024
Country/Territory	United States
City	Hybrid, San Francisco
Period	3/04/24 → 5/04/24

Access to Document

10.1109/ISQED60706.2024.10528744

Cite this

Forcioli, Q., Chaudhuri, S., & Danger, J. L. (2024). TEE-Time: A Dynamic Cache Timing Analysis Tool for Trusted Execution Environments. In Proceedings of the 25th International Symposium on Quality Electronic Design, ISQED 2024 (Proceedings - International Symposium on Quality Electronic Design, ISQED). IEEE Computer Society. https://doi.org/10.1109/ISQED60706.2024.10528744

@inproceedings{d4fd6edca5e544c7b61218872942735c,

title = "TEE-Time: A Dynamic Cache Timing Analysis Tool for Trusted Execution Environments",

abstract = "In this article, we present a tool to analyze cache timing vulnerabilities in trusted execution environments. First, we present a platform based on the well-known gem5 simulator capable of booting GlobalPlatform Compliant TEEs for ARMV8 architecture. Next, we present the associated GDB instrumentation which allows us to dynamically reconfigure the gem5 simulator and access detailed micro-architectural state after each simulation step. Unmodified Linux/TEE binaries can be run on this platform, from which detailed execution and cache access traces are gathered and analyzed on-the-fly.We demonstrate the usage of this tool, first with an in-vitro experiment to explain the concepts of Key-Cache lines, Key-Execution Points, a method to rank these lines in an increasing order of vulnerability, and code coverage. We show that real vulnerabilities can be detected with our tool, in an otherwise constant-time RSA implementation inside an open Source TEE called OP-TEE.",

author = "Quentin Forcioli and Sumanta Chaudhuri and Danger, \{Jean Luc\}",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 25th International Symposium on Quality Electronic Design, ISQED 2024 ; Conference date: 03-04-2024 Through 05-04-2024",

year = "2024",

month = jan,

day = "1",

doi = "10.1109/ISQED60706.2024.10528744",

language = "English",

series = "Proceedings - International Symposium on Quality Electronic Design, ISQED",

publisher = "IEEE Computer Society",

booktitle = "Proceedings of the 25th International Symposium on Quality Electronic Design, ISQED 2024",

}

Forcioli, Q, Chaudhuri, S & Danger, JL 2024, TEE-Time: A Dynamic Cache Timing Analysis Tool for Trusted Execution Environments. in Proceedings of the 25th International Symposium on Quality Electronic Design, ISQED 2024. Proceedings - International Symposium on Quality Electronic Design, ISQED, IEEE Computer Society, 25th International Symposium on Quality Electronic Design, ISQED 2024, Hybrid, San Francisco, United States, 3/04/24. https://doi.org/10.1109/ISQED60706.2024.10528744

TEE-Time: A Dynamic Cache Timing Analysis Tool for Trusted Execution Environments. / Forcioli, Quentin; Chaudhuri, Sumanta; Danger, Jean Luc.
Proceedings of the 25th International Symposium on Quality Electronic Design, ISQED 2024. IEEE Computer Society, 2024. (Proceedings - International Symposium on Quality Electronic Design, ISQED).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - TEE-Time

T2 - 25th International Symposium on Quality Electronic Design, ISQED 2024

AU - Forcioli, Quentin

AU - Chaudhuri, Sumanta

AU - Danger, Jean Luc

PY - 2024/1/1

Y1 - 2024/1/1

N2 - In this article, we present a tool to analyze cache timing vulnerabilities in trusted execution environments. First, we present a platform based on the well-known gem5 simulator capable of booting GlobalPlatform Compliant TEEs for ARMV8 architecture. Next, we present the associated GDB instrumentation which allows us to dynamically reconfigure the gem5 simulator and access detailed micro-architectural state after each simulation step. Unmodified Linux/TEE binaries can be run on this platform, from which detailed execution and cache access traces are gathered and analyzed on-the-fly.We demonstrate the usage of this tool, first with an in-vitro experiment to explain the concepts of Key-Cache lines, Key-Execution Points, a method to rank these lines in an increasing order of vulnerability, and code coverage. We show that real vulnerabilities can be detected with our tool, in an otherwise constant-time RSA implementation inside an open Source TEE called OP-TEE.

AB - In this article, we present a tool to analyze cache timing vulnerabilities in trusted execution environments. First, we present a platform based on the well-known gem5 simulator capable of booting GlobalPlatform Compliant TEEs for ARMV8 architecture. Next, we present the associated GDB instrumentation which allows us to dynamically reconfigure the gem5 simulator and access detailed micro-architectural state after each simulation step. Unmodified Linux/TEE binaries can be run on this platform, from which detailed execution and cache access traces are gathered and analyzed on-the-fly.We demonstrate the usage of this tool, first with an in-vitro experiment to explain the concepts of Key-Cache lines, Key-Execution Points, a method to rank these lines in an increasing order of vulnerability, and code coverage. We show that real vulnerabilities can be detected with our tool, in an otherwise constant-time RSA implementation inside an open Source TEE called OP-TEE.

U2 - 10.1109/ISQED60706.2024.10528744

DO - 10.1109/ISQED60706.2024.10528744

M3 - Conference contribution

AN - SCOPUS:85194087544

T3 - Proceedings - International Symposium on Quality Electronic Design, ISQED

BT - Proceedings of the 25th International Symposium on Quality Electronic Design, ISQED 2024

PB - IEEE Computer Society

Y2 - 3 April 2024 through 5 April 2024

ER -

TEE-Time: A Dynamic Cache Timing Analysis Tool for Trusted Execution Environments

Abstract

Publication series

Conference

Access to Document

Fingerprint

Cite this