Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone

Editor’s note: This work was also presented at ACM CCS 2019.

Written by Keegan Ryan

Trusted Execution Environments (TEEs) such as ARM TrustZone are in widespread use
in both mobile and embedded devices, and they are used to protect sensitive secrets
while often sharing the same computational hardware as untrusted code. Although
there has been limited research in the area, the threat of microarchitectural attacks
against ARM TrustZone has not been thoroughly studied. This is not the case for other
TEEs, such as Intel SGX, where the security promises of the TEE have been violated
numerous times by the academic community, showing that it is possible to use sidechannel attacks to gain detailed insight into the microarchitectural behavior of trusted
code. In this work, we show that TrustZone is susceptible to similar attacks, and we
demonstrate the ability to achieve cache attacks with high temporal precision, high
spatial precision, and low noise. These tools make it easy to monitor the data flow
and code flow of TrustZone code with great resolution, and we apply our techniques
to investigate the security of a real-world application. We examine ECDSA signing in
Qualcomm’s implementation of Android’s hardware-backed keystore and identify a
series of vulnerabilities that leak sensitive cryptographic information through shared
microarchitectural structures. By using the powerful attacks developed in this paper,
we are able to successfully extract this sensitive information and fully recover a 256-bit
private key from Qualcomm’s version of the hardware-backed keystore.

This whitepaper may be downloaded below: