Merge changes from topic "sb/threat-model" into integration

* changes:
  docs(threat-model): remove some redundant text in threat #08
  docs(threat-model): make experimental features out of scope
  docs(threat-model): cosmetic changes
This commit is contained in:
Sandrine Bailleux 2022-05-19 13:09:00 +02:00 committed by TrustedFirmware Code Review
commit 687cb6bdd3
1 changed files with 188 additions and 181 deletions


@ -1,9 +1,10 @@
Generic Threat Model
********************
************************
************
Introduction
************************
************
This document provides a generic threat model for TF-A firmware.
.. note::
@ -11,9 +12,10 @@ This document provides a generic threat model for TF-A firmware.
This threat model doesn't consider Root and Realm worlds introduced by
:ref:`Realm Management Extension (RME)`.
************************
********************
Target of Evaluation
************************
********************
In this threat model, the target of evaluation is the Trusted
Firmware for A-class Processors (TF-A). This includes the boot ROM (BL1),
the trusted boot firmware (BL2) and the runtime EL3 firmware (BL31) as
@ -34,8 +36,12 @@ assumptions:
- There is no Secure-EL2. We don't consider threats that may come with
Secure-EL2 software.
- No experimental features are enabled. We do not consider threats that may come
from them.
Data Flow Diagram
======================
=================
Figure 1 shows a high-level data flow diagram for TF-A. The diagram
shows a model of the different components of a TF-A-based system and
their interactions with TF-A. A description of each diagram element
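Review bot: the new assumption "No experimental features are enabled" gives the reader no way to tell which features that excludes; a pointer to where TF-A marks a feature as experimental (for instance the build options documentation, if it flags them) would make the scope exclusion checkable rather than implicit.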
@ -51,26 +57,26 @@ are considered untrusted by TF-A.
+-----------------+--------------------------------------------------------+
| Diagram Element | Description |
+=================+========================================================+
| ``DF1`` | | At boot time, images are loaded from non-volatile |
| DF1 | | At boot time, images are loaded from non-volatile |
| | memory and verified by TF-A boot firmware. These |
| | images include TF-A BL2 and BL31 images, as well as |
| | other secure and non-secure images. |
+-----------------+--------------------------------------------------------+
| ``DF2`` | | TF-A log system framework outputs debug messages |
| DF2 | | TF-A log system framework outputs debug messages |
| | over a UART interface. |
+-----------------+--------------------------------------------------------+
| ``DF3`` | | Debug and trace IP on a platform can allow access |
| DF3 | | Debug and trace IP on a platform can allow access |
| | to registers and memory of TF-A. |
+-----------------+--------------------------------------------------------+
| ``DF4`` | | Secure world software (e.g. trusted OS) interact |
| DF4 | | Secure world software (e.g. trusted OS) interact |
| | with TF-A through SMC call interface and/or shared |
| | memory. |
+-----------------+--------------------------------------------------------+
| ``DF5`` | | Non-secure world software (e.g. rich OS) interact |
| DF5 | | Non-secure world software (e.g. rich OS) interact |
| | with TF-A through SMC call interface and/or shared |
| | memory. |
+-----------------+--------------------------------------------------------+
| ``DF6`` | | This path represents the interaction between TF-A and|
| DF6 | | This path represents the interaction between TF-A and|
| | various hardware IPs such as TrustZone controller |
| | and GIC. At boot time TF-A configures/initializes the|
| | IPs and interacts with them at runtime through |
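Review bot: the DF4 and DF5 descriptions in this hunk read "Secure world software (e.g. trusted OS) interact" and "Non-secure world software (e.g. rich OS) interact"; the subject is singular, so "interacts" is the correct form. These are context lines, but a cosmetic series is the natural place to fix them alongside the markup change.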
@ -78,9 +84,10 @@ are considered untrusted by TF-A.
+-----------------+--------------------------------------------------------+
*********************
***************
Threat Analysis
*********************
***************
In this section we identify and provide assessment of potential threats to TF-A
firmware. The threats are identified for each diagram element on the
data flow diagram above.
@ -91,7 +98,8 @@ that represents the impact and likelihood of that threat. We also discuss
potential mitigations.
Assets
==================
======
We have identified the following assets for TF-A:
.. table:: Table 2: TF-A Assets
@ -99,21 +107,22 @@ We have identified the following assets for TF-A:
+--------------------+---------------------------------------------------+
| Asset | Description |
+====================+===================================================+
| ``Sensitive Data`` | | These include sensitive data that an attacker |
| Sensitive Data | | These include sensitive data that an attacker |
| | must not be able to tamper with (e.g. the Root |
| | of Trust Public Key) or see (e.g. secure logs, |
| | debugging information such as crash reports). |
+--------------------+---------------------------------------------------+
| ``Code Execution`` | | This represents the requirement that the |
| Code Execution | | This represents the requirement that the |
| | platform should run only TF-A code approved by |
| | the platform provider. |
+--------------------+---------------------------------------------------+
| ``Availability`` | | This represents the requirement that TF-A |
| Availability | | This represents the requirement that TF-A |
| | services should always be available for use. |
+--------------------+---------------------------------------------------+
Threat Agents
=====================
=============
To understand the attack surface, it is important to identify potential
attackers, i.e. attack entry points. The following threat agents are
in scope of this threat model.
@ -123,16 +132,16 @@ in scope of this threat model.
+-------------------+-------------------------------------------------------+
| Threat Agent | Description |
+===================+=======================================================+
| ``NSCode`` | | Malicious or faulty code running in the Non-secure |
| NSCode | | Malicious or faulty code running in the Non-secure |
| | world, including NS-EL0 NS-EL1 and NS-EL2 levels |
+-------------------+-------------------------------------------------------+
| ``SecCode`` | | Malicious or faulty code running in the secure |
| SecCode | | Malicious or faulty code running in the secure |
| | world, including S-EL0 and S-EL1 levels |
+-------------------+-------------------------------------------------------+
| ``AppDebug`` | | Physical attacker using debug signals to access |
| AppDebug | | Physical attacker using debug signals to access |
| | TF-A resources |
+-------------------+-------------------------------------------------------+
| ``PhysicalAccess``| | Physical attacker having access to external device |
| PhysicalAccess | | Physical attacker having access to external device |
| | communication bus and to external flash |
| | communication bus using common hardware |
+-------------------+-------------------------------------------------------+
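Review bot: the NSCode description in this hunk, "including NS-EL0 NS-EL1 and NS-EL2 levels", is missing a comma after NS-EL0; suggest "including NS-EL0, NS-EL1 and NS-EL2 levels" while the row is being touched.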
@ -145,7 +154,8 @@ in scope of this threat model.
considered out-of-scope.
Threat Types
========================
============
In this threat model we categorize threats using the `STRIDE threat
analysis technique`_. In this technique a threat is categorized as one
or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``,
@ -153,7 +163,8 @@ or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``,
``Elevation of privilege``.
Threat Risk Ratings
========================
===================
For each threat identified, a risk rating that ranges
from *informational* to *critical* is given based on the likelihood of the
threat occuring if a mitigation is not in place, and the impact of the
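Review bot: the context line "threat occuring if a mitigation is not in place" has a typo; "occurring" is the correct spelling, and since this hunk only adjusts the heading underline it would be a cheap addition to the same cosmetic change.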
@ -165,7 +176,7 @@ rating in terms of score, impact and likelihood.
+-----------------------+-------------------------+---------------------------+
| **Rating (Score)** | **Impact** | **Likelihood** |
+=======================+=========================+===========================+
| ``Critical (5)`` | | Extreme impact to | | Threat is almost |
| Critical (5) | | Extreme impact to | | Threat is almost |
| | entire organization | certain to be exploited.|
| | if exploited. | |
| | | | Knowledge of the threat |
@ -173,17 +184,17 @@ rating in terms of score, impact and likelihood.
| | | are in the public |
| | | domain. |
+-----------------------+-------------------------+---------------------------+
| ``High (4)`` | | Major impact to entire| | Threat is relatively |
| High (4) | | Major impact to entire| | Threat is relatively |
| | organization or single| easy to detect and |
| | line of business if | exploit by an attacker |
| | exploited | with little skill. |
+-----------------------+-------------------------+---------------------------+
| ``Medium (3)`` | | Noticeable impact to | | A knowledgeable insider |
| Medium (3) | | Noticeable impact to | | A knowledgeable insider |
| | line of business if | or expert attacker could|
| | exploited. | exploit the threat |
| | | without much difficulty.|
+-----------------------+-------------------------+---------------------------+
| ``Low (2)`` | | Minor damage if | | Exploiting the threat |
| Low (2) | | Minor damage if | | Exploiting the threat |
| | exploited or could | would require |
| | be used in conjunction| considerable expertise |
| | with other | and resources |
@ -191,7 +202,7 @@ rating in terms of score, impact and likelihood.
| | perform a more serious| |
| | attack | |
+-----------------------+-------------------------+---------------------------+
| ``Informational (1)`` | | Poor programming | | Threat is not likely |
| Informational (1) | | Poor programming | | Threat is not likely |
| | practice or poor | to be exploited on its |
| | design decision that | own, but may be used to |
| | may not represent an | gain information for |
@ -235,14 +246,15 @@ In this threat model we consider three target environments:
``Internet of Things(IoT)``, ``Mobile`` and ``Server``.
Threat Assessment
============================
=================
The following threats were identified by applying STRIDE analysis on
each diagram element of the data flow diagram.
+------------------------+----------------------------------------------------+
| ID | 01 |
+========================+====================================================+
| ``Threat`` | | **An attacker can mangle firmware images to |
| Threat | | **An attacker can mangle firmware images to |
| | execute arbitrary code** |
| | |
| | | Some TF-A images are loaded from external |
@ -252,26 +264,26 @@ each diagram element of the data flow diagram.
| | updating mechanism to modify the non-volatile |
| | images to execute arbitrary code. |
+------------------------+----------------------------------------------------+
| ``Diagram Elements`` | DF1, DF4, DF5 |
| Diagram Elements | DF1, DF4, DF5 |
+------------------------+----------------------------------------------------+
| ``Affected TF-A | BL2, BL31 |
| Components`` | |
| Affected TF-A | BL2, BL31 |
| Components | |
+------------------------+----------------------------------------------------+
| ``Assets`` | Code Execution |
| Assets | Code Execution |
+------------------------+----------------------------------------------------+
| ``Threat Agent`` | PhysicalAccess, NSCode, SecCode |
| Threat Agent | PhysicalAccess, NSCode, SecCode |
+------------------------+----------------------------------------------------+
| ``Threat Type`` | Tampering, Elevation of Privilege |
| Threat Type | Tampering, Elevation of Privilege |
+------------------------+------------------+-----------------+---------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+------------------+-----------------+---------------+
| ``Impact`` | Critical (5) | Critical (5) | Critical (5) |
| Impact | Critical (5) | Critical (5) | Critical (5) |
+------------------------+------------------+-----------------+---------------+
| ``Likelihood`` | Critical (5) | Critical (5) | Critical (5) |
| Likelihood | Critical (5) | Critical (5) | Critical (5) |
+------------------------+------------------+-----------------+---------------+
| ``Total Risk Rating`` | Critical (25) | Critical (25) | Critical (25) |
| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) |
+------------------------+------------------+-----------------+---------------+
| ``Mitigations`` | | TF-A implements the `Trusted Board Boot (TBB)`_ |
| Mitigations | | TF-A implements the `Trusted Board Boot (TBB)`_ |
| | feature which prevents malicious firmware from |
| | running on the platform by authenticating all |
| | firmware images. In addition to this, the TF-A |
@ -283,33 +295,33 @@ each diagram element of the data flow diagram.
+------------------------+----------------------------------------------------+
| ID | 02 |
+========================+====================================================+
| ``Threat`` | | **An attacker may attempt to boot outdated, |
| Threat | | **An attacker may attempt to boot outdated, |
| | potentially vulnerable firmware image** |
| | |
| | | When updating firmware, an attacker may attempt |
| | to rollback to an older version that has unfixed |
| | vulnerabilities. |
+------------------------+----------------------------------------------------+
| ``Diagram Elements`` | DF1, DF4, DF5 |
| Diagram Elements | DF1, DF4, DF5 |
+------------------------+----------------------------------------------------+
| ``Affected TF-A | BL2, BL31 |
| Components`` | |
| Affected TF-A | BL2, BL31 |
| Components | |
+------------------------+----------------------------------------------------+
| ``Assets`` | Code Execution |
| Assets | Code Execution |
+------------------------+----------------------------------------------------+
| ``Threat Agent`` | PhysicalAccess, NSCode, SecCode |
| Threat Agent | PhysicalAccess, NSCode, SecCode |
+------------------------+----------------------------------------------------+
| ``Threat Type`` | Tampering |
| Threat Type | Tampering |
+------------------------+------------------+-----------------+---------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+------------------+-----------------+---------------+
| ``Impact`` | Critical (5) | Critical (5) | Critical (5) |
| Impact | Critical (5) | Critical (5) | Critical (5) |
+------------------------+------------------+-----------------+---------------+
| ``Likelihood`` | Critical (5) | Critical (5) | Critical (5) |
| Likelihood | Critical (5) | Critical (5) | Critical (5) |
+------------------------+------------------+-----------------+---------------+
| ``Total Risk Rating`` | Critical (25) | Critical (25) | Critical (25) |
| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) |
+------------------------+------------------+-----------------+---------------+
| ``Mitigations`` | | TF-A supports anti-rollback protection using |
| Mitigations | | TF-A supports anti-rollback protection using |
| | non-volatile counters (NV counters) as required |
| | by `TBBR-Client specification`_. After a firmware|
| | image is validated, the image revision number |
@ -324,7 +336,7 @@ each diagram element of the data flow diagram.
+------------------------+-------------------------------------------------------+
| ID | 03 |
+========================+=======================================================+
| ``Threat`` | | **An attacker can use Time-of-Check-Time-of-Use |
| Threat | | **An attacker can use Time-of-Check-Time-of-Use |
| | (TOCTOU) attack to bypass image authentication |
| | during the boot process** |
| | |
@ -336,33 +348,33 @@ each diagram element of the data flow diagram.
| | after the integrity and authentication check has |
| | been performed. |
+------------------------+-------------------------------------------------------+
| ``Diagram Elements`` | DF1 |
| Diagram Elements | DF1 |
+------------------------+-------------------------------------------------------+
| ``Affected TF-A | BL1, BL2 |
| Components`` | |
| Affected TF-A | BL1, BL2 |
| Components | |
+------------------------+-------------------------------------------------------+
| ``Assets`` | Code Execution, Sensitive Data |
| Assets | Code Execution, Sensitive Data |
+------------------------+-------------------------------------------------------+
| ``Threat Agent`` | PhysicalAccess |
| Threat Agent | PhysicalAccess |
+------------------------+-------------------------------------------------------+
| ``Threat Type`` | Elevation of Privilege |
| Threat Type | Elevation of Privilege |
+------------------------+---------------------+-----------------+---------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+---------------------+-----------------+---------------+
| ``Impact`` | N/A | Critical (5) | Critical (5) |
| Impact | N/A | Critical (5) | Critical (5) |
+------------------------+---------------------+-----------------+---------------+
| ``Likelihood`` | N/A | Medium (3) | Medium (3) |
| Likelihood | N/A | Medium (3) | Medium (3) |
+------------------------+---------------------+-----------------+---------------+
| ``Total Risk Rating`` | N/A | High (15) | High (15) |
| Total Risk Rating | N/A | High (15) | High (15) |
+------------------------+---------------------+-----------------+---------------+
| ``Mitigations`` | | TF-A boot firmware copies image to on-chip |
| Mitigations | | TF-A boot firmware copies image to on-chip |
| | memory before authenticating an image. |
+------------------------+-------------------------------------------------------+
+------------------------+-------------------------------------------------------+
| ID | 04 |
+========================+=======================================================+
| ``Threat`` | | **An attacker with physical access can execute |
| Threat | | **An attacker with physical access can execute |
| | arbitrary image by bypassing the signature |
| | verification stage using glitching techniques** |
| | |
@ -381,26 +393,26 @@ each diagram element of the data flow diagram.
| | points where the image is validated against the |
| | signature. |
+------------------------+-------------------------------------------------------+
| ``Diagram Elements`` | DF1 |
| Diagram Elements | DF1 |
+------------------------+-------------------------------------------------------+
| ``Affected TF-A | BL1, BL2 |
| Components`` | |
| Affected TF-A | BL1, BL2 |
| Components | |
+------------------------+-------------------------------------------------------+
| ``Assets`` | Code Execution |
| Assets | Code Execution |
+------------------------+-------------------------------------------------------+
| ``Threat Agent`` | PhysicalAccess |
| Threat Agent | PhysicalAccess |
+------------------------+-------------------------------------------------------+
| ``Threat Type`` | Tampering, Elevation of Privilege |
| Threat Type | Tampering, Elevation of Privilege |
+------------------------+---------------------+-----------------+---------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+---------------------+-----------------+---------------+
| ``Impact`` | N/A | Critical (5) | Critical (5) |
| Impact | N/A | Critical (5) | Critical (5) |
+------------------------+---------------------+-----------------+---------------+
| ``Likelihood`` | N/A | Medium (3) | Medium (3) |
| Likelihood | N/A | Medium (3) | Medium (3) |
+------------------------+---------------------+-----------------+---------------+
| ``Total Risk Rating`` | N/A | High (15) | High (15) |
| Total Risk Rating | N/A | High (15) | High (15) |
+------------------------+---------------------+-----------------+---------------+
| ``Mitigations`` | | The most effective mitigation is adding glitching |
| Mitigations | | The most effective mitigation is adding glitching |
| | detection and mitigation circuit at the hardware |
| | level. However, software techniques, |
| | such as adding redundant checks when performing |
@ -413,7 +425,7 @@ each diagram element of the data flow diagram.
+------------------------+---------------------------------------------------+
| ID | 05 |
+========================+===================================================+
| ``Threat`` | | **Information leak via UART logs such as |
| Threat | | **Information leak via UART logs such as |
| | crashes** |
| | |
| | | During the development stages of software it is |
@ -426,26 +438,26 @@ each diagram element of the data flow diagram.
| | attacker to develop a working exploit if left |
| | in the production version. |
+------------------------+---------------------------------------------------+
| ``Diagram Elements`` | DF2 |
| Diagram Elements | DF2 |
+------------------------+---------------------------------------------------+
| ``Affected TF-A | BL1, BL2, BL31 |
| Components`` | |
| Affected TF-A | BL1, BL2, BL31 |
| Components | |
+------------------------+---------------------------------------------------+
| ``Assets`` | Sensitive Data |
| Assets | Sensitive Data |
+------------------------+---------------------------------------------------+
| ``Threat Agent`` | AppDebug |
| Threat Agent | AppDebug |
+------------------------+---------------------------------------------------+
| ``Threat Type`` | Information Disclosure |
| Threat Type | Information Disclosure |
+------------------------+------------------+----------------+---------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+------------------+----------------+---------------+
| ``Impact`` | N/A | Low (2) | Low (2) |
| Impact | N/A | Low (2) | Low (2) |
+------------------------+------------------+----------------+---------------+
| ``Likelihood`` | N/A | High (4) | High (4) |
| Likelihood | N/A | High (4) | High (4) |
+------------------------+------------------+----------------+---------------+
| ``Total Risk Rating`` | N/A | Medium (8) | Medium (8) |
| Total Risk Rating | N/A | Medium (8) | Medium (8) |
+------------------------+------------------+----------------+---------------+
| ``Mitigations`` | | In TF-A, crash reporting is only enabled for |
| Mitigations | | In TF-A, crash reporting is only enabled for |
| | debug builds by default. Alternatively, the log |
| | level can be tuned at build time (from verbose |
| | to no output at all), independently of the |
@ -455,7 +467,7 @@ each diagram element of the data flow diagram.
+------------------------+----------------------------------------------------+
| ID | 06 |
+========================+====================================================+
| ``Threat`` | | **An attacker can read sensitive data and |
| Threat | | **An attacker can read sensitive data and |
| | execute arbitrary code through the external |
| | debug and trace interface** |
| | |
@ -468,27 +480,27 @@ each diagram element of the data flow diagram.
| | attacker to read sensitive data and execute |
| | arbitrary code. |
+------------------------+----------------------------------------------------+
| ``Diagram Elements`` | DF3 |
| Diagram Elements | DF3 |
+------------------------+----------------------------------------------------+
| ``Affected TF-A | BL1, BL2, BL31 |
| Components`` | |
| Affected TF-A | BL1, BL2, BL31 |
| Components | |
+------------------------+----------------------------------------------------+
| ``Assets`` | Code Execution, Sensitive Data |
| Assets | Code Execution, Sensitive Data |
+------------------------+----------------------------------------------------+
| ``Threat Agent`` | AppDebug |
| Threat Agent | AppDebug |
+------------------------+----------------------------------------------------+
| ``Threat Type`` | Tampering, Information Disclosure, |
| Threat Type | Tampering, Information Disclosure, |
| | Elevation of privilege |
+------------------------+------------------+---------------+-----------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+------------------+---------------+-----------------+
| ``Impact`` | N/A | High (4) | High (4) |
| Impact | N/A | High (4) | High (4) |
+------------------------+------------------+---------------+-----------------+
| ``Likelihood`` | N/A | Critical (5) | Critical (5) |
| Likelihood | N/A | Critical (5) | Critical (5) |
+------------------------+------------------+---------------+-----------------+
| ``Total Risk Rating`` | N/A | Critical (20) | Critical (20) |
| Total Risk Rating | N/A | Critical (20) | Critical (20) |
+------------------------+------------------+---------------+-----------------+
| ``Mitigations`` | | Configuration of debug and trace capabilities is |
| Mitigations | | Configuration of debug and trace capabilities is |
| | platform specific. Therefore, platforms must |
| | disable the debug and trace capability for |
| | production releases or enable proper debug |
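Review bot: the Threat Type cell in this hunk reads "Elevation of privilege" (lowercase p), whereas threats 01, 04 and 08 in this same file use "Elevation of Privilege"; the capitalisation of the STRIDE category names should be made consistent across the threat tables in a cosmetic series such as this one.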
@ -498,7 +510,7 @@ each diagram element of the data flow diagram.
+------------------------+------------------------------------------------------+
| ID | 07 |
+========================+======================================================+
| ``Threat`` | | **An attacker can perform a denial-of-service |
| Threat | | **An attacker can perform a denial-of-service |
| | attack by using a broken SMC call that causes the |
| | system to reboot or enter into unknown state.** |
| | |
@ -508,26 +520,26 @@ each diagram element of the data flow diagram.
| | by calling unimplemented SMC call or by passing |
| | invalid arguments. |
+------------------------+------------------------------------------------------+
| ``Diagram Elements`` | DF4, DF5 |
| Diagram Elements | DF4, DF5 |
+------------------------+------------------------------------------------------+
| ``Affected TF-A | BL31 |
| Components`` | |
| Affected TF-A | BL31 |
| Components | |
+------------------------+------------------------------------------------------+
| ``Assets`` | Availability |
| Assets | Availability |
+------------------------+------------------------------------------------------+
| ``Threat Agent`` | NSCode, SecCode |
| Threat Agent | NSCode, SecCode |
+------------------------+------------------------------------------------------+
| ``Threat Type`` | Denial of Service |
| Threat Type | Denial of Service |
+------------------------+-------------------+----------------+-----------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+-------------------+----------------+-----------------+
| ``Impact`` | Medium (3) | Medium (3) | Medium (3) |
| Impact | Medium (3) | Medium (3) | Medium (3) |
+------------------------+-------------------+----------------+-----------------+
| ``Likelihood`` | High (4) | High (4) | High (4) |
| Likelihood | High (4) | High (4) | High (4) |
+------------------------+-------------------+----------------+-----------------+
| ``Total Risk Rating`` | High (12) | High (12) | High (12) |
| Total Risk Rating | High (12) | High (12) | High (12) |
+------------------------+-------------------+----------------+-----------------+
| ``Mitigations`` | | The generic TF-A code validates SMC function ids |
| Mitigations | | The generic TF-A code validates SMC function ids |
| | and arguments before using them. |
| | Platforms that implement SiP services must also |
| | validate SMC call arguments. |
@ -536,20 +548,15 @@ each diagram element of the data flow diagram.
+------------------------+------------------------------------------------------+
| ID | 08 |
+========================+======================================================+
| ``Threat`` | | **Memory corruption due to memory overflows and |
| Threat | | **Memory corruption due to memory overflows and |
| | lack of boundary checking when accessing resources |
| | could allow an attacker to execute arbitrary code, |
| | modify some state variable to change the normal |
| | flow of the program, or leak sensitive |
| | information** |
| | |
| | | Like in other software, the Trusted Firmware has |
| | multiple points where memory corruption security |
| | errors can arise. Memory corruption is a dangerous |
| | security issue since it could allow an attacker |
| | to execute arbitrary code, modify some state |
| | variable to change the normal flow of the program, |
| | or leak sensitive information. |
| | | Like in other software, TF-A has multiple points |
| | where memory corruption security errors can arise. |
| | |
| | | Some of the errors include integer overflow, |
| | buffer overflow, incorrect array boundary checks, |
@ -558,27 +565,27 @@ each diagram element of the data flow diagram.
| | validations might also result in these kinds of |
| | errors in release builds. |
+------------------------+------------------------------------------------------+
| ``Diagram Elements`` | DF4, DF5 |
| Diagram Elements | DF4, DF5 |
+------------------------+------------------------------------------------------+
| ``Affected TF-A | BL1, BL2, BL31 |
| Components`` | |
| Affected TF-A | BL1, BL2, BL31 |
| Components | |
+------------------------+------------------------------------------------------+
| ``Assets`` | Code Execution, Sensitive Data |
| Assets | Code Execution, Sensitive Data |
+------------------------+------------------------------------------------------+
| ``Threat Agent`` | NSCode, SecCode |
| Threat Agent | NSCode, SecCode |
+------------------------+------------------------------------------------------+
| ``Threat Type`` | Tampering, Information Disclosure, |
| Threat Type | Tampering, Information Disclosure, |
| | Elevation of Privilege |
+------------------------+-------------------+-----------------+----------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+-------------------+-----------------+----------------+
| ``Impact`` | Critical (5) | Critical (5) | Critical (5) |
| Impact | Critical (5) | Critical (5) | Critical (5) |
+------------------------+-------------------+-----------------+----------------+
| ``Likelihood`` | Medium (3 | Medium (3) | Medium (3) |
| Likelihood | Medium (3 | Medium (3) | Medium (3) |
+------------------------+-------------------+-----------------+----------------+
| ``Total Risk Rating`` | High (15) | High (15) | High (15) |
| Total Risk Rating | High (15) | High (15) | High (15) |
+------------------------+-------------------+-----------------+----------------+
| ``Mitigations`` | | TF-A uses a combination of manual code reviews and |
| Mitigations | | TF-A uses a combination of manual code reviews and |
| | automated program analysis and testing to detect |
| | and fix memory corruption bugs. All TF-A code |
| | including platform code go through manual code |
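Review bot: the Likelihood row of threat 08 has a typo in the Server column, "Medium (3" with the closing parenthesis missing, and it is present in both the removed and the added line, so the change carries the defect forward; suggest "Medium (3)" to match the IoT and Mobile cells on the same row.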
@ -607,7 +614,7 @@ each diagram element of the data flow diagram.
+------------------------+------------------------------------------------------+
| ID | 09 |
+========================+======================================================+
| ``Threat`` | | **Improperly handled SMC calls can leak register |
| Threat | | **Improperly handled SMC calls can leak register |
| | contents** |
| | |
| | | When switching between secure and non-secure |
@ -615,26 +622,26 @@ each diagram element of the data flow diagram.
| | register contents of other normal world clients |
| | can be leaked. |
+------------------------+------------------------------------------------------+
| ``Diagram Elements`` | DF5 |
| Diagram Elements | DF5 |
+------------------------+------------------------------------------------------+
| ``Affected TF-A | BL31 |
| Components`` | |
| Affected TF-A | BL31 |
| Components | |
+------------------------+------------------------------------------------------+
| ``Assets`` | Sensitive Data |
| Assets | Sensitive Data |
+------------------------+------------------------------------------------------+
| ``Threat Agent`` | NSCode |
| Threat Agent | NSCode |
+------------------------+------------------------------------------------------+
| ``Threat Type`` | Information Disclosure |
| Threat Type | Information Disclosure |
+------------------------+-------------------+----------------+-----------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+-------------------+----------------+-----------------+
| ``Impact`` | Medium (3) | Medium (3) | Medium (3) |
| Impact | Medium (3) | Medium (3) | Medium (3) |
+------------------------+-------------------+----------------+-----------------+
| ``Likelihood`` | High (4) | High (4) | High (4) |
| Likelihood | High (4) | High (4) | High (4) |
+------------------------+-------------------+----------------+-----------------+
| ``Total Risk Rating`` | High (12) | High (12) | High (12) |
| Total Risk Rating | High (12) | High (12) | High (12) |
+------------------------+-------------------+----------------+-----------------+
| ``Mitigations`` | | TF-A saves and restores registers |
| Mitigations | | TF-A saves and restores registers |
| | by default when switching contexts. Build options |
| | are also provided to save/restore additional |
| | registers such as floating-point registers. |
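Review bot: the Mitigations cell for threat 09 is incomplete for a reader trying to judge the residual risk. The threat is that register contents of other normal world clients leak across a secure/non-secure switch, and the cell says registers are saved and restored by default with build options for additional ones such as floating-point registers, but it does not say which registers are not covered by default or whether those are cleared before control returns to the normal world. Please add a sentence naming the default-covered set and the behaviour for the rest; without it the High (4) likelihood next to this mitigation cannot be checked against the text.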
@ -643,7 +650,7 @@ each diagram element of the data flow diagram.
+------------------------+-----------------------------------------------------+
| ID | 10 |
+========================+=====================================================+
| ``Threat`` | | **SMC calls can leak sensitive information from |
| Threat | | **SMC calls can leak sensitive information from |
| | TF-A memory via microarchitectural side channels**|
| | |
| | | Microarchitectural side-channel attacks such as |
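Review bot: style nit on the second line of the threat 10 title: `TF-A memory via microarchitectural side channels**|` runs the closing `**` straight into the column border, unlike every other cell in these tables, which keeps a space before the `|`. Rewrap the title (for example break after `via` and carry `microarchitectural side channels**` to a third line) so the cell padding is consistent; the rendered output is unaffected either way, but the source is easier to scan.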
@ -652,26 +659,26 @@ each diagram element of the data flow diagram.
| | use this kind of attack to leak sensitive |
| | data from TF-A memory. |
+------------------------+-----------------------------------------------------+
| ``Diagram Elements`` | DF4, DF5 |
| Diagram Elements | DF4, DF5 |
+------------------------+-----------------------------------------------------+
| ``Affected TF-A | BL31 |
| Components`` | |
| Affected TF-A | BL31 |
| Components | |
+------------------------+-----------------------------------------------------+
| ``Assets`` | Sensitive Data |
| Assets | Sensitive Data |
+------------------------+-----------------------------------------------------+
| ``Threat Agent`` | SecCode, NSCode |
| Threat Agent | SecCode, NSCode |
+------------------------+-----------------------------------------------------+
| ``Threat Type`` | Information Disclosure |
| Threat Type | Information Disclosure |
+------------------------+-------------------+----------------+----------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+-------------------+----------------+----------------+
| ``Impact`` | Medium (3) | Medium (3) | Medium (3) |
| Impact | Medium (3) | Medium (3) | Medium (3) |
+------------------------+-------------------+----------------+----------------+
| ``Likelihood`` | Medium (3) | Medium (3) | Medium (3) |
| Likelihood | Medium (3) | Medium (3) | Medium (3) |
+------------------------+-------------------+----------------+----------------+
| ``Total Risk Rating`` | Medium (9) | Medium (9) | Medium (9) |
| Total Risk Rating | Medium (9) | Medium (9) | Medium (9) |
+------------------------+-------------------+----------------+----------------+
| ``Mitigations`` | | TF-A implements software mitigations for Spectre |
| Mitigations | | TF-A implements software mitigations for Spectre |
| | type attacks as recommended by `Cache Speculation |
| | Side-channels`_ for the generic code. SiPs should |
| | implement similar mitigations for code that is |
@ -681,7 +688,7 @@ each diagram element of the data flow diagram.
+------------------------+----------------------------------------------------+
| ID | 11 |
+========================+====================================================+
| ``Threat`` | | **Misconfiguration of the Memory Management Unit |
| Threat | | **Misconfiguration of the Memory Management Unit |
| | (MMU) may allow a normal world software to |
| | access sensitive data or execute arbitrary |
| | code** |
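Review bot: wording in the threat 11 title: `(MMU) may allow a normal world software to` should read `(MMU) may allow normal world software to`; "software" is uncountable, so the article is wrong. The line is unchanged context in this hunk, but the title is the one line of each entry that gets quoted elsewhere, so it is worth fixing while the table is being touched.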
@ -692,26 +699,26 @@ each diagram element of the data flow diagram.
| | execute code if the proper security mechanisms |
| | are not in place. |
+------------------------+----------------------------------------------------+
| ``Diagram Elements`` | DF5, DF6 |
| Diagram Elements | DF5, DF6 |
+------------------------+----------------------------------------------------+
| ``Affected TF-A | BL1, BL2, BL31 |
| Components`` | |
| Affected TF-A | BL1, BL2, BL31 |
| Components | |
+------------------------+----------------------------------------------------+
| ``Assets`` | Sensitive Data, Code execution |
| Assets | Sensitive Data, Code execution |
+------------------------+----------------------------------------------------+
| ``Threat Agent`` | NSCode |
| Threat Agent | NSCode |
+------------------------+----------------------------------------------------+
| ``Threat Type`` | Information Disclosure, Elevation of Privilege |
| Threat Type | Information Disclosure, Elevation of Privilege |
+------------------------+-----------------+-----------------+----------------+
| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` |
| Application | Server | IoT | Mobile |
+------------------------+-----------------+-----------------+----------------+
| ``Impact`` | Critical (5) | Critical (5) | Critical (5) |
| Impact | Critical (5) | Critical (5) | Critical (5) |
+------------------------+-----------------+-----------------+----------------+
| ``Likelihood`` | High (4) | High (4) | High (4) |
| Likelihood | High (4) | High (4) | High (4) |
+------------------------+-----------------+-----------------+----------------+
| ``Total Risk Rating`` | Critical (20) | Critical (20) | Critical (20) |
| Total Risk Rating | Critical (20) | Critical (20) | Critical (20) |
+------------------------+-----------------+-----------------+----------------+
| ``Mitigations`` | | In TF-A, configuration of the MMU is done |
| Mitigations | | In TF-A, configuration of the MMU is done |
| | through a translation tables library. The |
| | library provides APIs to define memory regions |
| | and assign attributes including memory types and |
@ -729,7 +736,7 @@ each diagram element of the data flow diagram.
+------------------------+-----------------------------------------------------+
| ID | 12 |
+========================+=====================================================+
| ``Threat`` | | **Incorrect configuration of Performance Monitor |
| Threat | | **Incorrect configuration of Performance Monitor |
| | Unit (PMU) counters can allow an attacker to |
| | mount side-channel attacks using information |
| | exposed by the counters** |
@ -741,24 +748,24 @@ each diagram element of the data flow diagram.
| | software) to potentially carry out |
| | side-channel timing attacks against TF-A. |
+------------------------+-----------------------------------------------------+
| ``Diagram Elements`` | DF5, DF6 |
| Diagram Elements | DF5, DF6 |
+------------------------+-----------------------------------------------------+
| ``Affected TF-A | BL31 |
| Components`` | |
| Affected TF-A | BL31 |
| Components | |
+------------------------+-----------------------------------------------------+
| ``Assets`` | Sensitive Data |
| Assets | Sensitive Data |
+------------------------+-----------------------------------------------------+
| ``Threat Agent`` | NSCode |
| Threat Agent | NSCode |
+------------------------+-----------------------------------------------------+
| ``Threat Type`` | Information Disclosure |
| Threat Type | Information Disclosure |
+------------------------+-------------------+----------------+----------------+
| ``Impact`` | Medium (3) | Medium (3) | Medium (3) |
| Impact | Medium (3) | Medium (3) | Medium (3) |
+------------------------+-------------------+----------------+----------------+
| ``Likelihood`` | Low (2) | Low (2) | Low (2) |
| Likelihood | Low (2) | Low (2) | Low (2) |
+------------------------+-------------------+----------------+----------------+
| ``Total Risk Rating`` | Medium (6) | Medium (6) | Medium (6) |
| Total Risk Rating | Medium (6) | Medium (6) | Medium (6) |
+------------------------+-------------------+----------------+----------------+
| ``Mitigations`` | | TF-A follows mitigation strategies as described |
| Mitigations | | TF-A follows mitigation strategies as described |
| | in `Secure Development Guidelines`_. General |
| | events and cycle counting in the Secure world is |
| | prohibited by default when applicable. However, |
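Review bot: the threat 12 table is missing the `Application | Server | IoT | Mobile` header row between the Threat Type separator and the Impact row, which threats 09, 10 and 11 all carry, so its three rating columns are unlabelled. The column widths here match the threat 10 table, so the row can be copied as is: `| Application            | Server            | IoT            | Mobile         |` followed by the existing `+------------------------+-------------------+----------------+----------------+` separator. Separately, in the Mitigations cell, `General events and cycle counting in the Secure world is prohibited` has a plural subject and should read `are prohibited`.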
@ -774,7 +781,7 @@ each diagram element of the data flow diagram.
--------------
*Copyright (c) 2021, Arm Limited. All rights reserved.*
*Copyright (c) 2021-2022, Arm Limited. All rights reserved.*
.. _STRIDE threat analysis technique: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model