ARM v8.5-A adds Branch Target Indicators for new security

Security: Limiting Exploits

Once an attacker has found a vulnerability to exploit, their next aim is to execute code to gain control of the machine they have accessed. Techniques used include ROP and JOP Attacks (Return- and Jump-Oriented Programming). These techniques find small sections (called gadgets) of vulnerable programs that chain together to run the code the attacker wants. These methods work because the architecture puts no restrictions on where code can branch to, or where branches can have come from. This enables attackers to use small snippets of functions, which do what they want.

In Armv8.3-A, we introduced the Pointer Authentication feature, which can be used to ensure functions return to the location expected by the program.

In Armv8.5-A, we introduce Branch Target Indicators (BTI). Systems supporting BTI can enforce that indirect branches only go to code locations where the instruction is one of a small acceptable list. This reduces the ability of an attacker to execute arbitrary code.

These two features work together to significantly reduce the number of gadgets available to an attacker. The gadgets that remain available are large in size, making it much harder for an attacker to make a viable exploit, even if they find a vulnerability that lets them gain access to a machine.

ARM Research Summit

The third-annual Arm Research Summit – an academic summit to discuss future trends and disruptive technologies across all sectors of computing – will be returning to Cambridge, UK on 17-19 September 2018.


ARM pulls RISC-V web site?



it appears ARM pulled the site. I can’t see this site anymore:

But the Wayback Machine appears to have made a snapshot:

DIY Root of Trust using ARM Trusted Firmware on the 96Boards Hikey

This is a series of notes designed to be a walkthrough on how to configure the HiKey Kirin 620 to boot securely with ARM Trusted Firmware’s Trusted Board Boot. This does not use any proprietary settings or vendor-specific details about the SoC. Instead, the secure boot path relies on the SoC’s BOOT_SEL configured to boot solely from the eMMC. With this configuration there should be no way to interrupt or bypass the root of trust via runtime changes.[…]

ARM v8.4A spec: online HTML as well as PDF

mbed: Firmware updates for IoT and IETF SUIT Hackathon

See below blog for a few links to new projects.

Improving firmware updates for Internet of Things devices – the IETF SUIT Hackathon in Berlin/Germany
Last updated about 13 hours ago, by Hannes Tschofenig. Arm Research, hackathon

IoT devices commonly require security patches and updates to protect against known vulnerabilities. In this blog post Hannes Tschofenig highlights a recently-launched standardization effort in the Internet Engineering Task Force (IETF): the “Software Updates group for Internet of Things (SUIT)” working group. The report shares experiences from a Hackathon in Berlin, where several working group members met to work on code for firmware updates.

Working Group Formation and IETF London Hackathon

The Internet Engineering Task Force (IETF) met in London from March 17th – 23rd for the first face-to-face meeting of the IETF Software Updates group for Internet of Things (SUIT). The SUIT working group is chartered to develop firmware update solutions that can be implemented into Internet of Things (IoT) devices, especially microcontrollers with limited RAM and flash memory, such as 10 KiB RAM and 100 KiB flash. The focus of the group is simple: since many IoT devices require software updates to fix security vulnerabilities, the group will develop and standardize a secure approach to these updates. For IoT devices, this software update often comes in the form of a monolithic block, where the entire codebase running on the device, i.e. the firmware, is replaced in one shot.[…]



QuarksLab: intro to TEE: ARM’s TrustZone

[…]This starts a series of two blogposts discussing hardware technologies that can be used to support TEE implementations:
* TrustZone from ARM
* SGX from Intel
As suggested by the title, this blogpost tells you more about TrustZone.[…]


Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications

Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications
Schulz, Matthias
Ph.D. Thesis

Smartphones come with a variety of sensors and communication interfaces, which make them perfect candidates for mobile communication testbeds. Nevertheless, proprietary firmwares hinder us from accessing the full capabilities of the underlying hardware platform which impedes innovation. Focusing on FullMAC Wi-Fi chips, we present Nexmon, a C-based firmware modification framework. It gives access to raw Wi-Fi frames and advanced capabilities that we found by reverse engineering chips and their firmware. As firmware modifications pose security risks, we discuss how to secure firmware handling without impeding experimentation on Wi-Fi chips. To present and evaluate our findings in the field, we developed the following applications. We start by presenting a ping-offloading application that handles ping requests in the firmware instead of the operating system. It significantly reduces energy consumption and processing delays. Then, we present a software-defined wireless networking application that enhances scalable video streaming by setting flow-based requirements on physical-layer parameters. As security application, we present a reactive Wi-Fi jammer that analyses incoming frames during reception and transmits arbitrary jamming waveforms by operating Wi-Fi chips as software-defined radios (SDRs). We further introduce an acknowledging jammer to ensure the flow of non-targeted frames and an adaptive power-control jammer to adjust transmission powers based on measured jamming successes. Additionally, we discovered how to extract channel state information (CSI) on a per-frame basis. Using both SDR and CSI-extraction capabilities, we present a physical-layer covert channel. It hides covert symbols in phase changes of selected OFDM subcarriers. Those manipulations can be extracted from CSI measurements at a receiver. To ease the analysis of firmware binaries, we created a debugging application that supports single stepping and runs as firmware patch on the Wi-Fi chip. We published the source code of our framework and our applications to ensure reproducibility of our results and to enable other researchers to extend our work. Our framework and the applications emphasize the need for freely modifiable firmware and detailed hardware documentation to create novel and exciting applications on commercial off-the-shelf devices.

Pyra (Debian-based gaming console) needs kernel ARM/OMAP experts

Pyra needs help by kernel and low-level ARM/OMAP experts

W. Martin Borgert posted a message to the Debian kernel/ARM lists, about soliciting kernel dev help for a Debian-based gaming console, successor to OpenPandora.

Borgert quote:

I just read this post by Pyra project leader Michael Mrozek a.k.a. “Evil Dragon”. (Pyra is planned to be a Debian based gaming console, successor of OpenPandora.) They need help by kernel devs and folks who know OMAP etc. Maybe somebody here can help them? There even might be some money in it. No doubt about fame and fun, though!

Evil Dragon quote:

[…]This brings up another important point: Kernel developers! There’s still quite a few things which should be done before the release. We don’t have proper powersaving, the TILER implementation needs to be tidied up, 3D is not yet implemented, Audio needs a better setup, etc. It seems there are less and less kernel developers having the time to work on such things in their spare time. That’s why I decided to hire freelancers to help out as well![…]I know we’ve got quite a lot of OpenSource fans around here. Maybe some know some good kernel developers, who are able to include and improve hardware support and fix various issues. We can provide a test unit as well as the needed datasheets – but it needs someone who is capable of debugging and fixing low-level things.[…]


Azeria Labs releases new ARM cheat sheet poster

ARM64JSON: AArch64 instructions encoded in JSON


The repository contains ARM64 (AArch64) instruction encoding in a machine-readable JSON:

* ISA_v83A_A64_xml_00bet6_instructions.json contains encoding of every instruction, including ARM64v2/v3 extensions.

* ISA_v83A_A64_xml_00bet6_group_class.json contains hierarchical encoding ARM64 top level -> Instruction group (e.g. “Data Processing — Immediate”) -> Instruction class (e.g. “Add/subtract (immediate)”). No instruction encodings in this file.

The simple and easyly-organised JSON data was extracted from a machine-readable ARM64 specs. A64 ISA XML for Armv8.3 ver. 00bet6.1 released by ARM.



Linaro Connect Vancouver BC: CfP open


Call for Proposals: opened 8 May 2018
Deadline to submit proposals: ends 23 July 2018

PS: Resources from last Linaro Connect: