



MAY 11-12

---

BRIEFINGS

# Hand Me Your SECRET, MCU!

## Microarchitectural Timing Attacks on Microcontrollers are Practical

Cristiano Rodrigues | Sandro Pinto, PhD

(Centro ALGORITMI / LASI, Universidade do Minho)

# Hand Me Your SECRET, MCU!

## Microarchitectural Timing Attacks on Microcontrollers are Practical

Cristiano Rodrigues | Sandro Pinto, PhD

(Centro ALGORITMI / LASI, Universidade do Minho)



# Microarchitectural **SIDE-CHANNEL** Attacks





# Microarchitectural SIDE-CHANNELS

Servers, PCs, Mobile



intel.

AMD

arm



# Microarchitectural SIDE-CHANNELS

## Servers, PCs, Mobile



intel.

AMD

arm



# Microarchitectural SIDE-CHANNELS

## Servers, PCs, Mobile



intel.

AMD

arm



# Microarchitectural SIDE-CHANNELS

## Servers, PCs, Mobile



intel.

AMD

arm

# Microcontrollers



arm



# Research Question

*Which unique microarchitectural elements on MCUs may create new channels, and how can they be used to mount effective attacks?*





# Novel Channel

## BUS Interconnect



# BUS Interconnect

## Arbitration logic



# Hardware Gadgets

## Novel Concept



# Hardware Gadgets

## Smart Gadget Network

**BUSTed**  
Attack



TrustZone for Cortex-M

# BUSTed Attack

arm  
CORTEX®-M23



arm  
CORTEX®-M33



# AGENDA

01

## Introduction

Motivation and Side-Channels “101”

02

## Hidden Threat

Novel Side-Channel Source: MCU Bus Interconnect

03

## “Toy” Example

Basic Attack Example

04

## BUSTed Attack

Microarchitectural Side-Channel Attacks on MCUs

05

## “Live” Demo

Demo of BUSTed Attack

06

## Summary

Responsible Disclosure and BH Sound Bytes

# Introduction

Motivation and Side-Channels “101”







“RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis” by Daniel Genkin



# Lamphone Lightbulb Spies



MELTDOWN



SPECTRE

# TIMING DIFFERENCES





# Microarchitectural Attacks



# Microarchitectural Attacks





# APUs



Servers



Mobile

# MCUs



Drones



Wearables

---

PCs



Appliances



Hardware Wallets



# Computing spectrum

# APUs

Microcontroller unit (MCU) shipments forecast worldwide from 2021 to 2027 (in millions)

Microcontroller unit (MCU) shipments forecast 2021-2027



Description: In 2021, the microcontroller unit (MCU) shipments in 2021 amounted to some 28 billion units, a 3.6 percent increase from 2020. MCU market revenue worldwide was valued at approximately 20.5 billion U.S. dollars, a 24 percent increase from the previous year. Read more  
Note: Worldwide; 2019 to 2021; \*Forecast. Read more  
Source: Various publications

Computing  
spectrum

# MCUs



Drones



Wearables



Appliances



Hardware Wallets

# APUs

Microcontroller unit (MCU) shipments forecast worldwide from 2021 to 2027 (in millions)

Microcontroller unit (MCU) shipments forecast 2021-2027

## Shipments 2022 – 29 billions



Computing  
spectrum



# MCUs



Drones



Wearables



Appliances



Hardware Wallets





Intel Skylake Microarchitecture

Arm Cortex-M33 Microarchitecture



# Arm Cortex-M33 Microarchitecture



[1] - Meltdown: Reading Kernel Memory from User Space

[2] - Arm Cortex-M33 Processor Datasheet

- L1-1



- L1-I
- L1-D



- L1-I
- L1-D
- L2



- L1-I
- L1-D
- L2
- TLBs



- L1-I
- L1-D
- L2
- TLBs
- BP



- L1-I
- L1-D
- L2
- TLBs
- BP
- OoO



- L1-I
- L1-D
- L2
- TLBs
- BP
- OoO



- L1-I
- L1-D
- L2
- TLBs
- BP
- OoO



- Fetch

[1] - Meltdown: Reading Kernel Memory from User Space

[2] - Arm Cortex-M33 Processor Datasheet

- L1-I
- L1-D
- L2
- TLBs
- BP
- OoO



- Fetch
- Decode

- L1-I
- L1-D
- L2
- TLBs
- BP
- OoO



- Fetch
- Decode
- Execute

# Microcontrollers



arm



# Hidden Threat

Novel Side-Channel Source: MCU Bus Interconnect

# MCU Bus Interconnect as a Threat



# MCU Bus Interconnect as a Threat



# MCU Bus Interconnect as a Threat



# MCU Bus Interconnect as a Threat



# MCU Bus Interconnect as a Threat



# MCU Bus Interconnect as a Threat



# MCU Bus Interconnect as a Threat



# MCU Bus Interconnect as a Threat



# MCU Bus Interconnect as a Threat



**STM32L073 (M0+)**

**STM32L552 (M33)**

**STM32L412 (M4)**

**STM32L767 (M7)**



**STM32L552 (M33)**

**STM32L412 (M4)**

**STM32L767 (M7)**



**STM32L412 (M4)**



**STM32L767 (M7)**



**STM32L767 (M7)**



# MCU Channels



# APU Channels

Skylake TLB Channel



Arm Cortex-A9 L1-I Channel



# “Toy” Attack

Basic Attack Example

# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – The Basics



# Attack Overview – Toy Example



# Attack Overview – Toy Example



# Attack Overview – Toy Example



# Attack Overview – Toy Example



# Attack Overview – Toy Example



# Attack Overview – Toy Example



# Attack Overview – Toy Example



# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |



# Attack Overview – Toy Example



|       |       |              |                          |
|-------|-------|--------------|--------------------------|
|       | cmp   | r3, #0       | 1 clk                    |
|       | beq.n | ELSE         | 3 clk (else), 1 clk (if) |
| IF:   | movs  | r3, #1       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
|       | b.n   | END          | 2 clk                    |
| ELSE: | movs  | r3, #0       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
| END:  | nop   |              | 1 clk                    |



# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |



# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp | beq | movs |     |     |     |     |
| Trace | --- | --- | ---  |     |     |     |     |

  

|       |  |  |  |  |  |  |  |
|-------|--|--|--|--|--|--|--|
| Else  |  |  |  |  |  |  |  |
| Trace |  |  |  |  |  |  |  |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp | beq | movs | str |     |     |     |
| Trace | --- | --- | ---  | X   |     |     |     |

  

|       |  |  |  |  |  |  |  |
|-------|--|--|--|--|--|--|--|
| Else  |  |  |  |  |  |  |  |
| Trace |  |  |  |  |  |  |  |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp | beq | movs | str | b   |     |     |
| Trace | --- | --- | ---  | X   | --- |     |     |

  

|       |  |  |  |  |  |  |  |
|-------|--|--|--|--|--|--|--|
| Else  |  |  |  |  |  |  |  |
| Trace |  |  |  |  |  |  |  |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp | beq | movs | str | b   | b   |     |
| Trace | --- | --- | ---  | X   | --- | --- |     |

  

|       |  |  |  |  |  |  |  |
|-------|--|--|--|--|--|--|--|
| Else  |  |  |  |  |  |  |  |
| Trace |  |  |  |  |  |  |  |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp | beq | movs | str | b   | b   | nop |
| Trace | --- | --- | ---  | X   | --- | --- | --- |

  

|       |  |  |  |  |  |  |  |
|-------|--|--|--|--|--|--|--|
| Else  |  |  |  |  |  |  |  |
| Trace |  |  |  |  |  |  |  |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp | beq | movs | str | b   | b   | nop |
| Trace | --- | --- | ---  | X   | --- | --- | --- |
| Else  |     |     |      |     |     |     |     |
| Trace |     |     |      |     |     |     |     |

# Attack Overview – Toy Example



|       |       |              |                          |
|-------|-------|--------------|--------------------------|
|       | cmp   | r3, #0       | 1 clk                    |
|       | beq.n | ELSE         | 3 clk (else), 1 clk (if) |
| IF:   | movs  | r3, #1       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
|       | b.n   | END          | 2 clk                    |
| ELSE: | movs  | r3, #0       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
| END:  | nop   |              | 1 clk                    |

|       | Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp   | beq |     | movs | str | b   | b   | nop |
| Trace | ---   | --- | --- |      | X   | --- | --- | --- |
| Else  | cmp   |     |     |      |     |     |     |     |
| Trace | ---   |     |     |      |     |     |     |     |

# Attack Overview – Toy Example



|       |       |              |                          |
|-------|-------|--------------|--------------------------|
|       | cmp   | r3, #0       | 1 clk                    |
|       | beq.n | ELSE         | 3 clk (else), 1 clk (if) |
| IF:   | movs  | r3, #1       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
|       | b.n   | END          | 2 clk                    |
| ELSE: | movs  | r3, #0       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
| END:  | nop   |              | 1 clk                    |

|       | Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp   | beq |     | movs | str | b   | b   | nop |
| Trace | ---   | --- | --- |      | X   | --- | --- | --- |
| Else  | cmp   |     |     |      |     |     |     |     |
| Trace | ---   |     |     |      |     |     |     |     |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

|       | Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp   | beq |     | movs | str | b   | b   | nop |
| Trace | ---   | --- | --- |      | X   | --- | --- | --- |
| Else  | cmp   | beq |     |      |     |     |     |     |
| Trace | ---   | --- |     |      |     |     |     |     |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp | beq | movs | str | b   | b   | nop |
| Trace | --- | --- | ---  | X   | --- | --- | --- |
| Else  | cmp | beq | beq  |     |     |     |     |
| Trace | --- | --- | ---  |     |     |     |     |

# Attack Overview – Toy Example



|       |       |              |                          |
|-------|-------|--------------|--------------------------|
|       | cmp   | r3, #0       | 1 clk                    |
|       | beq.n | ELSE         | 3 clk (else), 1 clk (if) |
| IF:   | movs  | r3, #1       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
|       | b.n   | END          | 2 clk                    |
| ELSE: | movs  | r3, #0       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
| END:  | nop   |              | 1 clk                    |

|       | Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp   | beq |     | movs | str | b   | b   | nop |
| Trace | ---   | --- | --- |      | X   | --- | --- | --- |
| Else  | cmp   | beq | beq | beq  |     |     |     |     |
| Trace | ---   | --- | --- | ---  |     |     |     |     |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4  | t+5 | t+6 |
|-------|-----|-----|------|-----|------|-----|-----|
| If    | cmp | beq | movs | str | b    | b   | nop |
| Trace | --- | --- | ---  | X   | ---  | --- | --- |
| Else  | cmp | beq | beq  | beq | movs |     |     |
| Trace | --- | --- | ---  | --- | ---  | --- | --- |

# Attack Overview – Toy Example



|       |       |              |                          |
|-------|-------|--------------|--------------------------|
|       | cmp   | r3, #0       | 1 clk                    |
|       | beq.n | ELSE         | 3 clk (else), 1 clk (if) |
| IF:   | movs  | r3, #1       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
|       | b.n   | END          | 2 clk                    |
| ELSE: | movs  | r3, #0       | 1 clk                    |
|       | str   | r3, [r7, #0] | 1 clk                    |
| END:  | nop   |              | 1 clk                    |

| Clock | t   | t+1 | t+2  | t+3 | t+4  | t+5 | t+6 |
|-------|-----|-----|------|-----|------|-----|-----|
| If    | cmp | beq | movs | str | b    | b   | nop |
| Trace | --- | --- | ---  | X   | ---  | --- | --- |
| Else  | cmp | beq | beq  | beq | movs | str |     |
| Trace | --- | --- | ---  | --- | ---  | X   |     |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

|       | Clock | t   | t+1 | t+2  | t+3  | t+4 | t+5 | t+6 |
|-------|-------|-----|-----|------|------|-----|-----|-----|
| If    | cmp   | beq |     | movs | str  | b   | b   | nop |
| Trace | ---   | --- | --- |      | X    | --- | --- | --- |
| Else  | cmp   | beq | beq | beq  | movs | str | nop |     |
| Trace | ---   | --- | --- | ---  | ---  | X   | --- | --- |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

|       | Clock | t   | t+1 | t+2  | t+3  | t+4 | t+5 | t+6 |
|-------|-------|-----|-----|------|------|-----|-----|-----|
| If    | cmp   | beq |     | movs | str  | b   | b   | nop |
| Trace | ---   | --- | --- |      | X    | --- | --- | --- |
| Else  | cmp   | beq | beq | beq  | movs | str | nop |     |
| Trace | ---   | --- | --- | ---  |      | X   | --- | --- |

# Attack Overview – Toy Example



|       |                  |                          |
|-------|------------------|--------------------------|
|       | cmp r3, #0       | 1 clk                    |
|       | beq.n ELSE       | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
|       | b.n END          | 2 clk                    |
| ELSE: | movs r3, #0      | 1 clk                    |
|       | str r3, [r7, #0] | 1 clk                    |
| END:  | nop              | 1 clk                    |

A timing diagram showing the execution of the code across six clock cycles (t to t+5) and a final cycle (t+6). The diagram is divided into two main sections: 'If' and 'Else'. In the 'If' section, at clock t+3, a 'beq' instruction is highlighted in red. At clock t+4, a 'str' instruction follows. In the 'Else' section, at clock t+3, another 'beq' instruction is highlighted in red. At clock t+4, a 'movs' instruction follows. Both the 'beq' and 'str' instructions in the 'If' section are marked with a red 'X' in the 'Trace' row. Similarly, the 'beq' and 'movs' instructions in the 'Else' section are also marked with a red 'X' in their respective 'Trace' rows. A magnifying glass icon and a spy icon are positioned above the diagram, indicating the analysis process.

| Clock | t   | t+1 | t+2  | t+3 | t+4 | t+5 | t+6 |
|-------|-----|-----|------|-----|-----|-----|-----|
| If    | cmp | beq | movs | str | b   | b   | nop |
| Trace | --- | --- | ---  | X   | --- | --- | --- |

  

| Clock | t   | t+1 | t+2 | t+3 | t+4  | t+5 | t+6 |
|-------|-----|-----|-----|-----|------|-----|-----|
| Else  | cmp | beq | beq | beq | movs | str | nop |
| Trace | --- | --- | --- | --- | ---  | X   | --- |

# Attack Overview – Toy Example



|                                                | Code            | Timing                   |       |
|------------------------------------------------|-----------------|--------------------------|-------|
| IF:                                            | cmp r3, #0      | 1 clk                    |       |
|                                                | beq.n ELSE      | 3 clk (else), 1 clk (if) |       |
|                                                | movs r3, #1     | 1 clk                    |       |
|                                                | str r3 [r7 #01] | 1 clk                    |       |
|                                                | b.r             | 2 clk                    |       |
|                                                | ELSE:           | movs r3, #0              | 1 clk |
|                                                |                 | str r3 [r7 #00]          | 1 clk |
| nop                                            |                 | 1 clk                    |       |
| <b>if(s==1)<br/>var=1;<br/>else<br/>var=0;</b> |                 |                          |       |



# Attack Overview – Toy Example



|       |                 |                          |
|-------|-----------------|--------------------------|
|       | cmp r3, #0      | 1 clk                    |
|       | beq.n ELSE      | 3 clk (else), 1 clk (if) |
| IF:   | movs r3, #1     | 1 clk                    |
|       | str r3 [r7 #01] | 1 clk                    |
|       | b.r             | 2 clk                    |
| ELSE: | movs r3, #0     | 1 clk                    |
|       | str r3 [r7 #00] | 1 clk                    |
| END:  | nop             | 1 clk                    |

A callout box highlights the conditional branch logic:

```
if(S==1)
    var=1;
else
    var=0;
```

The timing diagram shows the execution flow between two traces: 'If' and 'Else'. The columns represent time steps from t to t+6. The 'If' trace (top) and 'Else' trace (bottom) both start with a 'cmp' instruction at t. At t+1, the 'If' trace executes a 'beq' instruction, while the 'Else' trace continues with a '---'. At t+2, the 'If' trace executes a 'movs' instruction, and the 'Else' trace continues with a '---'. At t+3, the 'If' trace executes a 'str' instruction, and the 'Else' trace also executes a 'str' instruction. Both traces then continue with 'b' and 'nop' instructions. Red boxes highlight the t+3 column, and arrows indicate the flow from the 'If' trace to the 'Else' trace at this point.

**SECRET = 1**

# BUSTed

Microarchitectural Side-Channel Attacks on MCUs





















Cortex-M



















# Challenges



# Challenges

Spy



# Challenges

Spy



Victim



Spy      Victim



# Challenges

Spy



Victim



Spy



# Challenges

Spy



Victim



Spy



No Difference



# Challenges

Spy



Victim



Spy



No Difference



# Challenges

**C1 - The bus is a stateless component;**



No Difference



# Challenges



# Challenges



Dual-Core, Spy Always Executing

# Challenges



Always Spying

# Challenges



# Challenges



# Challenges



# Challenges



# Challenges



# Challenges



Different States



# Challenges



Single-Core MCU!!!



# Challenges

C1 - The bus is a stateless component;



Single-Core MCU!!!



# Challenges

C1 - The bus is a stateless component;

C2 - No concurrent execution between Spy and Victim (single-core);



Single-Core MCU!!!



# Challenges

**C1** - The bus is a stateless component;

**C2** - No concurrent execution between Spy and Victim (single-core);

**C3** - Victim execution cannot be interrupted;



Single-Core MCU!!!



# Challenges

- C1 - The bus is a stateless component;
- C2 - No concurrent execution between Spy and Victim (single-core);
- C3 - Victim execution cannot be interrupted;
- C4 - Spy only has one chance to steal the secret.

Single-Core MCU!!!





# Solution



Single-Core MCU!!!

# Solution



Single-Core MCU!!!

# Solution



Single-Core MCU!!!

# Solution



MCUs Have a lot of Peripherals!!

# Solution



Group Some Peripherals!!

# Solution



Interconnect the Peripherals!!

# Solution



Voilà!!! Hardware Gadgets!

# Solution

Spy



Spy



Spy



Always Spying

# Solution

Spy



Spy



Spy



Always Spying

# Solution

Spy



Spy



Spy



Always Spying

# Solution

Spy



Spy



Spy



Different States



# Challenges

- C1** - The bus is a stateless component;
- C2** - No concurrent execution between Spy and Victim (single-core);
- C3** - Victim execution cannot be interrupted;
- C4** - Spy only has one chance to steal the secret.

# Challenges

- ✓ C1 - The bus is a stateless component;
- ✓ C2 - No concurrent execution between Spy and Victim (single-core);
- ✓ C3 - Victim execution cannot be interrupted;
- ✓ C4 - Spy only has one chance to steal the secret.

# Hardware Gadgets



# Hardware Gadgets



# Hardware Gadgets



# Hardware Gadgets



# Hardware Gadgets



# Hardware Gadgets



Contention  
Threshold

# Hardware Gadgets



Normal Operation



Contention  
Threshold

# Hardware Gadgets



Normal Operation



# Hardware Gadgets



Normal Operation



# Hardware Gadgets

Normal Operation



Transfer  
Latency

# Hardware Gadgets



# Hardware Gadgets



# Hardware Gadgets



CONTENTION!!



# Hardware Gadgets



CONTENTION!!



# Hardware Gadgets



CONTENTION!!



Transfer  
Latency

# Hardware Gadgets



CONTENTION!!



# Hardware Gadgets



CONTENTION!!



Interrupt  
(Detection)

# BUSted Attack



# BUSted Attack



```
signed int read_keypad(void){  
    int is_pressed, mask = 0x1;  
    int new_key_state = get_keypad_state();  
    for (int key = 0; key < KYPD_NB_KEYS; key++){  
        is_pressed = (new_key_state & mask) & ~key_state & mask);  
        if (is_pressed)  
            pin[pin_idx++] = key;  
        else  
            dummy_pin[dummy_pin_idx++] = key;  
        dummy_pin_idx = 0;  
        mask <<= 1;  
    }  
    key_state = new_key_state;  
    return (4 - pin_idx);  
}  
void read_pin(){  
    signed int pin_len = PIN_LEN;  
    while(pin_len>0)  
        pin_len = read_keypad();  
}
```

Code based in Sancus and Texas Reference Implementation of a Keypad [1,2]

[1] [https://github.com/sancus-tee/vulcan/blob/master/demo/ecu-tcs/sm\\_tcs\\_kypd.c](https://github.com/sancus-tee/vulcan/blob/master/demo/ecu-tcs/sm_tcs_kypd.c)

[2] Implementing An Ultra-Low-Power Keypad Interface With MSP430™ MCUs

# BUSted Attack



```
signed int read_keypad(void){  
    int is_pressed, mask = 0x1;  
    int new_key_state = get_keypad_state();  
    for (int key = 0; key < KYPD_NB_KEYS; key++){  
        is_pressed = (new_key_state & mask) & ~(key_state & mask);  
        if (is_pressed)  
            pin[pin_idx++] = key;  
        else  
            dummy_pin[dummy_pin_idx++] = key;  
        dummy_pin_idx = 0;  
        mask <<= 1;  
    }  
    key_state = new_key_state;  
    return (4 - pin_idx);  
}  
  
void read_pin(){  
    signed int pin_len = PIN_LEN;  
    while(pin_len>0)  
        pin_len = read_keypad();  
}
```

Code based in Sancus and Texas Reference Implementation of a Keypad [1,2]

Annotations on the right side of the code:

- read key (grey box)
- if branch (leak) (pink box)
- else branch (grey box)
- for loop (grey box)
- while loop (grey box)

[1] [https://github.com/sancus-tee/vulcan/blob/master/demo/ecu-tcs/sm\\_tcs\\_kypd.c](https://github.com/sancus-tee/vulcan/blob/master/demo/ecu-tcs/sm_tcs_kypd.c)

[2] Implementing An Ultra-Low-Power Keypad Interface With MSP430™ MCUs

# BUSted Profiling



# BUSTed Profiling



# BUSTed Profiling



# BUSTed Profiling



# BUSted Profiling



# BUSted Profiling



# BUSted Profiling



# BUSted Profiling



# BUSTed Profiling



# BUSTed Profiling



# BUSTed Profiling



# BUSted Exploitation



# BUSted Exploitation



# BUSted Exploitation



# BUSted Exploitation



# BUSTed Exploitation



# BUSted Exploitation



# “Live” Demo

Demo of BUSted Attack

# Under the hood



# “Live” Demo

```
[INF] Starting bootloader
[INF] Swap type: none
[INF] Swap type: none
[INF] Bootloader chainload address offset: 0x13000
[INF] Jumping to the first image slot
[Sec Thread] Secure image initializing!
TF-M isolation level is: 0x00000002
Booting TFM v1.4.0
Non-Secure system starting

Jumping to S World
*****
Entering Read Keypad Secure Service
4-digit Secure PIN = 5 8 6 3
Leaving Read Keypad Secure Service
*****
Stolen PIN  = 5 8 6 3
Non-Secure end operations
█
```

# Summary

Responsible Disclosure, and Black Hat Sound Bytes

We have introduced the concept of **hardware gadgets** and presented **BUSted**, the **1<sup>st</sup> microarchitectural side-channel attack** exploiting **TrustZone-M** devices.

# Responsible Disclosure

# Responsible Disclosure



# Responsible Disclosure



# BH Sound Bytes

1. We **debunked** the common belief **that MCUs are not vulnerable to microarchitectural side-channel attacks.**
2. We presented a **new class** of software-based **microarchitectural side-channel attacks** affecting **MCUs**
3. We provided a **reference attack** that **bypasses** the TEE (**TrustZone-M**) of modern Armv8-M MCUs (Cortex-M33), **breaking all memory isolations!!**

# THANK YOU!

Cristiano Rodrigues | Sandro Pinto, PhD  
(Centro ALGORITMI / LASI, Universidade do Minho)

**id9492@alunos.uminho.pt**

**LinkedIn** - <https://www.linkedin.com/in/cristiano-rodrigues-msc-engineer/>  
**ResearchGate** - <https://www.researchgate.net/profile/Cristiano-Rodrigues-10>  
**Github** - <https://github.com/ESCristiano>

**sandro.pinto@dei.uminho.pt**

**LinkedIn** - <https://www.linkedin.com/in/sandro-pinto-phd-40535455/>  
**ResearchGate** - [https://www.researchgate.net/profile/Sandro\\_Pinto2](https://www.researchgate.net/profile/Sandro_Pinto2)  
**Github** - <https://github.com/sandro2pinto/>

Q & A