This project efficiently defends against semantic gap vulnerabilities in TrustZone using ARM Pointer Authentication.
- If you are not familiar with semantic gap vulnerabilities, you can refer to Boomerang and Horizontal Privilege Escalation (HPE).
- Qualcomm's introduction to the ARMv8.3 Pointer Authentication feature may help you better understand it.
Install the dependencies in the list. In addition, you need to install python2. Since we are using Ubuntu 22.04, it is recommended that you use the same operating system.
```sh
cd src/build
make PAUTH=y all -j `nproc`
make run-only
```

There will be two separate consoles, one for the non-secure world and another for the secure world.
Enter `root` at the login prompt in the console of the non-secure world.
Note that the project runs on the FVP simulator, so the results may differ from those obtained on a real development board.
```sh
optee_example_hello_world
xtest
xtest -t benchmark
avb
trusted_keys
cd /mnt/host/scripts/darknet
sh run_darknet.sh
```

- Recompile the project.
```sh
cd src/build
make PAUTH=y SECURE_EVALUATION=y all -j `nproc`
```

- Repeat steps 2.2 and 2.3.
- Execute the victim CA, and then launch the malicious CA.

```sh
semantic_victim &
semantic_attack
```

