MVAM: Multi-variant Attacks on Memory for IoT Trust Computing

The growth of the Internet of Things (IoT) and the availability of low-cost cloud services have led to an increase in the sensory and data processing needs of IoT systems. TrustZone is a hardwarebased security solution designed for ARM processors in IoT handheld systems. It provides memory isolation to protect trusted application data from potential exploitation by malicious actors. This paper examines the vulnerabilities of the TrustZone extension of ARM Cortex-M processors and develops a threat model to carry out these attacks. After performing multi-variety attacks from different angles, it is found that TrustZone is susceptible to buffer overflow attacks that can compromise the security of other trusted apps. The vulnerabilities in TrustZone are attributed to the absence of validation for input parameters in the entry function and the failure to perform boundary-checking of memory allocation. The vulnerability known as Achilles' Heel can be found in any aspect of the TrustZone security system, making it susceptible to MOFlow attacks because the framework does not have adequate automatic safeguards in place. The proposed attacks were successfully tested on two recent ARM Cortex-M23 and M33 processors. Finally, a trust model is proposed to address these vulnerabilities.