
Identify the source of a given handle to know if it is malicious
Open, Normal, Public

Description

Identify the source of a given handle to know whether it is an NSPE handle or an SP handle. This prevents a malicious NSPE thread from peeking at information from the secure side.

Event Timeline

KenLSoft triaged this task as Normal priority. Jan 24 2019, 7:17 AM
KenLSoft created this task.
KenLSoft created this object with edit policy "Subscribers".
alzix added a subscriber: alzix. Edited Jan 27 2019, 8:40 PM

Isolation level 3 assumes mutual distrust between secure partitions.
We need to save the connection "owner" client ID and not only the secure domain origin.

Consider the following use case:

  • There is a long-lived connection between two secure services. It is created during the initialization sequence.
  • The connection policy is validated upon connection creation: ns_caller && !service->service_db->non_secure_client
  • An offending NSPE client guesses a connection handle for the secure->secure service connection mentioned above. This is probably not too hard, given that handles are just indexes in an array without a random factor.
  • The offending NSPE client performs psa_call.

TF-M must assert that the connection is "owned" by the caller.
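The ownership check described in the comment above, as an added illustration rather than TF-M's own code: a minimal connection table records the client ID at connect time, and the call-time check compares it with the caller. The client-ID sign convention (negative = NSPE caller, positive = secure partition) and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model, not TF-M code: each handle stores the client ID of the
 * caller that created it, so psa_call can verify ownership instead of only
 * checking which domain (NS or S) the caller comes from. */
#define MAX_CONN 4

typedef struct {
    bool    in_use;
    int32_t owner;            /* client ID recorded at connect time */
} conn_t;

static conn_t conn_table[MAX_CONN];

/* Connect: apply the service's NS-client policy, then record the owner.
 * Returns a handle (a plain array index, deliberately predictable, as the
 * comment describes) or -1 when the policy rejects the caller. */
int conn_connect(int32_t caller, bool service_allows_ns_client) {
    bool ns_caller = caller < 0;          /* assumed convention: NSPE IDs < 0 */
    if (ns_caller && !service_allows_ns_client)
        return -1;
    for (int h = 0; h < MAX_CONN; h++) {
        if (!conn_table[h].in_use) {
            conn_table[h].in_use = true;
            conn_table[h].owner = caller;
            return h;
        }
    }
    return -1;                            /* table full */
}

/* Call-time check: the handle must be live AND owned by this caller.
 * A domain-only check would still let one SP use another SP's handle,
 * which isolation level 3 (mutual distrust) does not permit. */
bool conn_call_allowed(int32_t caller, int handle) {
    if (handle < 0 || handle >= MAX_CONN || !conn_table[handle].in_use)
        return false;
    return conn_table[handle].owner == caller;
}

/* Helper so the table can be cleared between scenarios. */
void conn_reset(void) {
    for (int h = 0; h < MAX_CONN; h++)
        conn_table[h].in_use = false;
}
```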