Comparison of side-channel leakage on Rich and Trusted Execution Environments by Leignac, Paul et al.
HAL Id: hal-02380360
https://hal.archives-ouvertes.fr/hal-02380360
Submitted on 26 Nov 2019
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Comparison of side-channel leakage on Rich and Trusted
Execution Environments
Paul Leignac, Olivier Potin, Jean-Baptiste Rigaud, Jean-Max Dutertre, Simon
Pontie
To cite this version:
Paul Leignac, Olivier Potin, Jean-Baptiste Rigaud, Jean-Max Dutertre, Simon Pontie. Comparison of
side-channel leakage on Rich and Trusted Execution Environments. the Sixth Workshop, Jan 2019,
Valencia, Spain. pp.19-22, ￿10.1145/3304080.3304084￿. ￿hal-02380360￿
Comparison of side-channel leakage on Rich and Trusted
Execution Environments
Paul Leignac, Olivier Potin, Jean-Baptiste Rigaud, Jean-Max Dutertre1 and Simon
Pontie´2
1Mines Saint-Etienne, CEA-Tech, Centre CMP, Departement SAS, Gardanne, F-13541,
FRANCE
2CEA Tech, Centre CMP, Equipe Commune CEA Tech - Mines Saint-Etienne,
Gardanne, F-13541, FRANCE
1firstname.name@emse.fr
2simon.pontie@cea.fr
Abstract
A Trusted Execution Environment (TEE) is a soft-
ware solution made to improve security inside sys-
tem on chip (SoC) based on ARM architecture. It
offers a compromise between the functionality of
the Rich Operating System (Rich OS), for exam-
ple Android, and the security of a Secure Element
(SE). ARM TrustZone separates the SoC between
two worlds (Normal World and Secure World). The
Trusted OS (the OS on the TEE) has several secu-
rity mechanisms that isolate and secure its execu-
tion and data from the Rich OS and save it from
data theft. If these mechanisms are made to pre-
vent software attack from Rich OS, this paper pro-
poses to take a look at the identification of data
leakage from a TEE facing physical attack. In par-
ticular, how a side-channel analysis on electromag-
netic (EM) emissions using the Test Vector Leakage
Assessment (TVLA) methodology permits to iden-
tify the leakage and a correlation electromagnetic
analysis (CEMA) can exploit the results.
1 Introduction
A Side-Channel Analysis (SCA) is an attack that
exploits a leakage in the implementation of an algo-
rithm by extracting information from a measured
physical value which has ’correlated’ to the tar-
get computation. It could be timing information
[1], power consumption [2], electromagnetic ema-
nations [3], or any other physical value. However,
the evolution of SoCs and smartphones tends to
move the attention to these targets that contain
sensitive data (banking information, work content,
personal data, etc.) and to develop new security
technologies such as ARM TrustZone [4] and TEE
[5, 6]. Some 64-bit microcontrollers (for example
ARM Cortex-M35P) also combine software pro-
tection with TrustZone technology and additional
physical protections. But mobile devices require
advanced microprocessors, which at present, do not
include side-channel attack protections. In this pa-
per, we study how is the complexity of side-channel
key extraction of AES encryption [7] when it is ex-
ecuted on Rich Execution Environment (REE) and
Trusted Execution Environment. Particularly, we
analyse whether the complexity of SoC used in mo-
bile devices and the OS executed on — Rich OS
or Trusted OS — can be an intrinsic protection.
1.1 Previous attacks on SoC
Attacks were performed in the last few years on ad-
vanced system. In [8], Aboulkassimi et al. attacked
a software implementation of AES under JAVA ME
using EM measures. In [9], Longo et al. added
an OS and attacked a SoC running under Debian
to extract AES encryption key exploiting electro-
1
magnetic emanations. Some attacks appeared on
ARM TrustZone and TEE. It was mostly software
attacks. In [10], Rosenberg used a security breach
in the QSEE (Qualcomm TEE) to unlock the boot-
loader on a Motorola smartphone. In [11], Lagini-
maineb redirected some functions inside QSEE to
be able to execute arbitrary code inside the TEE.
Physical attacks were made on a TEE-based sys-
tem. In [12], Tang et al. made a fault attack to
modify the behavior of the clock and voltage reg-
ulators, violate the timing constraint and extract
AES secret key on both Android and TEE. In [13],
Zhang et al. extracted information by probing the
cache during a software AES encryption on a TEE.
In [14], Kevin et al. did side-channel EM analysis
to extract cryptographic secret key in TEE. How-
ever, this was done on bare-metal (without OS).
We propose in this paper to manage a complete
EM attack of an AES encryption on both REE and
TEE OS. We discuss about what are the difficulties
of the attack in terms of spatial and timing localisa-
tions of the AES encryption on complex SoC. What
is the impact of TEE on a classical side-channel at-
tack ?
1.2 Difficulties
The main difficulty for the attacker caused by the
operating systems is that a lot of processes are run-
ning at the same time on the device. Also the pres-
ence of several cores as on all recent SoC may in-
duce probing errors because of the scheduling of the
execution flow between cores. The consequence is
a lot of noise and interruptions which means it is
more difficult to clearly identify the targeted execu-
tion, and have synchronized measures. To bypass
these difficulties, we:
• Reduced the execution to one core.
• Identified the leakage with the TVLA method-
ology [15].
• Resynchronized the traces with mathematical
tools.
• Extracted the secret data by electromagnetic
correlation.
1.3 Targeted Device
The targeted board is an evaluation board LeMaker
HiKey. The device component is a 64-bit SoC
in 28nm technology. It has an octa-core ARM
Cortex-A53 CPU with 5 available clock frequen-
cies (208MHz to 1.2GHz). It is running Android
Oreo (Android version 8.0) and Trustonic Secured
Platforms for TEE (Kinibi). It is embedded in sev-
eral smartphones on the market such as Huawei P8
Lite or Honor 5A.
1.4 Targeted Software
The software targeted on the the board is separated
in two parts: the Client Application (CA), running
under Android Oreo, and the Trusted Application
(TA), running under the Trusted OS. Our appli-
cation is a 128-bit AES encryption developed in C
without countermeasure. The same key is fixed in
both environment. In case of REE, the software ex-
ecutes an AES encryption in the Normal World. In
case of TEE, the software execution goes through
a very specific process and defined by Global Plat-
form APIs [16] to produce the AES encryption in
Secure World. Indeed, the CA starts from the Nor-
mal World user mode then goes to kernel mode
and opens a session with the TA. Here, the chip
switches to Secure World. A Monitor Mode is ap-
plied to save and restore OS context when switch-
ing between Normal and Secure Worlds. In Secure
World, key, plaintexts buffer and memory used for
the AES computing are stored in secure enclaves
only reachable from TEE. Then, the TA executes
the AES encryption. The same path backward per-
mits to return to user mode in the Normal World.
The CA regains control, closes the session with the
TA and returns the cipher texts.
1.5 Non-intrusive attack setup
The targeted execution is an application perform-
ing a 128-bit AES encryption either on the REE
or on the TEE. As same as [17], we measure the
electromagnetic field around the chip through the
package during the encryption aiming to do a side-
channel analysis. Fortunately, the SoC is not a
package-on-package with RAM on top which would
imply to remove the RAM and potentially destroy
the chip. To do so, we used a Teledyne Lecroy Wa-
2
veRunner 640Zi oscilloscope sampling at 10GS/s
and with a 4GHz bandwith, a Langer H-field probe
RF-B 0.3-3 with a 30MHz to 3GHz bandwidth and
a Langer PA 306 amplifier with a 100kHz to 6GHz
bandwidth.
As the chip contains 8 CPUs, we took X-Ray pic-
tures of the SoC to identify 8-identical patterns and
conclude the CPUs position. As the TA is executed
in Secure World on the same CPU from which the
CA calls the TA, we manage to target one of the
CPUs and deactivate all others with CPU hotplug
capability of the Linux kernel. On the assumption
that any user with a root access to the Android
side can modify the content of configuration files
in the system, we are able to deactivate 7 cores.
Moreover, we also manage to deactivated Dynamic
Voltage and Frequency Scaling (DVFS) by setting
the CPU frequency to the highest supported value.
So, it permits to avoid dynamic time execution ac-
cording to the CPU load. On an Android system,
you can do it by configuring the CPU frequency
scaling of the Linux Kernel.
2 Side-channel Attack
To prepare to the side-channel attack, we proceed
to a reverse engineering analysis of the board on
REE side to identify the leakage model of the cir-
cuit which permits to make assumptions on key val-
ues. We apply the Test Vector Leakage Assessment
(TVLA) methodology. The methodology is de-
scribed in [15] and consists in almost 1800 Welch’s
t-tests [18] knowing the plaintexts and the secret
key. The results of specific t-tests regarding byte
values gave us exploitable results which means that
the leakage is linked to the value of the manipulated
bytes. Consequently, we target a leakage model on
Hamming weight on bytes for the side-channel at-
tack. With this assumption , we can manage to do a
Correlation ElectroMagnetic Analysis (CEMA) like
the Correlation Power Analysis (CPA) described by
Brier et al. in [19] except that we consider the EM
traces instead of power traces. However, as we ob-
serve a lack of synchronization between traces dur-
ing the TVLA process, we proceed to a pretreat-
ment step to resynchronize 10,000 traces according
to the process described in figure 1 before proceed-
ing to CEMA. The attack was done on REE side to
test the vulnerability of the hardware and on the
TEE side to attack the trustzone.
2.1 Pretreatment Step
The resynchronisation is a two-step process involv-
ing the identification of a golden pattern and the
pattern matching in the set of traces. The pattern
matching steps are executed on each trace:
1. Compute cross-correlation between traces and
golden pattern to select lower and/or upper
time limits before fine grain pattern matching.
2. Decimate trace to decrease the trace size.
3. Find the best pattern in the trace which min-
imize the euclidean distance from the golden
pattern. This search is bounded by time lim-
its.
4. Estimate the quality of the pattern matching.
A part of an arbitrary chosen trace will be the
golden pattern. Having analysed the chosen trace,
the time frame that should be an AES encryption
was identified. To avoid cache eviction or miss
cache consequences, we fill the plaintexts buffer
with a same plaintext. Consequently, if the first
encryption causes cache misses, next encryptions
must tend to a constant execution time. For exam-
ple, we choose the third AES encryption among the
ten successive iterations of the same AES encryp-
tion in figure 2. This part of the trace is saved and
considered as a golden pattern. The next resyn-
chronisation step consists in browsing all the traces
to look for a pattern matching the golden pattern.
Synchronisation with
cross corrélation
(margin of 150%)
Euclidean distance 
measurement
Decimation
(under the clock frequency)
Minimisation of euclidean distance
Desynchronised tracesGolden 
Pattern
Synchronized Traces
Quantitative evaluation of 
the resynchronisation 
process on each trace
Figure 1: Traces resynchronisation process
3
For that, we compute the cross-correlation (1) co-
efficient between the golden pattern (X) and each
trace (Y). The formula of the cross-correlation co-
efficient is given in Eq. 1:
ρX,Y (τ) =
1
σXσY
γX,Y (τ) (1)
Where:
ρX,Y (τ) = Cross-correlation between X and Y for
a delay τ
σX = the standard deviation of X
σY = the standard deviation of Y
γX,Y (τ)=the cross-covariance between X and Y
for a delay τ
The cross correlation coefficient is a measure of
similarity between two time series. By applying it
to the golden pattern and each trace, we measure
if the trace matches the golden pattern. This op-
eration is fast due to an optimisation based on fast
Fourier transform. The result is only used to de-
fined time limits around identified pattern. Step
(2) allows us to decrease the number of samples in
traces by decimation before proceeding to the next
step. In the step (3), we find the delay τ that min-
imizes the euclidean distance between the golden
pattern and a selected part of each trace around
the time limits from step (1) (see Eq. 2). Once
we have the delay τdelay, we select in the trace a
window of the same size of the golden pattern and
starting at the instant t = τdelay. Step (1) and (2)
reduce computation time of step (3). The result of
step (4) indicates the quality of the golden pattern
extraction in each trace which permits us to filter
traces with low matching.
τdelay = argmax
τ
(‖X(t− τ)− Y (t)‖) (2)
Figure 2: Trace of CA execution containing 10 AES
2.2 Experimental result on REE side
After the resynchronisation of the 10,000 traces in
REE, we can proceed to the CEMA to measure the
vulnerability of the chip in Normal World. To do
the CEMA, we make 256-key hypotheses by com-
puting the hamming weight of the 8-bit value of
each of the 16 bytes of the AES state after the
SubBytes transformation in the first round of the
AES Encryption for all 10,000 plaintexts. Then,
we compute the Pearson correlation coefficients be-
tween all the key hypothesis and the samples of all
traces measured with the EM probe. For each byte
of the key, the good candidate is the one whose
correlation trace has the highest peak in absolute
value and the instant in time this peak appears is
the instant of the leakage. On the REE side, we
were able to recover all the 16 bytes of the AES
secret key with 10,000 traces in 30 minutes on a
machine using 10 CPUs and with 32 GB of RAM
(see Figure 3). The order of the found bytes for the
key is: 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6,
11. This corresponds to the order of the bytes after
the ShiftRows transformation of the first round.
2.3 Experimental result on TEE side
The trustzone is exclusively a software countermea-
sure and, obviously, we can expect that the same
algorithm executed on both environment REE and
TEE has a same EM signature. We hope that the
strategy developed on REE side permits us to re-
use the golden pattern on the TEE side. Unfortu-
nately, it was not! The measured EM field is much
more noisy than in Normal World and the AES en-
Figure 3: CPA the rank of the 16 correct keys on
REE
4
cryptions were hard to distinguish. Moreover, the
timing variability of the TA execution induced by
the switch context between Normal World and Se-
cure World increases the difficulty of resynchroni-
sation. Another difficulty is the lack of GPIO in
Secure World which allows us to trig on AES en-
cryptions. Indeed, the access to GPIO in Secure
World could be possible only if a kernel driver is
available in TEE. Nevertheless, by running several
times the TA with a different number of encryp-
tions, we were able to identify an window inside
the EM emanations whose length changed. This
window length is 500 µs out of 12ms (the trigger
width corresponding to the duration of the TA exe-
cution). But, with a time-frequency representation
of the trace (see Figure 4), it becomes possible to
extract a time frame including the 10 iterations of
AES encryption.
A more precise time-frequency analysis permits us
to clearly identify 10 patterns which correspond
to the 10 rounds of the AES encryption. Conse-
quently, we define these 10 patterns as the golden
pattern for TEE encryption and apply the same
strategy than in REE side. Finally, we were able
to conclude the attack on the Trustzone and extract
the secret key (see figure 5).
The bytes of the secret key have been found in this
order: 15, 0, 5, 10, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6,
11. It corresponds to the order of the bytes in the
state after the ShiftRows except for the first column
that has been mixed, which could mean that the
leakage appears during the MixColumns step. All
key bytes are found with 6,000 traces (same order of
magnitude as on the REE) in 45 minutes with the
same resources allocation as for the REE attack.
Figure 4: Spectrogram of the trace of TA execution
containing 10 AES encryptions
3 Conclusion
We succeeded in performing the side channel anal-
ysis on both Android and Trusted OS. We pro-
ceeded in three steps: the identification of the leak-
age model with the TVLA method, an AES attack
on REE side to test the hardware vulnerability of
the SoC and an AES attack on TEE side. Most
of the difficulties and strategy to bypass them were
concentrated on the spatial and the timing local-
isation of correct AES encryptions: Identification
of the 8-CPU cores on the SoC, set the execution
on one CPU core, avoid as soon as possible the
time shifting of the AES encryption process and
filter EM traces with OS interruptions. Neverthe-
less, the SoC complexity and the TEE protection
scheme were not sufficient against physical attack.
However we were surprised that a same code on
both side did not produce similar traces. It is still
an open question why some discrepancies are ob-
served between the REE and the TEE leakage and
what are the causes of leakage sources ? In case of
all the 8 CPU cores are activated, the attack should
come to a successfull conclusion. The side-channel
analysis would require more traces and time and
another step of pretreatment to identify whether or
not the trace is exploitable. It can be done by look-
ing at the result of cross-correlation during pattern
recognition process.
3.1 Perspectives and countermea-
sures
An attack on an AES T-Table implementation
should still succeed but is it possible to proceed to
Figure 5: CPA rank of the 16 correct keys on TEE
5
the attack in case of more complex AES encryption
algorithm (NEON based bitslicing) or dedicated as-
sembler instructions of ARMv8 which implies to
find few instructions in the complete TA process ?
Of course, AES classical countermeasures (shifting
or masking) should deal with the attack. As we ob-
serve the TA is vulnerable when the attacker can
identify AES rounds, another proposition of coun-
termeasure on the TEE side could be to interleave
the rounds of the AES encryption with rounds of
another AES that would be using random key and
plaintext and these rounds would be randomly or-
dered. As there is no access to GPIO pins, the at-
tacker has to use a cross-correlation to retrieve the
AES in the trace. However, if there are some ”false”
rounds, the correlation would be fooled by the
countermeasure and the analysis made on rounds
from different AES encryptions, preventing the at-
tack to success.
Acknowledgement
This work was carried out in the framework of
the FUI-AAP20 project TEEVA supported by BPI
France.
References
[1] P. C. Kocher, “Timing attacks on implemen-
tations of diffie-hellman, rsa, dss, and other
systems,” in Annual International Cryptology
Conference, pp. 104–113, Springer, 1996.
[2] P. Kocher et al., “Differential power analysis,”
in Advances in Cryptology — CRYPTO’ 99
(M. Wiener, ed.), pp. 388–397, Springer Berlin
Heidelberg, 1999.
[3] K. Gandolfi et al., “Electromagnetic analysis:
Concrete results,” in CHES 2001, pp. 251–261,
Springer, 2001.
[4] ARM Ltd, ARM Security Technology - Build-
ing a Secure System using TrustZone Technol-
ogy, 2009.
[5] M. Sabt et al., “Trusted execution environ-
ment: what it is, and what it is not,” in 14th
IEEE International Conference on Trust, Se-
curity and Privacy in Computing and Commu-
nications, 2015.
[6] J.-E. Ekberg et al., “Trusted execution envi-
ronments on mobile devices,” in Proceedings of
the 2013 ACM SIGSAC conference on Com-
puter & communications security, pp. 1497–
1498, ACM, 2013.
[7] P. FIPS, “197, advanced encryption standard
(aes), national institute of standards and tech-
nology, us department of commerce, november
2001,” 2001.
[8] D. Aboulkassimi et al., “ElectroMagnetic
Analysis (EMA) of Software AES on Java Mo-
bile Phones,” in IEEE Intl. Workshop on In-
formation Forensics and Security - WIFS’11,
(Foz do Iguac¸u, Brazil), p. Paper 75, Nov.
2011.
[9] J. Longo et al., “Soc it to em: Electro-
magnetic side-channel attacks on a complex
system-on-chip,” in CHES 2015 (T. Gu¨neysu
and H. Handschuh, eds.), (Berlin, Heidelberg),
pp. 620–640, Springer Berlin Heidelberg, 2015.
[10] D. Rosenberg, “Unlocking the motorola boot-
loader,” Azimuth Security Blog, 2013.
[11] Laginimaineb, “Exploring qualcomm’s trust-
zone,” Bits, Please!, 2015.
[12] A. Tang et al., “CLKSCREW: Exposing the
perils of security-oblivious energy manage-
ment,” in 26th USENIX Security Symposium
(USENIX Security 17), (Vancouver, BC),
pp. 1057–1074, USENIX Association, 2017.
[13] N. Zhang et al., “Truspy: Cache side-channel
information leakage from the secure world on
arm devices.,” 2016.
[14] B. Kevin et al., “How TrustZone could be by-
passed: Side-Channel Attacks on a modern
System-on-Chip,” in Wistp’17, International
Conference on Information Security Theory
and Practice, (Heraklion, Greece), Sept. 2017.
[15] G. Becker et al., “Test vector leakage assess-
ment (TVLA) methodology in practice,” in
International Conference on Mathematics and
Computing, 2013.
[16] Global Platform Device Technology, TEE In-
ternal Core API Specification, 2013.
6
[17] D. Genkin et al., “Ecdsa key extraction from
mobile devices via nonintrusive physical side
channels,” in Proceedings of the 2016 ACM
SIGSAC Conference on Computer and Com-
munications Security, pp. 1626–1638, ACM,
2016.
[18] B. L. Welch, “The generalization of stu-
dent’s’ problem when several different pop-
ulation variances are involved,” Biometrika,
vol. 34, no. 1/2, pp. 28–35, 1947.
[19] E. Brier, C. Clavier, and F. Olivier, “Correla-
tion power analysis with a leakage model,” in
International workshop on cryptographic hard-
ware and embedded systems – CHES 2004,
pp. 16–29, Springer, 2004.
7
