Hi all,
On October 16, 2020, Arm published a report discussing the Armv8-M Stack Sealing vulnerability, which was disclosed as CVE-2020-16273. The CVE and report state that on Armv8-M-based processors, if Secure software does not properly manage the Secure stacks when the stacks are created, it is possible for Non-secure world software to manipulate the Secure stacks and potentially influence Secure control flow. The corresponding advisory note shows two example attack scenarios of a stack underflow situation.
To understand the root cause of this vulnerability, we carefully studied the first scenario and did experiments following its procedure. However, we could not reproduce the vulnerability on the ARM V2M-MPS2+ motherboard prototyping the Cortex-M33. Our experiments show this vulnerability may not be exploitable. We share the details of our experiments in a blog in the hope of triggering more discussions and getting some help in reproducing the attack. We used an ARM V2M-MPS2+ motherboard prototyping the Cortex-M33 to carry out the experiments.
For details, please see this blog: Reproducing the Armv8-M Secure Stack Pointer Software Vulnerability (CVE-2020-16273)
We cannot reproduce the attack described in that CVE report, and we doubt if it is feasible. We hope this blog can trigger discussions on this issue. Please do not hesitate to contact us if you have any questions, comments, or additional information.
Thank you for your time.
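As an added illustration of the "proper management of Secure stacks at creation" that the advisory refers to (example code written for this post, not taken from the original post, from Arm, or from the blog), the hosted C program below models a Secure stack as an ordinary array and applies Arm's stack-sealing guidance: two seal words (0xFEF5EDA5) are written at the top of the stack before it is used, so that a later underflow past the stack top hits the seal rather than attacker-influenced memory, and the seal can be re-checked at runtime. The struct, function names and the use of a plain array in place of real Secure SRAM are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Seal value from Arm's Armv8-M stack-sealing guidance (not on the original page). */
#define STACK_SEAL_PATTERN 0xFEF5EDA5u

/* Hypothetical descriptor: a Secure stack is a region of 32-bit words; base is its lowest address. */
typedef struct {
    uint32_t *base;
    size_t    words;
} secure_stack_t;

/* Seal the stack at creation time: write two seal words at the very top of the region
 * and return the initial stack pointer, which sits just below the seal.
 * Returns NULL when the region is too small to hold the seal. */
uint32_t *seal_secure_stack(secure_stack_t *s)
{
    if (s == NULL || s->base == NULL || s->words < 2)
        return NULL;
    uint32_t *top = s->base + s->words;   /* one past the last word */
    top[-1] = STACK_SEAL_PATTERN;
    top[-2] = STACK_SEAL_PATTERN;
    return top - 2;                        /* initial SP points at the lower seal word */
}

/* Runtime check: both seal words must still be present; a missing seal means the stack
 * top was never sealed or has been overwritten, which is the condition the CVE relies on. */
bool secure_stack_seal_intact(const secure_stack_t *s)
{
    if (s == NULL || s->base == NULL || s->words < 2)
        return false;
    const uint32_t *top = s->base + s->words;
    return top[-1] == STACK_SEAL_PATTERN && top[-2] == STACK_SEAL_PATTERN;
}

int main(void)
{
    uint32_t mem[32] = {0};                /* constructed stand-in for Secure stack memory */
    secure_stack_t st = { mem, 32 };
    uint32_t *sp = seal_secure_stack(&st);
    printf("initial SP index: %ld, seal intact: %d\n", (long)(sp - mem), secure_stack_seal_intact(&st));
    mem[31] = 0;                           /* simulate a clobbered seal word */
    printf("after clobber, seal intact: %d\n", secure_stack_seal_intact(&st));
    return 0;
}
```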