Implementing and Breaking Load-Link / Store-Conditional on an ARM-Based System

TL;DR

This paper explores the implementation and vulnerabilities of load-link/store-conditional (LL/SC) routines on ARM systems, highlighting their importance in multithreading synchronization and demonstrating potential security issues.

Contribution

It provides a concise ARMv7l implementation of LL/SC, analyzes its mechanics, and reveals vulnerabilities related to register integrity in multithreaded environments.

Findings

Successful implementation of LL/SC on ARMv7l

Identification of register integrity vulnerabilities

Demonstration of potential security exploits

Abstract

Manufacturers of modern electronic devices are constantly attempting to implement additional features into ever-increasingly complex and performance demanding systems. This race has been historically driven by improvements in the processor's clock speed, but as power consumption and real estate concerns in the embedded space pose an growing challenge, multithreading approaches have become more prevalent and relied upon. Synchronization is essential to multithreading systems, as it ensures that threads do not interfere with each others' operations and produce reliable and consistent outputs whilst maximizing performance and efficiency. One of the primary mechanisms guaranteeing synchronization in RISC architectures is the load-link/store conditional routine, which implements an atomic operation that allows a thread to obtain a lock. In this study, we implement, test, and manipulate an LL/SC routine in a multithreading environment using GDB. After examining the routine mechanics, we propose a concise implementation in ARMv7l, as well as demonstrate the importance of register integrity and vulnerabilities that occur when integrity is violated under a limited threat model. This work sheds light on LL/SC operations and related lock routines used for multithreading.