TEE-Time: A Dynamic Cache Timing Analysis Tool for Trusted Execution Environments

Quentin Forcioli, Sumanta Chaudhuri, Jean-luc Danger
Telecom Paris


Abstract

In this article, we present a tool to analyze cache timing vulnerabilities in trusted execution environments. First, we present a platform based on the well-known gem5 simulator capable of booting GlobalPlatform-compliant TEEs for the ARMv8 architecture. Next, we present the associated GDB instrumentation, which allows us to dynamically reconfigure the gem5 simulator and access detailed micro-architectural state after each simulation step. Unmodified Linux/TEE binaries can be run on this platform, from which detailed execution and cache access traces are gathered and analyzed on the fly.

We demonstrate the usage of this tool, first with an in vitro experiment to explain the concepts of Key-Cache lines, Key-Execution Points, a method to rank these lines in increasing order of vulnerability, and code coverage. We show that real vulnerabilities can be detected with our tool in an otherwise constant-time RSA implementation inside an open-source TEE called OP-TEE.
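As an added illustration (not the paper's tool or code), the following Python sketch shows the kind of post-processing a defender can run over per-key cache access traces: it flags execution points whose cache-line accesses differ between keys, ranks them, and computes coverage. The trace format, the key names and the reading of "Key-Cache line" and "Key-Execution Point" as key-dependent accesses are assumptions for this example, and the trace data is constructed.

```python
from collections import defaultdict

# Constructed sample traces: one trace per secret key, each entry is
# (execution point, cache line touched). Invented values, not TEE-Time output.
TRACES = {
    "key_a": [(0x1000, 0x40), (0x1004, 0x80), (0x1008, 0x41), (0x100c, 0x80)],
    "key_b": [(0x1000, 0x40), (0x1004, 0x80), (0x1008, 0x43), (0x100c, 0x80)],
    "key_c": [(0x1000, 0x40), (0x1004, 0x80), (0x1008, 0x45), (0x100c, 0x81)],
}


def key_dependent_lines(traces):
    """Return {execution_point: set of cache lines} for every execution point
    that touches different cache lines depending on the key (assumed reading
    of Key-Execution Points and their Key-Cache lines)."""
    lines_at = defaultdict(set)
    for trace in traces.values():
        for pc, line in trace:
            lines_at[pc].add(line)
    return {pc: lines for pc, lines in lines_at.items() if len(lines) > 1}


def rank_execution_points(traces):
    """Rank key-dependent execution points: more distinct lines across keys
    means more key information observable through the cache, so it ranks first.
    Ties are broken by address to keep the ranking deterministic."""
    dep = key_dependent_lines(traces)
    return sorted(dep, key=lambda pc: (-len(dep[pc]), pc))


def code_coverage(traces, instrumented_pcs):
    """Fraction of instrumented execution points exercised by at least one
    trace; low coverage means untested paths may still hide leaks."""
    seen = {pc for trace in traces.values() for pc, _ in trace}
    targets = set(instrumented_pcs)
    return len(seen & targets) / len(targets)


if __name__ == "__main__":
    for pc in rank_execution_points(TRACES):
        print(hex(pc), sorted(hex(l) for l in key_dependent_lines(TRACES)[pc]))
    print("coverage:", code_coverage(TRACES, [0x1000, 0x1004, 0x1008, 0x100c, 0x1010]))
```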