Attacking ARM TrustZones

This training introduces and details TrustZone technologies through presentations and practical exercises on Samsung’s implementation.

At the end of the training, the participants will have gained a solid understanding of the underlying mechanisms used in popular TrustZone implementations as well as developed tools and insights to perform reverse engineering, vulnerability research and exploitation efficiently.

The main objective of this training is to gain code execution in Secure World User Mode (SEL0) by exploiting a now-fixed vulnerability found in a Trusted Application on certain past Android versions available for the Samsung Galaxy S6/S7 models. The different steps leading up to this objective are described in the syllabus below.

Syllabus:

  • Introduction to the TrustZone technology
  • Analysis of kernel components enabling communication with TrustZone elements (Qualcomm and Exynos)
  • Analysis of a TEE-OS attack surface
  • TEE-OS extraction from Android platforms (Qualcomm and Exynos)
  • Basics of TEE-OS reverse engineering, listing entry points for an attacker (Qualcomm and Exynos)
  • Trusted Application extraction from Android platforms (Qualcomm and Exynos)
  • Development of a tool to communicate with Trusted Applications (Exynos only)
  • Comparison of different Trusted Application formats (Qualcomm and Exynos)
  • Reverse engineering of Trusted Applications (Exynos only)
  • Vulnerability research and exploitation on a Trusted Application (Exynos only)
  • Tips to go further (TEE-OS attack surface)

Requirements:

  • An IDA license; all tools used and developed for this training are compatible only with IDA 7.0+
  • A basic understanding of ARMv8 ISA
  • A basic understanding of the main exploitation techniques, software protections and how to bypass them

Provided for the training:

  • Galaxy S6 (one per participant)

About the Speakers