image image

TEE SW Security Training

3rd - 5th April 2019 | 3 Days


Cristofaro Mune


The “TEE SW Security Training” provides a unique opportunity for broadening knowledge, increasing skills and refining perspectives required for a methodical approach to TEE security and, specifically, to TEE SW (Trusted Execution Environment Software).

The training is designed from an attacker-oriented perspective, organized in a methodical flow, aimed at building the holistic approach required by TEE security. At the end of the training, students will be able to understand complexities of modern TEEs, identify non-obvious SW attack surfaces, be familiar with relevant vulnerability classes and perform reviews of TEE source code in the context of TEE relevant attacks.

Students are initially guided through TEE security models and components, understanding TEE SW specific roles and applicable attacks. TEE SW attack surface is explored in a comprehensive way, with multiple attacker models. Real, public case studies and attacks are analyzed while exploring vulnerability classes and the identified attack surface.

Practical exercises are a relevant portion of the training time. Students are tasked to identify vulnerabilities related to the covered concepts and in modified OP-TEE and ARM Trusted Firmware codebases. Wherever possible, public attacks have been ported to the training codebase, allowing for a close simulation of real vulnerabilities. Exploitation and remediation are discussed for all vulnerabilities. The training codebase is also running in an emulated target, allowing to perform actual exploitation for some of the vulnerabilities.

Unique to this training is the use of modern techniques for improving knowledge transfer quality and comfort. A mix of presentations, interactive sessions, open questions, exercises and other activities is delivered taking into account attention span curves. Exercises are organized in a jeopardy style, in-class CTF focusing on case analysis, vulnerability identification and successful exploits, leveraging gamification for an effective concept acquisition.

Participants are expected to have a good knowledge of modern OS technical and security concepts, being familiar with typical SW vulnerabilities and have a basic knowledge of ARM architecture and SW exploitation. Experience with OS-level source code reviews, binary reverse engineering, exploitation and exposure to SoC-level HW security may be beneficial during the overall course.


The following topics are covered during the training:

  • Module 1: “TEE and TEE SW security concepts” (start)
  • TEE security model
  • TEE HW & SW components roles
  • Needed approaches in security design and evaluation
  • CTF start
  • Module 2: “TEE primer: ARM TrustZone-based TEE”
  • TrustZone security model and TEE HW primitives
  • Typical TEE SW components in a TrustZone TEE
  • Running a TrustZone-based TEE
  • Module 3: “TEE SW attack surfaces”
  • REE attacker model
  • TA attacker model
  • Physical access attacker model
  • Module 4: “Vulnerability Identification Dojo: TEE runtime” (start)
  • REE attacker model (start)
  • Case studies, Exercises, CTF
  • Module 4: “Vulnerability Identification Dojo: TEE runtime” (cont.)
  • REE attacker model (cont.)
  • TA attacker model
  • Physical access attacker model
  • Case studies, Exercises, CTF
  • Module 5: “Vulnerability Identification Dojo: TEE initialization”
  • Secure Boot concepts
  • TEE HW initialization
  • Bootloaders
  • Demotion points
  • Case studies, Exercises, CTF
  • Module 6: “Vulnerability Identification Dojo: TEE configuration”
  • TEE “sealing”
  • Development chain vulnerabilities
  • Supply chain vulnerabilities
  • CTF finals

Who should attend?

The “TEE SW Security Training” is intended for both a defensive and offensive-oriented audience:

  • SW Security developers (e.g. tasked with developing a TA or a TEE SW component)
  • Security Architects (e.g. tasked with designing countermeasures for SW attacks)
  • Security Analysts (e.g. tasked with review of TEE-related source code)
  • Security Researchers

What attendees should bring?

A notebook:

  • capable of running VMware Fusion, Workstation or the free VMware Player
  • with one of the above VMWare products installed
  • with 40GB available disk space

What will be provided?

  • A VMWare image with all the tools and code needed for the exercises


Cristofaro Mune is a Product Security consultant, providing support for design and development of secure products. He also performs device-level security testing with advanced SW and HW techniques. He has more than 16 years of experience in (SW & HW) security assessment of highly secure products, as well as several years in TEE security evaluation and testing. He has also contributed to development of TEE security evaluation methodologies and has been member of TEE security industry groups. Research on Fault Injection, TEE security, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
Twitter handle: @pulsoid