The increasing popularity of connected devices in recent years has led manufacturers to put a greater emphasis on security, finding themselves in need of robust designs that would protect their users. From these requirements emerged the ARM TrustZone, a system-wide hardware isolation technology. It introduces a trusted Secure World that can process code and data while ensuring their integrity and confidentiality. This Secure World can also watch over the user-controlled (and therefore untrusted) Normal World to verify its integrity, similarly to the mechanism implemented in Samsung's TIMA. It can also access hardware peripherals, such as keyboards, screens or cryptoprocessors, in a secure and isolated manner to create trusted UIs, implement DRMs, etc. All the sensitive data and the critical interruptions are directly handled by the Secure World without ever passing through the Normal World.
During this practical three-day training, attendees will be introduced to the ARM TrustZone technology, the related problematics and how they can be answered using both hardware and software components using Samsung's TrustZone to illustrate the course. Once the OS running in the Trusted Execution Environment, or TEE-OS for short, has been extracted by the trainees on Samsung’s Exynos based Android platforms, they will be reverse-engineered to list the entry points, the differences with other TEE-OSs, the communication mechanisms, etc. The course will then focus on how to extract, reverse-engineer and communicate with trusted applications and secure drivers. Ultimately, the main objective of the training is for the attendees to get arbitrary code execution in the secure OS on Exynos by exploiting multiple, now-fixed, vulnerabilities in different components (Trustlets, Secure Driver and TEE-OS). The course ends by providing different tips to go further and presents some post-exploitation ideas.
The training is optimally suited for:
This training introduces and details ARM TrustZone technologies through presentations and practical exercises on Samsung’s implementation. No pre-requisite in terms of knowledge on ARM TrustZone is needed for this course. At the end of the training, the participants will have gained a solid understanding of the underlying mechanisms used in popular ARM TrustZone implementations as well as developed tools and insights to perform reverse engineering, vulnerability research and exploitation efficiently. The main objective of this training is to gain code execution in EL3 by exploiting, now fixed, vulnerabilities found in a Trusted Application, a Secure Driver and the TEE-OS on certain past Android versions available for the Samsung Galaxy S6/S7 models. The different steps leading up to this objective are described in the agenda.
Joffrey Guilbon is a Security Researcher previously working at Quarkslab on mobile and embedded systems. His work includes low-level systems, reverse engineering (on several targets such as operating systems, trusted execution environment components, secure boot implementations, bootroms, etc.), vulnerability research, binary exploitation, and tools development to ease things out. In his free time he enjoys participating in Capture The Flag (CTF) competitions and in open-source projects (IDArling for example).
Maxime Peterlin is a Security Researcher working in Quarkslab’s embedded & hardware team. His day-to-day work includes reverse engineering, studying low-level systems, vulnerability research, binary exploitation and tools development. Occasionally, he enjoys participating in Capture the Flag competitions and pursuing his research during his own time.
Romain Thomas is a Security Engineer working at Quarkslab on the development of new tools to assist security researchers. He is also interested in Android internal, (de)obfuscation and software protections. He previously contributed to the Triton project, a dynamic binary analysis framework.
Tom Czayka is a security researcher working at Quarkslab. He is interested in everything related to Android operating system, especially internals. He is keen on reverse engineering, instrumentation, fuzzing and low-level programming. As well, he is into developing tools which assist reverse engineers and make their work easier.