image image

Cristofaro Mune & Niek Timmers

TEEPwn: Breaking Trusted Execution Environments


Trainer: Cristofaro Mune & Niek Timmers

Date: 24th - 26th Oct 2022

Time: 9:00am to 5:00pm CEST

Venue: Marriott Hotel, The Hague, Netherlands

Training Level: Intermediate


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

A Trusted Execution Environments (TEE) is notoriously hard to secure due to the interaction between complex hardware and a large Trusted Code Base (TCB). The security provided by different TEE implementations has been broken on a wide variety of devices, including mobile phones, smart TVs and even modern vehicles.

The TEEPwn experience takes an offensive perspective and dives into the darker corners of TEE security. It’s designed with a system-level approach, where you will experience exploitation of powerful vulnerabilities specific for TEE technology. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.

Your journey starts with achieving a comprehensive understanding of TEE technology. You will learn how hardware and software cooperate in order to enforce effective security boundaries. You will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.

All practical exercises are performed on our custom emulated attack platform which is using ARM TrustZone to implement multiple TEE implementations.

You will take on different roles, as an attacker in control of:

  • the REE, achieving privileged code execution in the TEE
  • the REE, accessing assets protected by a Trusted Application (TA)
  • a TA, escalating privileges to the TEE OS
  • a TA, accessing the protected assets of another TA

You will be guided towards an unexpected range of TEE-specific attack vectors and vulnerabilities, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.

Do not worry if your reverse engineering or exploiting skills are rusty or non-existing. You do not need to be an software security expert nor do we aim to make you one. Nevertheless, many exercises can be completed in complex way which keeps the exercises interesting to experienced attendees as well.


Detailed Description:

The TEEPwn experience take your on a journey of 3 days where you will attend lectures and perform exciting hands-on exercises. The lectures are given during classroom time and the exercises can be freely performed, even outside classroom time, using our unique exercise infrastructure. You will get access to a personal cloud-based VM that can be accessed from a modern browser.

It’s expected that not all of the exercises are finalized within the training hours. Therefore, you will get access to a personal VM, which contains all the required tooling and will allow to continue with the exercises after the training has ended.

During the TEEPwn experience we will cover the following topics:

  • Fundamentals
    • Overview of TEE
    • Security model
  • ARM TrustZone
    • TEE software
    • TEE attacker model
    • TEE attack surface
  • REE-to-TEE attacks
    • Secure Monitor (S-EL3)
    • TEE OS (S-EL1)
    • Identify and exploit vulnerabilities related to:
      • Vulnerable SMC handlers
      • Broken design
      • Unchecked pointers
      • Restricted writes
      • Range checks
  • REE-to-TA attacks
    • Communicating with a TA
    • Global Platform API
    • Identify and exploit vulnerabilities related to:
      • Type confusion
      • ToCToU / Double fetch
  • TA-to-TEE attacks
    • TEE OS (syscall interface)
    • Drivers
    • Identify and exploit vulnerabilities related to:
      • Unchecked pointers
      • Vulnerable hardware primitives
  • TA-to-TA attacks
    • State confusion

Therefore, you will get access to an offline VM that can be used to continue with the exercises after the training has ended.


What to Expect? | Key Learning Objectives:

The key learning objectives of the TEEPwn experience are:

  • gain a system-level understanding of TEE security
  • identify vulnerabilities across the entire TEE attack surface
  • gain hands-on experience with TEE-specific exploitation techniques
  • gain a solid understanding of ARM TrustZone-based TEEs

Who Should Attend? | Target Audience:

The TEEPwn experience is intended for:

  • Security Analysts, Researchers and Practitioners interested in TEE security
  • Software Security Developers and Architects interested in an offensive TEE perspective

What to Bring? | Software and Hardware Requirements:

The attendees of the TEEPwn experience are expected to have:

  • a modern computer system or laptop with sufficient memory
  • We advise to install and use the Chrome browser
  • stable Internet connection with sufficient bandwidth
  • we advise to install a VM software (e.g. VMware)

What to Bring? | Prerequisite Knowledge and Skills:

The attendees of the TEEPwn experience are expected to:

  • have experience with C programming
  • have experience with the ARM architecture (Aarch64) and ARM64 assembly
  • have a solid understanding of modern OSes and related security concepts
  • have an understanding of typical software vulnerabilities
  • be familiar with reverse engineering (AArch64)
  • be familiar with typical exploitation techniques

Resources Provided at the Training | Deliverables:

During the training you will get access to:

  • a personal cloud based VM
  • the exercise registry
  • the exercise instructions
  • the CTF server

To continue practicing after the training is completed:

  • a personal offline VM
  • a temporary token to access the exercise registry
  • for downloading all training exercises in the offline VM

Hardwear.io Support Gear:

  • Whiteboard and markers should be available throughout the entire training
  • A stable and fast Internet connection

ABOUT THE TRAINERS

Cristofaro Mune (@pulsoid) is Security Researcher at Raelize and he has been in the security field for 20+ years. He has 15+ years of experience with evaluating SW and HW security of secure products, as well as 10+ years of experience in assessing TEE security. He has contributed to development of TEE security evaluation methodologies and has been member of TEE security industry groups. His research on Fault Injection, TEEs, Secure Boot, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.

Niek Timmers (@tieknimmers) is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io. and NULLCON.