The increasing popularity of connected devices in recent years has led manufacturers to put a greater emphasis on security, finding themselves in need of robust designs that
would protect their users.
From these requirements emerged the ARM TrustZone, a system-wide hardware isolation technology. It introduces a trusted Secure World that can process code and data while ensuring their integrity and confidentiality. This Secure World can also watch over the user-controlled (and therefore untrusted) Normal World to verify its integrity, similarly to the mechanism implemented in Samsung's TIMA.
It can also access hardware peripherals, such as keyboards, screens or cryptoprocessors, in a secure and isolated manner to create trusted UIs, implement DRMs, etc. All the sensitive data and the critical interruptions are directly handled by the Secure World without ever passing through the Normal World.
During this practical two-day training, attendees will be introduced to the ARM TrustZone technology, the related problematics and how they can be answered using both hardware and software components using Samsung's TrustZone to illustrate the course. Once the OS running in the Trusted Execution Environment, or TEE-OS for short, has been extracted by the trainees on Samsung’s Exynos based Android platforms, they will be reverse-engineered to list the entry points, the differences with other TEE-OSs, the communication mechanisms, etc. The course will then focus on how to extract, reverse-engineer and communicate with trusted applications. Ultimately, the main objective of the training is for the attendees to get arbitrary code execution in trusted application and in a secure driver on Exynos by exploiting, now-fixed, vulnerabilities. The course ends by providing different tips to go further and presents the attack surface offered once code execution is reached in trusted applications and in secure drivers.
The training is optimally suited for:
This training introduces and details ARM TrustZone technologies through presentations and practical exercises on Samsung’s implementation. No pre-requisite in terms of knowledge on ARM TrustZone is needed for this course. At the end of the training, the participants will have gained a solid understanding of the underlying mechanisms used in popular ARM TrustZone implementations as well as developed tools and insights to perform reverse engineering, vulnerability research and exploitation efficiently. The main objective of this training is to gain code execution in Secure World User Mode (SEL0) by exploiting, now fixed, vulnerabilities found in a Trusted Application and a Secure Driver on certain past Android versions available for the Samsung Galaxy S6/S7 models. The different steps leading up to this objective are described in the agenda.
Alexandre Adamski is working at Quarkslab in the Data Analysis team. As an R&D engineer, his work includes reverse engineering, low-level systems, vulnerability exploitation, and his all time favorite: tools development. In his free time, he develops open-source tools and plugins (IDArling, AMIE, etc).
Joffrey Guilbon is a Security Researcher at Quarkslab working on mobile and embedded systems. His usual work includes low-level systems, reverse engineering (on several targets such as operating systems, trusted execution environment components, secure boot implementations, bootroms, etc.), vulnerability research, binary exploitation, and tools development to ease things out. In his free time he enjoys participating in Capture The Flag (CTF) competitions and in open-source projects (IDArling for example).