
TEE Offensive Core

11th - 12th June 2019 | 2 Days


Cristofaro Mune


TEEs (Trusted Execution Environments), with their interactions of complex hardware and extensive software TCBs, are notoriously hard environments to secure.

Would you like to develop a new understanding of TEE security? Know TEEs beyond obvious interfaces? Become familiar with unexplored corners and thinking? Identify new vulnerability classes? Develop a methodical approach for building creative attacks and solid defense strategies?

Then, this training is for you!

“TEE Offensive Core” is a unique training for gaining a deep technical understanding of TEEs. Security challenges, potential pitfalls and vulnerabilities are explored with multiple threat models, across the entire TEE attack surface. Obscure attack vectors included.

The training is organized in a methodical flow, with an attacker-oriented perspective, and delivered at an exciting pace. At the end of the training, students will be able to understand the complexities of modern TEEs, identify non-obvious SW attack surfaces, and have knowledge of relevant and new vulnerability classes.

Students are guided through the topics by means of innovative content, analysis of real, public case studies and tailored exercises.

The training is supported by purposely modified codebases, based on OP-TEE and ARM Trusted Firmware. Public attacks ported to the training codebase allow for close simulation of real vulnerabilities. Specially crafted exercises support discussion and understanding of new vulnerability classes.

Exploitation and remediation are also analyzed for all vulnerabilities. The training codebase also runs in an emulated target, where exploitation is performed for some of the vulnerabilities.

Presentations, interactive sessions, open questions and exercises are all mixed into a high-intensity training, with attention to interest span curves. An in-class, jeopardy-style CTF supports the training, covering all its phases, from understanding of concepts to vulnerability identification and exploitation, with related flags.

You are going to be challenged overall. So, better be prepared!

Participants are expected to have sound knowledge of modern OS security concepts, familiarity with C/C++ programming and SW vulnerabilities, and basic knowledge of ARM architecture and exploitation. Experience with OS-level source code reviews, binary reverse engineering and SoC-level HW security may be greatly beneficial during the overall course.

The instructor has several years of experience in security evaluation and testing of TEEs, both at the SW and HW level, while also being a professional technical trainer.


The following topics are covered during the training:

  • TEE and TEE SW security concepts
    • TEE security model
    • TEE HW & SW components roles
  • ARM TrustZone-based TEEs
    • Security model and TEE HW primitives
    • TEE SW components
  • TEE SW attack surfaces
    • REE attacker model
    • TA attacker model
    • Physical attacker model
  • TEE runtime and attacks
    • REE-based
    • TA-based
  • TEE initialization and attacks
    • Secure Boot
    • Bootloaders
    • TEE HW initialization
  • TEE configuration and attacks
    • Understand TEE configurations
    • Attack examples

Who should attend?

The training is intended for both a defensive and offensive-oriented audience:

  • Security Analysts and Researchers, interested in top-notch understanding of TEE security.
  • SW Security Developers or Security Architects, interested in sound TEE design and robust TEE SW implementations.

What should attendees bring?

A notebook:

  • capable of running VMware Fusion, Workstation or the free VMware Player
  • with one of the above VMware products installed
  • with 40GB available disk space

What will be provided?

  • A VMware image with all the tools and code needed for the exercises


Cristofaro Mune is a Product Security consultant, providing support for the design and development of secure products. He also performs device-level security testing with advanced SW and HW techniques. He has more than 17 years of experience in (SW & HW) security assessment of highly secure products, as well as several years in TEE security evaluation and testing. He has also contributed to the development of TEE security evaluation methodologies and has been a member of TEE security industry groups. His research on Fault Injection, TEE security, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
Twitter handle: @pulsoid