Hands-On TrustZone TEE Security


Trainer: Marcel Busch

Date: 27th to 29th May 2025

Time: 9:00am to 5:30pm PDT

Venue: Santa Clara Marriott

Training Level: Basic to Intermediate


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

ARM TrustZone-based Trusted Execution Environments (TEEs) form the backbone of the security architecture for a diverse array of devices, including smartphones, tablets, smart TVs, automotive infotainment systems, and drones. Over the past decade, numerous design and implementation flaws in TrustZone TEE implementations have been uncovered, exposing critical vulnerabilities that compromise the integrity and confidentiality these systems aim to guarantee. These flaws often stem from recurring TrustZone TEE-specific patterns. This training provides a hands-on, offensive-focused exploration of these vulnerabilities, equipping participants with a comprehensive understanding of the flaws and pitfalls in modern TrustZone TEE implementations.

In this training, you will gain a deep, hands-on understanding of ARM TrustZone TEEs from both a system-level perspective and an offensive security lens. Drawing from real-world research, you’ll learn to analyze system designs to intuitively identify vulnerabilities, explore hardware primitives that enforce isolation and confidentiality, and master the key "do's and don'ts" of TrustZone TEE design.

On an emulated training platform designed for 64-bit ARM TrustZone TEE implementations, you will put theory into practice. Through an engaging Capture-the-Flag (CTF) experience, you’ll execute a variety of attacks, demonstrating firsthand the real-world impact of design and implementation flaws specific to TEEs.

Finally, you’ll explore advanced techniques to fuzz critical TEE components, including the secure monitor and Trusted Applications (TAs), giving you practical skills to assess and challenge TrustZone security implementations.

By the end of this training, you’ll not only have sharpened your offensive security skills but also developed a robust understanding of the intricacies of TrustZone TEEs.


What to Expect? | Key Learning Objectives:

  • Understand TrustZone TEEs from the ground up
  • Map the attack surface of and identify vulnerabilities within TrustZone TEEs
  • Understand TrustZone-specific design and implementation flaws
  • Exploit vulnerabilities in TrustZone TEEs

Training Detailed Description:

This three-day training is structured to provide you with a comprehensive learning experience that combines theoretical insights and practical application. During the official training hours, you will attend engaging lectures designed to deepen your understanding of ARM TrustZone TEE security, covering key concepts, vulnerabilities, and offensive techniques.

In addition to the lectures, you’ll participate in hands-on practical exercises that reinforce the material covered. These exercises, including a dynamic Capture-the-Flag (CTF), can be completed both during and outside of the official training hours, allowing you the flexibility to explore and experiment at your own pace. This structure ensures you gain both the knowledge and the practical skills to effectively analyze and exploit TrustZone TEE vulnerabilities.

During the three-day training, we will cover a broad range of TEE security topics, including:

  • Foundation
      • What is a TEE?
      • TrustZone, SGX, SEV, and friends
  • ARM TrustZone Overview
      • Use cases
      • Security model
      • Attack surface
      • TEEs in-the-wild: the Android TEE Ecosystem
  • Trusted Applications
      • Talking to TAs: the GlobalPlatform APIs
      • Sharing memory pitfalls (the semantic gap)
      • GlobalConfusion attacks
      • Time-of-Check-Time-of-Use attacks
      • Rollback attacks
      • Code confidentiality
      • Cryptographic key protection pitfalls
      • Exploit mitigations
      • Fuzzing TAs
  • Secure Monitors
      • ARM Trusted Firmware-A
      • Design and implementation flaws in SMC handlers
      • Fuzzing Secure Monitors
  • Trusted Operating Systems
      • System call interface
      • GlobalPlatform APIs
      • Design and implementation flaws in Trusted OS system calls and drivers

Who Should Attend? | Target Audience:

  • Security researchers and engineers interested in TrustZone TEE security
  • Pen testers, bug bounty hunters, and forensic investigators interested in an offensive TrustZone TEE perspective

What to Bring? | Software and Hardware Requirements:

  • Modern laptop capable of smoothly running an Ubuntu VM compiled for 64-bit x86 (e.g., using VMware or VirtualBox)
  • At least 30 GB of free disk space for the VM

What to Bring? | Prerequisite Knowledge and Skills:

  • Basic systems programming experience in C
  • Experience with the ARM architecture (aarch64)
  • Good understanding of computer architecture and systems concepts
  • Familiarity with reverse engineering (aarch64)

Resources Provided at the Training | Deliverables:

  • Ubuntu (64-bit x86) VM with training contents
  • CTF competition platform access

ABOUT THE TRAINERS

Marcel Busch (@0ddc0de) holds a PhD in Computer Science with a specialization in cybersecurity, bringing a wealth of expertise and hands-on experience to the training. In his past research he broke proprietary TEEs, fuzzed TAs, identified the GlobalConfusion design weakness, performed large-scale rollback attacks, and fuzzed secure monitors.

As an experienced educator, Marcel has delivered university-level lectures to large audiences. Additionally, he organized weekly Capture-the-Flag (CTF) meetings and workshops on reverse engineering and binary exploitation. As a passionate CTF enthusiast, Marcel has captured flags in dozens of competitions as a member of renowned teams such as FAUST, Shellphish, polygl0ts, and the Organizers.

Marcel's unique combination of academic rigor, practical expertise, and competitive experience makes him an exceptional trainer for this hands-on security course.