TEE Offensive Core - TEEPwn
2 Day u_short 16 CPE Hour Training: August 2020
Trusted Execution Environments (TEEs) are notoriously hard to secure due to the interaction between complex hardware and large trusted code bases (TCBs). The security provided by TEEs has been broken on a wide variety of devices, including mobile phones, smart TVs and even vehicles. Publicly disclosed TEE vulnerabilities were often exploited directly from the less-trusted Rich Execution Environment (REE). Many of these vulnerabilities were specific for TEEs and required novel exploitation techniques.
The TEEPwn experience provides an offensive system-level perspective and dives into the darker corners of TEE Security. It is designed with a system-level approach, where you will experience powerful exploitation of TEE vulnerabilities. The TEEPwn experience is hands-on, gamified and driven by an exciting jeopardy-style Capture the Flag (CTF).
Your journey starts by achieving a comprehensive understanding of TEEs, where you will learn how hardware and software concur to enforce effective security boundaries. You will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. You will then be challenged along the path to exploit them in multiple scenarios.
All vulnerabilities are identified and exploited on our emulated attack platform, implementing a 64-bit TEEs based on ARM TrustZone.
You will take on different roles, as an attacker in control of:
- the Rich Execution Environment (REE), attempting to achieve privileged code execution in the TEE
- the REE, trying to access assets protected by a Trusted Application (TA)
- a TA, aiming to escalate privileges to TEE OS
- a TA, accessing the protected assets of other TAs
TEEPwn will guide you into an unexpected range of attack vectors and TEE-specific exploitation techniques, which may be leveraged for novel and creative software exploits, refining your skills to a new level.
The TEEPwn experience consists of 4 exciting days during which we will give several lectures covering fundamental topics. Nonetheless, the emphasizes will be on the exciting hands-on exercises for which you will get a personal cloud-based Virtual Machine (VM) that can be accessed using modern browser.
The lectures are given through Zoom and a Discord server is available for support.
Key Learning Objectives
- Explore TEE security at the system level
- Gain strong understanding of TrustZone-based TEEs
- Identify vulnerabilities across the entire TEE attack surface
- Experience TEE-specific exploitation techniques.
Who Should Attend
- Security Analysts and Researchers, interested in new techniques, or
- Software Security Developers/Architects interested in defenses against attacks combining Hardware and Software.
- Trusted Execution Environment (TEE) Fundamentals
- TEE overview
- Security model
- ARM TrustZone-based TEEs
- TEE software components
- TEE attacker model
- TEE attacker surface
- Rich Execution Environment (REE) --> TEE attacks
- Secure Monitor
- TEE OS (SMC interface)
- Vulnerable SMC Handlers
- Broken Design
- Unchecked Pointers
- Restricted Writes
- Range Checks
- Rich Execution Environment (REE) --> TA attacks
- Communicating with TAs
- Global Platform APIs
- Type Confusion
- TOCTOU (Double Fetch)
- Trusted Application (TA) --> TEE attacks
- TEE OS (Syscall Interface)
- Unchecked pointers from TA
- Vulnerable Crypto primitives
- TA --> TA attacks
- State confusion attacks
Attendees are expected to have:
- Experience with C/C++ programming
- Experience with the ARM architecture (AArch64)
- Understanding of typical software vulnerabilities and their exploitation techniques
- Familiarity with reverse engineering and typical exploitation techniques
- Familiarity with modern OS security concepts
- Any modern computer with sufficient memory
- We advise to install and use the Chrome browser
- A stable Internet connection with sufficient bandwidth
Students will be provided with
- A personal cloud-based VM
- The exercise registry
- The exercise instructions
- The CTF server
Cristofaro has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs. He works as a Product Security Consultant, providing support for design and development of secure products. He also performs device-level security testing with advanced SW and HW techniques. Finally, he provides security training on low-level topics, usually lying at the boundaries of SW and HW.
He has contributed to development of TEE security evaluation methodologies and has been member of TEE security industry groups.
His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.