You are on page 1of 33

Reflections on Trusting TrustZone

Dan Rosenberg

What is TrustZone?

"ARM TrustZone technology is a system-

wide approach to security for a wide array of
client and server computing platforms including
handsets tablets wearable devices and
enterprise systems! Applications enabled by the
technology are e"tremely varied but include
payment protection technology digital rights
management #$%D and a host of secured
enterprise solutions!"

TrustZone Architecture
& 'mage courtesy ARM (td!

Real-World Uses

DRM )*ide+ine ,layReady DT-,-',.

/ecure 0ey storage )dm-verify.

Mobile payments

,rotected hardware )framebuffer ,'1 entry.

Management of secure boot )via 23uses.

4ernel integrity monitoring )T'MA.

Prior Work

"1e"t 5eneration Mobile Root0its" )Thomas

Roth 6789.

":nloc0ing the Motorola #ootloader" )A;imuth

/ecurity 6789.

Maybe a few <T- /-%33 e"ploits


<igh value target

+ery little public research=scrutiny



2ualcomm /ecure >"ecution >nvironment


Ma?ority mar0et share among mid=high-end

Android phones

/amsung 5/@=5/A=1ote9 (5 1e"us @=1e"us

A=56=59 Moto B <T- %ne series!!!


TrustZone images included in firmware

available online or pulled from devices

'DA ,ro

2ualcomm loader for earlier TZ now itCs >(3

Attack Surface

/oftware e"ceptionsD /ecure Monitor -all

)/M-. interface

<ardware e"ceptionsD 'R2 3'2 e"ternal abort

/hared memory interface )mostly Mobi-ore.

eMM- flash )e!g! secure boot.

Trustlet-specific calls

Attacker Assumptions

Arbitrary code e"ecution on device

>"tremely minimal remote attac0 surface

4ernel privileges

Ability to issue /M- instructions

%therwise practically no ability to interact with

TrustZone directly

-rashes=Do/ bugs are not security relevant

The 0ernel can already bring down the device

S!! S"M #nterface

-ode in 2ualcomm trees )-A3. at


1ot a typoD 2ualcomm chose /-M )E/ecure

-hannel ManagerF. as name for (inu" 0ernel
driver that interacts with 2/>> via /M-

Two calling conventionsD call-by-register or

reGuest=response structures

S"M "all-$%-Register "onvention

(oad r0 with %RCd value containing /M-

command number flags and number of
#define SCM_ATOMIC(svc, cmd, n) (((((svc) << 10)|((cmd) & 0x3ff)) << 12) | \
SCM_CASS_!"#IST"! | \
SCM_MAS$_I!%S | \
(n & 0xf))

Arguments go in r1,r2,...,rN

S"M "ommand Structures
s&'(c& scm_c)mm*nd +
(32 ,en-
(32 .(f_)ffse&-
(32 'es/_0d'_)ffse&-
(32 id-
(32 .(f102-
ReGuest header
ReGuest buffer
Response header
Response buffer
s&'(c& scm_'es/)nse +
(32 ,en-
(32 .(f_)ffse&-
(32 is_c)m/,e&e-

Structure Sanit% "hecking
8! cmd!len HI 8J
)-ommand length is greater than si;e of reGuest header.
6! cmd!bufKoffset L cmd!len
)/tart of reGuest buffer resides inside command buffer.
9! cmd!bufKoffset HI 8J
)ReGuest buffer does not overlap with reGuest header.
@! cmd!respKhdrKoffset LI cmd!len M 86
)>ntire response header resides inside command buffer.
A! &see'is'ns'memor%(cmd) cmd*len+ returns true &see'is'ns'memor%(cmd) cmd*len+ returns true
(!ntire command $uffer resides in non-secure memor%+ (!ntire command $uffer resides in non-secure memor%+

Secure Memor% "hecking

/eries of functions to chec0 if memory is


<ard-coded list of regions with flags to indicate

memory attributes

Analogous to (inu" 0ernelCs accessKo0).


E's this memory is safe for TZ to operate onNF

#nteger ,verflo- .ulnera$ilit%

Ta0e another loo0 at the invocation of secure

memory chec0ing in validating the /-M
command structureD
4see_is_ns_mem)'5(cmd, cmd6,en)

*hat if )cmd O cmd!len. overflows 96-bit


Secure Memor% "hecking
in& 4see_is_ns_mem)'5(,)n7 *dd', ,)n7 si8e)
'e&('n 4see_'*n7e_n)&_in_'e7i)n(4see_'e7i)n_,is&, *dd', addr+size addr+size)-
in& 4see_'*n7e_n)&_in_'e7i)n(v)id 9'e7i)n_,is&, ,)n7 s&*'&, ,)n7 end)
,)n7 &m/-
if (end < start) { if (end < start) {
tmp = start; tmp = start;
start = end; start = end;
end = tmp; end = tmp;
} }
:9 ;*,id*&e &0*& s&*'& &) end d)esn<& )ve',*/
9 sec('e ,is& 9:

Pathological "ommand /uffer
8! cmd!len HI 8J
6! cmd!bufKoffset L cmd!len
9! cmd!bufKoffset HI 8J
@! cmd!respKhdrKoffset LI cmd!len M 8J
A! GseeKisKnonsecureKmemory)cmd cmd!len. returns true
cmd6,en = 0xfffff000
cmd6.(f_)ffse& = 0xffffe000
cmd6'es/_0d'_)ffse& =
*'.i&'*'5 v*,(e < 0xfffff000

What is Written to Response

<ard-coded response buffer for all reGuests

that receive outputD
's/6,en = 12-
's/6.(f_)ffse& = 12-
's/6is_c)m/,e&e = 1-

Result0 Ar$itrar% Secure Memor%
Write Primitive

#y crafting /M- reGuest to e"ploit integer

overflow possible to cause 2/>> to write three
words )7"7777777c 7"7777777c 7"77777778.
to response structure which can reside in
arbitrary secure memoryP

-an we achieve arbitrary secure code


1o- "an This /e !2ploited?

Memory layout of 2/>> is 0nown

'mage resides unencrypted on eMM- flash

(oaded at 0nown physical address

Most of RAM is non-secure memory

-anCt we ?ust clobber part of a function pointer

in secure memory to point to our non-secure
payload and triggerN

e!g! 7"deadbeef Q 7"cadbeef


This doesnCt appear to wor0

/uspect 2/>> has mechanism to prevent TZ

e"ecution from non-secure pages

:ndocumented blac0 hole

Any 2ualcomm or ARM employees in the


/uilding /etter Primitives

A 86-byte uncontrolled write ma0es e"ploitation

somewhat difficult

:naligned writes clobber e"tra words

potentially unstable

Minimal options for redirecting pointers to non-

secure memory

<ow can we use this to build a more fle"ible


Region 4ists Revisited

(ist of protected memory regions composed of

structures similar to the followingD
s&'(c& 4see_mem)'5_'e7i)n +
in& id-
in& f,*7s-
(nsi7ned ,)n7 s&*'&-
(nsi7ned ,)n7 end-

Region 4ist "orruption

:se 86-byte write to clobber flags start and

end addresses for entry corresponding to the
2/>> image

ResultD all chec0s intended to ensure safety of

user-provided output pointers pass

1ow we can write arbitrary secure memory with

any value written as output by 2/>>P

"hoosing A 5e- Write Primitive

>numerate /M- handlers

>liminate those that donCt write any output

-hoose best option based on tas0 at hand

#ut then whatN

SM" 1andler Ta$le

'n 2/>> /M- table entries are variable lengthD

s&'(c& smc_en&'5 +
(nsi7ned in& smc_n(m-
c0*' 90*nd,e'_n*me-
(nsi7ned in& f,*7s-
in& (9smc_0*nd,e')()-
(nsi7ned in& n(m_*'7s-
(nsi7ned in& *'7_,ens12-

'terates through table using num_args to

calculate entry length matching against

SM" Ta$le !2tension Attack

:se arbitrary secure memory write to modify

num_args field of /M- table entry

>"pand si;e of entry so iterator ?umps to

supposed ne"t entry in attac0er-controlled non-
secure memory

-reate fa0e entry to call arbitrary 2/>>

functions with arbitrary argumentsP

Ar$itrar% TZ "ode !2ecution

3ind memcpy copy all of secure memory to a

non-secure buffer brea0 all DRM=secure 0ey

Disable T'MA

'nvo0e %>M-specific functionality to e!g! unloc0

the bootloader permanently D-.


4essons 4earned

Analysis=e"ploitation is made much easier due

to lac0 of encryption of TZ image

-ompare to i%/

,arsing of comple" data structures is an

obvious li0ely point of failure

As a vuln researcher learn to trust your gut

'f it loo0s s0etchy it probably is

4essons 4earned

/ingle points of failure are a bad idea

-ompare MotorolaCs secure boot to /amsungCs

'mproving security by minimi;ing attac0 surface

is a good idea but feature creep will eliminate
this advantage entirely

Mar0eting does not eliminate software bugs