You are on page 1of 33

Reflections on Trusting TrustZone

Dan Rosenberg

What is TrustZone?

"ARM TrustZone technology is a system-


wide approach to security for a wide array of
client and server computing platforms including
handsets tablets wearable devices and
enterprise systems! Applications enabled by the
technology are e"tremely varied but include
payment protection technology digital rights
management #$%D and a host of secured
enterprise solutions!"

TrustZone Architecture
& 'mage courtesy ARM (td!

Real-World Uses

DRM )*ide+ine ,layReady DT-,-',.

/ecure 0ey storage )dm-verify.

Mobile payments

,rotected hardware )framebuffer ,'1 entry.

Management of secure boot )via 23uses.

4ernel integrity monitoring )T'MA.



Prior Work

"1e"t 5eneration Mobile Root0its" )Thomas


Roth 6789.

":nloc0ing the Motorola #ootloader" )A;imuth


/ecurity 6789.

Maybe a few <T- /-%33 e"ploits


)undocumented.

<igh value target

+ery little public research=scrutiny


Motivation

Target

2ualcomm /ecure >"ecution >nvironment


)2/>>.

Ma?ority mar0et share among mid=high-end


Android phones

/amsung 5/@=5/A=1ote9 (5 1e"us @=1e"us


A=56=59 Moto B <T- %ne series!!!

Toolchain

TrustZone images included in firmware


available online or pulled from devices

'DA ,ro

2ualcomm loader for earlier TZ now itCs >(3



Attack Surface

/oftware e"ceptionsD /ecure Monitor -all


)/M-. interface

<ardware e"ceptionsD 'R2 3'2 e"ternal abort

/hared memory interface )mostly Mobi-ore.

eMM- flash )e!g! secure boot.

Trustlet-specific calls

Attacker Assumptions

Arbitrary code e"ecution on device

>"tremely minimal remote attac0 surface

4ernel privileges

Ability to issue /M- instructions

%therwise practically no ability to interact with


TrustZone directly

-rashes=Do/ bugs are not security relevant

The 0ernel can already bring down the device



S!! S"M #nterface

-ode in 2ualcomm trees )-A3. at


arch/arm/mach-msm/scm.c

1ot a typoD 2ualcomm chose /-M )E/ecure


-hannel ManagerF. as name for (inu" 0ernel
driver that interacts with 2/>> via /M-

Two calling conventionsD call-by-register or


reGuest=response structures

S"M "all-$%-Register "onvention

(oad r0 with %RCd value containing /M-


command number flags and number of
argumentsD
#define SCM_ATOMIC(svc, cmd, n) (((((svc) << 10)|((cmd) & 0x3ff)) << 12) | \
SCM_CASS_!"#IST"! | \
SCM_MAS$_I!%S | \
(n & 0xf))

Arguments go in r1,r2,...,rN

S"M "ommand Structures
s&'(c& scm_c)mm*nd +
(32 ,en-
(32 .(f_)ffse&-
(32 'es/_0d'_)ffse&-
(32 id-
(32 .(f102-
3-
ReGuest header
ReGuest buffer
Response header
Response buffer
s&'(c& scm_'es/)nse +
(32 ,en-
(32 .(f_)ffse&-
(32 is_c)m/,e&e-
3-

Structure Sanit% "hecking
8! cmd!len HI 8J
)-ommand length is greater than si;e of reGuest header.
6! cmd!bufKoffset L cmd!len
)/tart of reGuest buffer resides inside command buffer.
9! cmd!bufKoffset HI 8J
)ReGuest buffer does not overlap with reGuest header.
@! cmd!respKhdrKoffset LI cmd!len M 86
)>ntire response header resides inside command buffer.
A! &see'is'ns'memor%(cmd) cmd*len+ returns true &see'is'ns'memor%(cmd) cmd*len+ returns true
(!ntire command $uffer resides in non-secure memor%+ (!ntire command $uffer resides in non-secure memor%+

Secure Memor% "hecking

/eries of functions to chec0 if memory is


"protected"

<ard-coded list of regions with flags to indicate


memory attributes

Analogous to (inu" 0ernelCs accessKo0).


chec0s

E's this memory is safe for TZ to operate onNF



#nteger ,verflo- .ulnera$ilit%

Ta0e another loo0 at the invocation of secure


memory chec0ing in validating the /-M
command structureD
4see_is_ns_mem)'5(cmd, cmd6,en)

*hat if )cmd O cmd!len. overflows 96-bit


integerN

Secure Memor% "hecking
Pseudocode
in& 4see_is_ns_mem)'5(,)n7 *dd', ,)n7 si8e)
+
'e&('n 4see_'*n7e_n)&_in_'e7i)n(4see_'e7i)n_,is&, *dd', addr+size addr+size)-
3
in& 4see_'*n7e_n)&_in_'e7i)n(v)id 9'e7i)n_,is&, ,)n7 s&*'&, ,)n7 end)
+
,)n7 &m/-
if (end < start) { if (end < start) {
tmp = start; tmp = start;
start = end; start = end;
end = tmp; end = tmp;
} }
:9 ;*,id*&e &0*& s&*'& &) end d)esn<& )ve',*/
9 sec('e ,is& 9:
666
3

Pathological "ommand /uffer
8! cmd!len HI 8J
6! cmd!bufKoffset L cmd!len
9! cmd!bufKoffset HI 8J
@! cmd!respKhdrKoffset LI cmd!len M 8J
A! GseeKisKnonsecureKmemory)cmd cmd!len. returns true
cmd6,en = 0xfffff000
cmd6.(f_)ffse& = 0xffffe000
cmd6'es/_0d'_)ffse& =
*'.i&'*'5 v*,(e < 0xfffff000

What is Written to Response
,utput?

<ard-coded response buffer for all reGuests


that receive outputD
's/6,en = 12-
's/6.(f_)ffse& = 12-
's/6is_c)m/,e&e = 1-

Result0 Ar$itrar% Secure Memor%
Write Primitive

#y crafting /M- reGuest to e"ploit integer


overflow possible to cause 2/>> to write three
words )7"7777777c 7"7777777c 7"77777778.
to response structure which can reside in
arbitrary secure memoryP

-an we achieve arbitrary secure code


e"ecutionN

1o- "an This /e !2ploited?

Memory layout of 2/>> is 0nown

'mage resides unencrypted on eMM- flash

(oaded at 0nown physical address

Most of RAM is non-secure memory

-anCt we ?ust clobber part of a function pointer


in secure memory to point to our non-secure
payload and triggerN

e!g! 7"deadbeef Q 7"cadbeef



Sorcer%3

This doesnCt appear to wor0

/uspect 2/>> has mechanism to prevent TZ


e"ecution from non-secure pages

:ndocumented blac0 hole

Any 2ualcomm or ARM employees in the


audienceN

/uilding /etter Primitives

A 86-byte uncontrolled write ma0es e"ploitation


somewhat difficult

:naligned writes clobber e"tra words


potentially unstable

Minimal options for redirecting pointers to non-


secure memory

<ow can we use this to build a more fle"ible


primitiveN

Region 4ists Revisited

(ist of protected memory regions composed of


structures similar to the followingD
s&'(c& 4see_mem)'5_'e7i)n +
in& id-
in& f,*7s-
(nsi7ned ,)n7 s&*'&-
(nsi7ned ,)n7 end-
3

Region 4ist "orruption

:se 86-byte write to clobber flags start and


end addresses for entry corresponding to the
2/>> image

ResultD all chec0s intended to ensure safety of


user-provided output pointers pass

1ow we can write arbitrary secure memory with


any value written as output by 2/>>P

"hoosing A 5e- Write Primitive

>numerate /M- handlers

>liminate those that donCt write any output

-hoose best option based on tas0 at hand

#ut then whatN



SM" 1andler Ta$le

'n 2/>> /M- table entries are variable lengthD


s&'(c& smc_en&'5 +
(nsi7ned in& smc_n(m-
c0*' 90*nd,e'_n*me-
(nsi7ned in& f,*7s-
in& (9smc_0*nd,e')()-
(nsi7ned in& n(m_*'7s-
(nsi7ned in& *'7_,ens12-
3

'terates through table using num_args to


calculate entry length matching against
smc_num

SM" Ta$le !2tension Attack

:se arbitrary secure memory write to modify


num_args field of /M- table entry

>"pand si;e of entry so iterator ?umps to


supposed ne"t entry in attac0er-controlled non-
secure memory

-reate fa0e entry to call arbitrary 2/>>


functions with arbitrary argumentsP

Ar$itrar% TZ "ode !2ecution

3ind memcpy copy all of secure memory to a


non-secure buffer brea0 all DRM=secure 0ey
storage

Disable T'MA

'nvo0e %>M-specific functionality to e!g! unloc0


the bootloader permanently D-.

D>M%P

4essons 4earned

Analysis=e"ploitation is made much easier due


to lac0 of encryption of TZ image

-ompare to i%/

,arsing of comple" data structures is an


obvious li0ely point of failure

As a vuln researcher learn to trust your gut

'f it loo0s s0etchy it probably is



4essons 4earned

/ingle points of failure are a bad idea

-ompare MotorolaCs secure boot to /amsungCs

'mproving security by minimi;ing attac0 surface


is a good idea but feature creep will eliminate
this advantage entirely

Mar0eting does not eliminate software bugs



2uestionsN