Professional Documents
Culture Documents
OUR TEAM
PRESENTATION OUTLINE
Current state of embedded security
Introduction to the ARM TrustZone technology
Samsung's TrustZone Overview
Trusted Components
Vulnerability Research Tools
Vulnerability Analysis
Exploitation
Post-Exploitation Demonstrations
2.1
CURRENT STATE OF
EMBEDDED SECURITY
2.2
TRADITIONAL ARCHITECTURE
Kernel unbreakable...?
OPERATING SYSTEM
2.3
STAGE 1
...
STAGE N
STAGE N+1
...
2.5
GUEST OS GUEST OS
HYPERVISOR
2.6
CPU
PERIPHERALS GPU PERIPHERALS GPU PERIPHERALS GPU
EEPROM RAM ROM SECURE EEPROM RAM ROM EEPROM RAM ROM
CPU
SECURE
COPROC
3.1
OVERVIEW
ARM TrustZone is a system-wide hardware isolation
mechanism
Hardware architecture
Partitioning of all the SoC's hardware and
PERIPHERALS GPU
software resources
TZPC, TZASC, TZMA, etc.
CPU CRYPTO HW OTP
Software architecture
EEPROM RAM ROM
Software implementation used in secure state
Communications between secure and non-
secure components
SoC
3.3
SNOITACILPPA
SNOITACILPPA
SNOITACILPPA
APPLICATIONS
DETSURT
DETSURT
DETSURT
REQUIRING operations
APPLICATIONS TRUSTED
FUNCTIONALITY Normal World
SUPPORT
Considered as
compromised by design
SECURE OS
Performs non-sensitive
EMBEDDED OS
TRUSTZONE
DRIVERS
operations
MONITOR
3.4
31 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
NS BIT [0]:
0SER
EWT
TEn
ECH
DCS
IWT
WA
QIF
QRI
WF
FIS
AE
RES0
SN
0 SECURE STATE
N
1 NON-SECURE STATE
BITS ADDED IN
AARCH64
3.5
SECURE MONITOR
3.6
PRIVILEGES SEPARATION
ARMv7 Privilege Levels ARMv8 Exception Levels
NORMAL WORLD SECURE WORLD NORMAL WORLD SECURE WORLD
USER MODE
(PL0)
APP APP APP APP APP APP EL0 APP APP APP APP APP APP
SUPERVISOR MODE
(PL1)
GUEST OS GUEST OS SECURE OS EL1 GUEST OS GUEST OS SECURE OS
HYPERVISOR MODE
(PL2)
HYPERVISOR EL2 HYPERVISOR
SNOITACILPPA
SNOITACILPPA
SNOITACILPPA
SNOITACILPPA
SNOITACILPPA
APPLICATIONS APPLICATIONS APPLICATIONS
DETSURT
DETSURT
DETSURT
DETSURT
DETSURT
DETSURT
REQUIRING REQUIRING REQUIRING
APPLICATIONS TRUSTED APPLICATIONS TRUSTED APPLICATIONS TRUSTED
FUNCTIONALITY FUNCTIONALITY FUNCTIONALITY
SUPPORT SUPPORT SUPPORT
MONITOR
(SYNCHRONOUS LIBRARY)
SECURE OS
TRUSTZONE TRUSTZONE TRUSTZONE
EMBEDDED OS DRIVERS EMBEDDED OS DRIVERS EMBEDDED OS DRIVERS MONITOR
MONITOR
3.9
OVERVIEW
Samsung Devices
Use both Samsung's Exynos and Qualcomm's Snapdragon
SoCs
The same phone models can have different SoCs
depending on the country
Samsung's TrustZone
Found only on Exynos SoCs
First used in the Samsung Galaxy S3
Trusted OS used:
Kinibi developed by Trustonic (Galaxy S3 to Galaxy S9)
TEEGRIS developed by Samsung (Galaxy S10)
Both are used in other models too
This talk will focus on Kinibi
4.3
PREVIOUS WORKS
Reverse Engineering Samsung S6 SBOOT (2-part article series)
by Fernand Lone Sang
ARM Trusted Firmware usage on Samsung devices and
extraction process from an OTA of the TEE-OS
TRUSTED
Drivers, daemons, libraries and
NORMAL WORLD SECURE WORLD
APPLICATION
COMMUNICATION
interfaces used for communicating
APP SiP/OEM SYSTEM SECURE DRIVERS
INTERFACE
(TCI)
CONTAINERS with the Secure World
SERVICE
PROVIDER SHARED SYSTEM DRIVER Communications pass through
PROVISIONING NON- TA TA
AGENT TRUSTED SECURE SMCs and shared memory buffers
APPLICATION MEMORY MCLIB
CONNECTOR TLAPI DRAPI
ROOT
PROVISIONING MOBICORE
AGENT COMMUNICATION DRCRYPT
INTERFACE
(MCI)
...
KINIBI CLIENT API
RUNTIME MANAGEMENT (RTM)
SHARED
KINIBI DAEMON NON-
SECURE SYSCALL
KINIBI EMBEDDED KERNEL MEMORY HANDLERS
DRIVERS OS KINIBI MICRO-KERNEL
SMC
MONITOR (ATF BL31)
TEE-OS
ATF
FORWARD TO CUSTOM TEE-OS HANDLER DISPATCHER
4.6
SECURE MONITOR
TRUSTED
ARM Trusted Firmware
NORMAL WORLD SECURE WORLD
APP
APPLICATION
COMMUNICATION SiP/OEM SYSTEM SECURE DRIVERS
Open-source reference
INTERFACE
(TCI)
CONTAINERS implementation of Secure World
SERVICE
PROVIDER SHARED SYSTEM DRIVER software provided by ARM
PROVISIONING NON- TA TA
AGENT TRUSTED SECURE Contains a modular secure
APPLICATION
ROOT
CONNECTOR
MEMORY
TLAPI
MCLIB
DRAPI monitor implementation
PROVISIONING
AGENT
MOBICORE
DRCRYPT
Custom SMC handlers, called
COMMUNICATION
INTERFACE
...
runtime services, can be added to
(MCI)
KINIBI CLIENT API
RUNTIME MANAGEMENT (RTM) t the vendors requirements
KINIBI DAEMON
SHARED
NON-
Example: runtime services are
SECURE
MEMORY
SYSCALL
HANDLERS used by Samsung to forward
KINIBI EMBEDDED KERNEL
DRIVERS OS KINIBI MICRO-KERNEL SMCs handled by Kinibi
SMC
MONITOR (ATF BL31)
TEE-OS
ATF
FORWARD TO CUSTOM TEE-OS HANDLER DISPATCHER
4.7
TRUSTED
Secure world based on a micro-
NORMAL WORLD SECURE WORLD
APP
APPLICATION
COMMUNICATION SiP/OEM SYSTEM SECURE DRIVERS
kernel architecture
INTERFACE CONTAINERS
SERVICE (TCI)
PROVIDER SHARED SYSTEM DRIVER
PROVISIONING NON- TA TA
AGENT TRUSTED SECURE
APPLICATION MEMORY MCLIB
CONNECTOR TLAPI DRAPI
ROOT
PROVISIONING MOBICORE
AGENT COMMUNICATION DRCRYPT
INTERFACE
...
(MCI)
KINIBI CLIENT API
RUNTIME MANAGEMENT (RTM)
SHARED
KINIBI DAEMON NON-
SECURE SYSCALL
KINIBI EMBEDDED KERNEL MEMORY HANDLERS
DRIVERS OS KINIBI MICRO-KERNEL
SMC
MONITOR (ATF BL31)
TEE-OS
ATF
FORWARD TO CUSTOM TEE-OS HANDLER DISPATCHER
4.8
RUN-TIME MANAGER
Special Secure World trusted application
SECURE WORLD
equivalent to the init process on Linux
SiP/OEM SYSTEM SECURE DRIVERS
CONTAINERS Main tasks
SYSTEM DRIVER
starting and managing processes
TA TA notifying trustlets of incoming data from
MCLIB
the NWd
TLAPI DRAPI
Implements communication channels
DRCRYPT Inter-Process Communications
... Mobicore Communication Interface (MCI)
RUNTIME MANAGEMENT (RTM)
A communication channel with the
Normal World based on the Mobicore
SYSCALL Control Protocol (MCP)
HANDLERS
KINIBI MICRO-KERNEL
4 . 10
TRUSTED APPLICATIONS
Secure World equivalent of regular
SECURE WORLD
applications in the Normal World (run at S-
SiP/OEM SYSTEM SECURE DRIVERS
CONTAINERS EL0)
SYSTEM DRIVER
Allow trusted third-parties to extend the
TA TA functionalities of the TEE-OS
MCLIB
Trusted UI, DRM, storage of secrets, etc.
TLAPI DRAPI
Signed binaries loaded directly from the
DRCRYPT Normal World (so are SDs)
...
SYSCALL
HANDLERS
KINIBI MICRO-KERNEL
4 . 12
MAIN FUNCTION
Communications with the Normal
STACK INITIALIZATION
TCI BUFFER SIZE CHECK
...
World made through world-shared
memory (named TCI buffer by
Trustonic)
tlApiWaitNotification The TCI buffer contains commands to
be handled by the trustlet
COMMAND #1
...
COMMAND #N TCI buffer contains commands to be
handled by the trustlet
HANDLER HANDLER
SECURE DRIVERS
Special type of Trusted Applications
SECURE WORLD
Run at S-EL0 but have higher software-de ne
SiP/OEM SYSTEM SECURE DRIVERS
CONTAINERS privileges
SYSTEM DRIVER
Have access to a richer set of API and syscalls
TA TA Are used by trustlets as an interface to access
MCLIB
physical memory and reach secure
TLAPI DRAPI
peripherals in a controlled manner
DRCRYPT Communications with TAs made through IPCs
... and shared memory
RUNTIME MANAGEMENT (RTM)
SYSCALL
HANDLERS
KINIBI MICRO-KERNEL
4 . 14
VULNERABILITY RESEARCH
TOOLS
5.2
ATTACK SURFACE
ATTACK SURFACE
ATTACK SURFACE
ATTACK SURFACE
ATTACK SURFACE
ATTACK SURFACE
Must be reacheable from the Normal World
ATF is open-source, probably heavily reviewed
Trusted Applications are low-hanging fruits
5.8
LOADER
5 . 10
mclf-ida-loader mclf-ghidra-loader
5 . 12
LOADER
SCRIPTS
5 . 13
After
Before
5 . 15
LOADER EMULATOR
SCRIPTS
5 . 16
TRUSTLETS EMULATOR
Based on Unicorn (external project)
Split into simple tasks:
Loading the MCLF binary
Mapping the shared memory buffer
Hooking the McLib functions
5 . 17
TRUSTLETS EMULATOR
python emulator.py *41.tlbin cmd1.bin --tci 0x40100 -v
[+] Binary is a trustlet
[+] Trustlet size = 0x1ba4c
[+] Mapping text section at 0x00001000 with a size of 0x4874
[+] Mapping data section at 0x00007000 with a size of 0x168
[+] Mapping BSS section at 0x00007168 with a size of 0x17070
[+] Mapping region at 0x07d00000 (0x1 bytes)
[+] Mapping TCI buffer at 0x00100000 with a size of 0x40100
[i] drApiLogvPrintf(u'ICCC:Trustlet ICCC::Starting\n')
[+] Loading input data
[i] drApiLogvPrintf(u'TL ICCC: we got a command: 1\n')
[i] drApiLogvPrintf(u'ICCC: Initialize failed - tamper fuse set\n')
[i] drApiLogvPrintf(u'ICCC: Measurements result ret = 65548, ret hex = 1000c\n')
[i] drApiLogvPrintf(u'iccc: ICCC save data@#\n')
[i] drApiLogvPrintf(u'Iccc_phys_read failed\n')
[i] drApiLogvPrintf(u'ICCC: check magic failed\n')
[i] drApiLogvPrintf(u'End of ICCC_Init, ret=1000c\n')
[i] drApiLogvPrintf(u'ICCC: Error writing Trustboot flag\n')
[+] tlApiNotify: Quitting!
5 . 18
LOADER EMULATOR
SCRIPTS FUZZER
5 . 19
TRUSTLETS FUZZER
Based on AFL_Unicorn (internal project)
Interfaces the fuzzer AFL with Unicorn
Usability and performance improvements
100% of the code is written in Python!
5 . 20
TRUSTLETS FUZZER
5 . 21
CRASH EXAMPLE
Command line:
'../tainter.py -s 1036 ffffffff000000000000000000000005.tlbin.elf -t -c coverage.txt'
Status:
Invalid symbolic memory access (mode:r)
SCRIPTS FUZZER
5 . 24
SOFTWARE STACK
CLIENT API
CONNECTOR
allocate TRUSTLET
MCOPEN
SESSION
WRITE TO
MCNOTIFY TLAPIWAIT
NOTIFICATION
WORLD READ FROM
SHARED
MEMORY
BUFFER
WRITE TO
MCWAIT TLAPINOTIFY
NOTIFICATION
READ FROM
MCCLOSE
SESSION
FREE
5 . 26
PYTHON BINDINGS
Writing C is tedious, writing Python is a lot easier
Bindings of the mcClient API called pymcclient
Provides various utilities: hexdump, (dis)assemble, etc.
Provides a command interpreter which is based on IPython
5 . 27
SCRIPT EXAMPLE
with Device(DEVICE_ID) as dev:
with dev.buffer(TCI_BUFFER_SIZE) as tci:
with open(TRUSTLET_FILE, "rb") as fd:
buf = fd.read()
app.notify()
app.wait_notification()
tci.seek(0)
print(tci.read_dword())
6.1
OVERVIEW
Target:
Samsung Galaxy S7 running Android 7.0
Main goal:
Obtaining code execution in EL3
Prerequisites:
Being part of the radio group
Being able to write les somewhere on the device
6.3
ATTACK PLAN
SOFTWARE MITIGATIONS
S7
S8
S9
6.5
POST-EXPLOITATION
7.2
TRUSTPWN FRAMEWORK
Based on the previous vulnerabilities
Internals
Uses the EL3 vulnerability to have arbitrary access to Kinibi
Adds a SVC and a drApi function to execute code in S-EL1
"natively"
SVCs and drApi functions are referenced in pointer
arrays
Usage
Read or write memory arbitrarily
Execute code in S-EL1 and EL3
7.3
DEMO
DrApi 0x1030
Takes four possible command IDs (0xAA, 0xAB, 0xAC, 0xAD)
The interesting one is 0xAB
Wrapper around SMC 0xB2000005
SMC 0xB2000005
SMC arguments:
R0: SMC ID
R0: command number (four possible values [0-3])
R1: number of bytes to read
Reads 0x10 bytes of the master key at 0x101E4000
7.5
DEMO
Second check
ROM:000073E0 BL tlApiSignatureVerify
ROM:000073E4 CBNZ R0, loc_73FA
ROM:000073E6 LDRB.W R0, [SP,#0x1C0+var_48]
7 . 10
DEMO
Trusted-OS Instrumentation
7 . 11
TRUSTED-OS INSTRUMENTATION
Methodology
Handles ARMv7 and Thumb
Based on the Unde ned Instruction exception
Unde ned Instruction handler is replaced by our own code
Patch an instruction with the ARM unde ned instruction UDF
0xNNNN
When a breakpoint triggers the current context of the CPU is
saved
Current context is saved
Overwritten instruction is executed
8.1
THANK YOU!