SlideShare a Scribd company logo

[若渴] Preliminary Study on Design and Exploitation of Trustzone

Aj MaChInE
Aj MaChInE

"Preliminary" 就是沒讀很多的意思,持續閱讀中,做個初步整理。

Education
1 of 25
Download to read offline
“Preliminary” Study on Design and Exploitation of Trustzone @若渴 2018.3.24 <ajblane0612@gmail.com> AjMaChInE
Outline • Design category of using trustzone • TEE Exploitation
Isolation Process Isolation -> Kernel Isolation-> Function Isolation (symmetrically call – non-preemptive) [0]
ARM TrustZone Technology “It aims at enabling the creation of an execution environment, for protecting the confidentiality and integrity of critical code, allowing that code to be executed isolated from the main operating system (OS).” [0] EL3 EL1 EL0
Design Category of Using TrustZone • Security services • Virtualization • Development frameworks
Security Services • DroidVault [1] • TrustOTP [2] • TZ-RKP [3]
DroidVault - Allowing the Secure Management of Storage [1] R0,R1 R2,R3
TrustOTP - Information Leakage of OTP [2]
Why to Use Reliable Switch [2] • SMC instruction – When REE (Normal) Kernels are compromised • Secure Interrupt – Non-maskable GPIO-2 Secure Interrupt
Reliable Switch - Non-Maskable Interrupt (NMI) Mechanism [2] • Non-maskable GPIO-2 Secure Interrupt Central Security Unit (CSU)
TZ-RKP: Avoid Bypassing the Memory Protection using Double Mapping [3]
TZ-RKP: Control Instruction Emulation and Trapping Translation Table Updates
Trsut-RKP OS Virtaul Memory Layout [3]
Virtualization
vTZ: When TEE OS is Compromised [4]
(c) is an Excellent Design [4]
Development Frameworks [0] TrusrFrame [0]
GlobalPlatform API ARM Trustzone API GlobalPlatform API ARM Trustzone ARM Trustzone Intel SGX
E.G. OP-TEE
E.G. TrustFrame [0] (ioctl)
Exploitation • Semantic gap (BOOMERANG) [5] • Revoke vulnerable trustlets [6]
Semantic Gap • [利用特性] – the secure world always maintains complete control over and visibility into the non-secure world (similar to a hypervisor and its guests) – Visibility: the secure world and its associated TAs have the ability to read and write to non-secure world memory • BOOMERANG (自食其果~”~) exploits the semantic gap inherent to the design of all the current TEE implementations.
BOOMERANG – PTR as DATA cannot be Checked [5]
Revocation • QSEE revocation – The Attestation certificate preventing “rolling back” to older versions of the software image – 但 all trustlets share the same image identifier • Kinibi revocation – Reverse-engineer the bootloader binary including TEE kernel – 沒有DOC ->找到TEE kernel->又找到parsing signature->解出the structure of the signature – 但直接送有問題的tasklet就可@@a [6]
Reference • [0] 2016, Joao Rocheteau Ramos, TrustFrame, a Software Development Framework for TrustZone-enabled Hardware • [1] 2014, Xiaolei Li, DroidVault- A Trusted Data Vault for Android • [2] 2015, He Sun, etc., TrustOTP- Transforming Smartphones into Secure One-Time Password Tokens • [3] 2014, Ahmed M Azab, etc. Hypervision Across Worlds : Real- time Kernel Protection from the ARM TrustZone Secure World • [4] 2017, Zhichao Hua, etc. vTZ- Virtualizing ARM TrustZone • [5] 2017, Nick Stephens, etc. Boomerang- Exploiting the Semantic Gap in Trusted Execution Environments • [6] 2017, Gal Beniamini, Trust Issues-Exploiting TrustZone TEEs

Recommended

Platform Security Presentation
Platform Security PresentationPlatform Security Presentation
Platform Security Presentation
Tyson Key
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
Michael Boelen
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
 
Kevin wharram
Kevin wharramKevin wharram
Kevin wharram
Kevin Wharram
 
HCLOS.Reduce to 600 dpi average quality
HCLOS.Reduce to 600 dpi average qualityHCLOS.Reduce to 600 dpi average quality
HCLOS.Reduce to 600 dpi average quality
Vinayak Wadhwa
 
I3 product &amp; solutions details 2016
I3 product &amp; solutions details 2016I3 product &amp; solutions details 2016
I3 product &amp; solutions details 2016
Denny NS
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network Security
Eng Teong Cheah
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat Security Conference
 

Recommended

Platform Security Presentation
Platform Security PresentationPlatform Security Presentation
Platform Security Presentation
Tyson Key
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
Michael Boelen
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
 
Kevin wharram
Kevin wharramKevin wharram
Kevin wharram
Kevin Wharram
 
HCLOS.Reduce to 600 dpi average quality
HCLOS.Reduce to 600 dpi average qualityHCLOS.Reduce to 600 dpi average quality
HCLOS.Reduce to 600 dpi average quality
Vinayak Wadhwa
 
I3 product &amp; solutions details 2016
I3 product &amp; solutions details 2016I3 product &amp; solutions details 2016
I3 product &amp; solutions details 2016
Denny NS
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network Security
Eng Teong Cheah
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat Security Conference
 
6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software
Ievgenii Katsan
 
HiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationHiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentation
VEDLIoT Project
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
Kurtis Kemple
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 
Oracle super cluster m7
Oracle super cluster m7Oracle super cluster m7
Oracle super cluster m7
OTN Systems Hub
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
ssusere142fe
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
Kevin Mayo
 
Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5
Luc Wijns
 
Cont0519
Cont0519Cont0519
Cont0519
Samuel Dratwa
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax
 
HAcktive Directory - Microsoft Meetup July 2020
HAcktive Directory - Microsoft Meetup July 2020HAcktive Directory - Microsoft Meetup July 2020
HAcktive Directory - Microsoft Meetup July 2020
Yossi Sassi
 
Nelson: Rigorous Deployment for a Functional World
Nelson: Rigorous Deployment for a Functional WorldNelson: Rigorous Deployment for a Functional World
Nelson: Rigorous Deployment for a Functional World
Timothy Perrett
 
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLEDATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
ijdms
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Kuniyasu Suzaki
 
Clonetab flyer
Clonetab flyerClonetab flyer
Clonetab flyer
Venkata Meka
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Riscure
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
Cristofaro Mune
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
Sqreen
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
Drew Moseley
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Ramesh Nagappan
 
An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
Aj MaChInE
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
Aj MaChInE
 

More Related Content

Similar to [若渴] Preliminary Study on Design and Exploitation of Trustzone

Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
Kurtis Kemple
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax
 
Nelson: Rigorous Deployment for a Functional World
Nelson: Rigorous Deployment for a Functional WorldNelson: Rigorous Deployment for a Functional World
Nelson: Rigorous Deployment for a Functional World
Timothy Perrett
 
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLEDATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
ijdms
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
Cristofaro Mune
 

Similar to [若渴] Preliminary Study on Design and Exploitation of Trustzone (20)

6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software
 
HiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationHiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentation
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
 
Oracle super cluster m7
Oracle super cluster m7Oracle super cluster m7
Oracle super cluster m7
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
 
Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5
 
Cont0519
Cont0519Cont0519
Cont0519
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
 
HAcktive Directory - Microsoft Meetup July 2020
HAcktive Directory - Microsoft Meetup July 2020HAcktive Directory - Microsoft Meetup July 2020
HAcktive Directory - Microsoft Meetup July 2020
 
Nelson: Rigorous Deployment for a Functional World
Nelson: Rigorous Deployment for a Functional WorldNelson: Rigorous Deployment for a Functional World
Nelson: Rigorous Deployment for a Functional World
 
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLEDATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
 
Clonetab flyer
Clonetab flyerClonetab flyer
Clonetab flyer
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
 

More from Aj MaChInE

[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
Aj MaChInE
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
Aj MaChInE
 

More from Aj MaChInE (19)

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
 

Recently uploaded

Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Recently uploaded (20)

ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 

[若渴] Preliminary Study on Design and Exploitation of Trustzone

  • 1. “Preliminary” Study on Design and Exploitation of Trustzone @若渴 2018.3.24 <ajblane0612@gmail.com> AjMaChInE
  • 2. Outline • Design category of using trustzone • TEE Exploitation
  • 3. Isolation Process Isolation -> Kernel Isolation-> Function Isolation (symmetrically call – non-preemptive) [0]
  • 4. ARM TrustZone Technology “It aims at enabling the creation of an execution environment, for protecting the confidentiality and integrity of critical code, allowing that code to be executed isolated from the main operating system (OS).” [0] EL3 EL1 EL0
  • 5. Design Category of Using TrustZone • Security services • Virtualization • Development frameworks
  • 6. Security Services • DroidVault [1] • TrustOTP [2] • TZ-RKP [3]
  • 7. DroidVault - Allowing the Secure Management of Storage [1] R0,R1 R2,R3
  • 8. TrustOTP - Information Leakage of OTP [2]
  • 9. Why to Use Reliable Switch [2] • SMC instruction – When REE (Normal) Kernels are compromised • Secure Interrupt – Non-maskable GPIO-2 Secure Interrupt
  • 10. Reliable Switch - Non-Maskable Interrupt (NMI) Mechanism [2] • Non-maskable GPIO-2 Secure Interrupt Central Security Unit (CSU)
  • 11. TZ-RKP: Avoid Bypassing the Memory Protection using Double Mapping [3]
  • 12. TZ-RKP: Control Instruction Emulation and Trapping Translation Table Updates
  • 13. Trsut-RKP OS Virtaul Memory Layout [3]
  • 15. vTZ: When TEE OS is Compromised [4]
  • 16. (c) is an Excellent Design [4]
  • 18. GlobalPlatform API ARM Trustzone API GlobalPlatform API ARM Trustzone ARM Trustzone Intel SGX
  • 21. Exploitation • Semantic gap (BOOMERANG) [5] • Revoke vulnerable trustlets [6]
  • 22. Semantic Gap • [利用特性] – the secure world always maintains complete control over and visibility into the non-secure world (similar to a hypervisor and its guests) – Visibility: the secure world and its associated TAs have the ability to read and write to non-secure world memory • BOOMERANG (自食其果~”~) exploits the semantic gap inherent to the design of all the current TEE implementations.
  • 23. BOOMERANG – PTR as DATA cannot be Checked [5]
  • 24. Revocation • QSEE revocation – The Attestation certificate preventing “rolling back” to older versions of the software image – 但 all trustlets share the same image identifier • Kinibi revocation – Reverse-engineer the bootloader binary including TEE kernel – 沒有DOC ->找到TEE kernel->又找到parsing signature->解出the structure of the signature – 但直接送有問題的tasklet就可@@a [6]
  • 25. Reference • [0] 2016, Joao Rocheteau Ramos, TrustFrame, a Software Development Framework for TrustZone-enabled Hardware • [1] 2014, Xiaolei Li, DroidVault- A Trusted Data Vault for Android • [2] 2015, He Sun, etc., TrustOTP- Transforming Smartphones into Secure One-Time Password Tokens • [3] 2014, Ahmed M Azab, etc. Hypervision Across Worlds : Real- time Kernel Protection from the ARM TrustZone Secure World • [4] 2017, Zhichao Hua, etc. vTZ- Virtualizing ARM TrustZone • [5] 2017, Nick Stephens, etc. Boomerang- Exploiting the Semantic Gap in Trusted Execution Environments • [6] 2017, Gal Beniamini, Trust Issues-Exploiting TrustZone TEEs