Back to All Events

TEEPwn: Breaking TEE by Experience


  • secwest.net Vancouver Canada (map)

Course Details:

Number of Days: 4

Attendance: In-Person Only

Details below last updated July 7/26

 

Course Description:

A Trusted Execution Environments (TEE) is notoriously hard to secure due to the interaction between complex hardware and a large Trusted Code Base (TCB). The security provided by different TEE implementations has been broken on a wide variety of devices, including mobile phones, smart TVs and even modern vehicles.

The TEEPwn experience takes an offensive perspective and dives into the darker corners of TEE security. It’s designed with a system-level approach, where you will experience exploitation of powerful vulnerabilities specific for TEE technology. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.

Your journey starts with achieving a comprehensive understanding of TEE technology. You will learn how hardware and software cooperate in order to enforce effective security boundaries. You will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.

All practical exercises are performed on our custom emulated attack platform which is using ARM TrustZone to implement multiple TEE implementations. Real vulnerabilities that Raelize found and exploited on Google devices are used to demonstrate the techniques taught in TEEPwn's learning path.

You will take on different roles, as an attacker in control of:

  • the REE, achieving privileged code execution in the TEE

  • the REE, accessing assets protected by a Trusted Application (TA)

  • a TA, escalating privileges to the TEE OS

  • a TA, accessing the protected assets of another TA

You will be guided towards an unexpected range of TEE-specific attack vectors and vulnerabilities, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.

 

Format:

The TEEPwn experience takes you on a journey of 4 days of 8 hours where you will attend lectures and perform exciting hands-on exercises.

You will get access to a personal VM which contains all the required tooling. It’s expected that not all of the exercises are finalized within the training hours. Therefore, you will have access to this VM forever so you can continue with the exercises after the training has ended.

 

Level:

The training level of the TEEPwn experience is Intermediate.

 

Course Outline:

Day 1

During the TEEPwn experience we will cover the following topics:

  • Fundamentals

    • Overview of TEE

    • Security model

  • ARM TrustZone

    • TEE software

    • TEE attacker model

    • TEE attack surface

  • REE-to-TEE attacks

    • Secure Monitor (S-EL3)

    • TEE OS (S-EL1)

    • Identify and exploit vulnerabilities related to:

      • Vulnerable SMC handlers

      • Unchecked pointers

      • Restricted writes

      • Range checks

  • REE-to-TA attacks

    • Communicating with a TA

    • Global Platform API

    • Identify and exploit vulnerabilities related to:

      • Type confusion

      • ToCToU / Double fetch

  • TA-to-TEE attacks

    • TEE OS (syscall interface)

    • Drivers

    • Identify and exploit vulnerabilities related to:

      • Unchecked pointers

      • Vulnerable hardware primitives

  • TA-to-TA attacks

    • State confusion

 

Prerequisites: What You Need to Have:

The attendees of the TEEPwn experience are expected to have:

  • any modern computer system or laptop with sufficient memory

  • we advise to install and use the Chrome browser

  • A virtual machine software (preferably VMware), installed on your laptop

  • a stable Internet connection with sufficient bandwidth

 

Target audience:

The TEEPwn experience is intended for:

  • Security Analysts, Researchers and Practitioners interested in TEE security

  • Software Security Developers and Architects interested in an offensive TEE perspective

 

What You Will Get:

The attendees of the TEEPwn experience will get access to:

  • a personal virtual machine (VM) with all the required tooling installed

  • access to the exercise modules and instructions

To continue practicing after the training is completed:

  • ability to run the exercise modules forever

  • ability to copy the exercise modules and instructions

 

About the Instructor: Cristofaro Mune

Cristofaro Mune is a Co-Founder of Raelize and has been in the security field for 20+ years. He has 15+ years of experience with evaluating the software and hardware of secure products, including numerous TEE designs and implementations. He has contributed to development of TEE security evaluation methodologies and has been member of TEE security industry groups. His research on Fault Injection, TEE, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and published in academic papers.

 
 
Next
Next
September 26

Internals of the Windows 11 Operating System