Shadow-Box v2:
The Practical and Omnipotent Sandbox for ARM
Seunghun Han, Jun-Hyeok Park
(hanseunghun || parkparkqw)@nsr.re.kr
Wook Shin, Junghwan Kang, HyoungChun Kim
(wshin || ultract || khche)@nsr.re.kr

Who Are We?
- Senior security researcher at NSR (National Security Research Institute of South Korea)
- Speaker at Black Hat Asia 2017 and HITBSecConf 2016/2017
- Author of the book series titled “64-bit multi-core OS principles and structure, Vol.1&2”
- a.k.a kkamagui, @kkamagui1

- Senior security researcher at NSR
- Embedded system engineer
- Interested in firmware security and IoT security
- a.k.a davepark, @davepark312

Last Year We Presented…
We introduced Shadow-box v1

Goal of This Year is…
- x86: VT-x, VT-d (Virtualization Technology), Shadow-Box for x86, Linux
- ARM: TrustZone (Virtualization Technology), Shadow-Box for ARM, Linux, IMA
We will introduce Shadow-box v2

Background
Design
Implementation
Demo. and Conclusion (with Black Hat Sound Bytes)

REMIND: Linux Kernel is Everywhere!

REMIND: Security Threats of Linux Kernel
- The Linux kernel suffers from rootkits and security vulnerabilities
  - Rootkits: EnyeLKM, Adore-ng, Sebek, suckit, kbeast, and so many descendants
  - Vulnerabilities: CVE-2014-3153, CVE-2015-3636, CVE-2016-4557, CVE-2017-6074, etc.
Devices that use Linux kernel share security threats

REMIND: Melee Combats at the Kernel-level
- Kernel-level (Ring 0) protections are not enough
  - Lots of rootkits and exploits work in the Ring 0 level
  - Protections against them are often easily bypassed and neutralized
  - Kernel Object Hooking (KOH)
  - Direct Kernel Object Manipulation (DKOM)
Protections need an even lower level (Ring -1)

REMIND: Taking the Higher Ground
- Leveraging virtualization technology (VT)
  - VT separates a machine into a host (secure world) and a guest (normal world)
  - The host in Ring -1 can freely access/control the guest in Ring 0 (the converse doesn’t hold)
  - VT-equipped HW: Intel VT-x, AMD AMD-V, ARM TrustZone
Shadow-Box v2 focuses on ARM TrustZone!

ARM TrustZone and Trusted Execution Environment
- ARM TrustZone
  - is a security extension of ARM processor and hardware-based security
  - separates a machine into the secure world and normal world
- Trusted Execution Environment (TEE)
  - is a secure area of ARM processor
  - protects integrity and confidentiality of data in memory and storage

Lords of the TEE
TEE of KNOX QSEE
RED OCEAN…
OH, NO…

Restrictions on Lords of the TEE (1)
- TEEs are proprietary
  - Their source code is not published
  - Use of the source code is restricted
- TEEs are not portable
  - They are designed for their own processors
  - So, they are not applicable in different processors

Restrictions on Lords of the TEE (2)
- To wrap it up, their TEEs are not suitable for various ARM-based devices
  - There are so many ARM processor vendors such as Broadcom, NXP, MediaTek, Allwinner, etc.
  - Manufacturers choose low-cost ARM SoC for their products
  - The types and vendors of ARM SoC in products are different depending on manufacturing date
We need an open source and portable TEE!

OP-TEE: Open Portable TEE (1)
- OP-TEE is an open source TEE
  - You can change everything that you want
- Linaro supports and maintains OP-TEE
  - Linaro is an association of ARM, Freescale, IBM, Samsung, ST, TI
- OP-TEE supports many kinds of SoCs and devices
  - OP-TEE supports more than fourteen devices including Raspberry Pi 3 and QEMU
  - OP-TEE has well-defined architecture, so you can port OP-TEE to your device easily

OP-TEE: Open Portable TEE (2)
- OP-TEE follows GlobalPlatform specifications
  - GlobalPlatform makes Trusted Execution Environment (TEE) specifications
  - GlobalPlatform is an association of Samsung, Qualcomm, AMD, APPLE, Trustonic, NXP
  - Many companies follow the specifications, so you can port your trusted application to other TEE

Architecture of OP-TEE
[Diagram. Secure World: OP-TEE Trusted Kernel, Static Trusted Application, Dynamic Trusted Application, TEE Internal APIs. Normal World: Linux Kernel with OP-TEE Driver (Kernel); Client Application, TEE Client API, tee-supplicant (User).]

REMIND: Security Architecture in Shadow Play
[Diagram labels: Activities in OS; Ring -1 Monitoring Mechanism (Light-Box); Security Monitor (Shadow-Watcher)]
We named this architecture “Shadow-box”

Architecture of Shadow-Box for x86
[Diagram labels. Host (Ring -1): Light-Box (Lightweight Hypervisor); Shadow-Watcher (Monitor), "Monitor, control"; Shared Kernel (Read/Write Permission); Shared Kernel Only. Guest (Ring 0~3): User (Read/Write Permission); Shared Kernel (Read-only Permission); Shared Kernel and User. Other labels: User, Shared Area.]

Architecture of Shadow-Box for ARM
[Diagram labels. Secure World (Ring -1): Light-Box (Trusted App. and Trusted Kernel); Trusted Kernel; Shadow-Watcher (Trusted App.); Monitor. Normal World (Ring 0~3): User Application; Normal Kernel; Shadow-Watcher Client; IMA. Label between the worlds: SMC call.]

Integrity Measurement Architecture
- Integrity Measurement Architecture (IMA)
  - Can check hashes or signatures of files and protect the system from unauthorized executable files
  - Can store measurement values in the Trusted Platform Module (TPM)
  - Has been included in the Linux kernel since 2.6.30!
- IMA needs to manage hashes or signatures
  - You need to make hashes or signatures of good executable files
  - IMA is hard to use in a general-purpose environment, but it is good for a special-purpose environment such as embedded systems

What can Shadow-Box v2 Do?
- Shadow-box v2 (for ARM) protects Linux kernel from
  - Unauthorized executable file attacks
    - IMA in kernel verifies signatures of executable files
  - Static kernel object attacks
    - Static kernel object = immutable at runtime
    - Code modification and system table modification attacks
  - Dynamic kernel object attacks (x86 only and future work!)
    - Dynamic kernel object = mutable at runtime
    - Process hiding and module hiding, function pointer modification attacks

Static Kernel Object Protection (1)
[Diagram labels. Normal World: Shadow-Watcher Client; OP-TEE Driver; Linux Kernel. Secure World: Shadow-Box Trusted App.; Periodic Kernel Integrity Monitor; Remote Attestation; Light-Box Trusted App.; Integrity Checker; OP-TEE Trusted Kernel; Page Hashes, Keys, Measured Results.]
1. Request
2. Calculate Page Hashes
3. Compare Hashes
4. Return the Result

Static Kernel Object Protection (2)
- Page hash-based integrity monitor
  - Is a simple and intuitive mechanism which is widely used!
  - But, the attacker can guess when the page is measured and do a transient attack!
  - Needs a mechanism to randomize the measurement timing
- So, Shadow-Box randomizes page order
  - The Shadow-Watcher trusted application shuffles pages after integrity measurement is completed

Workload-Concerned Kernel Monitoring
- Adaptive mechanism
  - Changes check period for measurement depending on system workload
  - Increases the period to keep performance as workload increases
[Graph: Check Period (time) against CPU Workload, from Minimum Check Period (Check Frequently) to Maximum Check Period (Check Infrequently)]
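The two mechanisms above, shuffled page-hash measurement and a workload-dependent check period, as an added example that is not code from the Shadow-Box project. It assumes an in-memory array in place of kernel pages, FNV-1a as a stand-in for a cryptographic hash, xorshift64 in place of a TEE random source, and linear scaling of the period; all names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#define PG_SIZE 4096u
#define NPAGES  8u

struct monitor {
    uint64_t golden[NPAGES]; /* reference hashes, held on the secure side */
    unsigned order[NPAGES];  /* order in which the next pass visits pages */
    uint64_t rng;            /* xorshift64 state; assumption: a real TA uses the TEE RNG */
};

/* FNV-1a 64-bit, a dependency-free stand-in for a cryptographic hash. */
static uint64_t page_hash(const uint8_t *p)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (unsigned i = 0; i < PG_SIZE; i++)
        h = (h ^ p[i]) * 0x100000001b3ULL;
    return h;
}

/* Fisher-Yates shuffle so the next pass visits pages in a new order. */
static void shuffle_order(struct monitor *m)
{
    for (unsigned i = NPAGES - 1; i > 0; i--) {
        m->rng ^= m->rng << 13; m->rng ^= m->rng >> 7; m->rng ^= m->rng << 17;
        unsigned j = (unsigned)(m->rng % (i + 1)), t = m->order[i];
        m->order[i] = m->order[j];
        m->order[j] = t;
    }
}

/* Record reference hashes of the known-good pages. */
static void monitor_init(struct monitor *m, uint8_t mem[][PG_SIZE], uint64_t seed)
{
    for (unsigned i = 0; i < NPAGES; i++) {
        m->golden[i] = page_hash(mem[i]);
        m->order[i] = i;
    }
    m->rng = seed ? seed : 1; /* xorshift state must be non-zero */
    shuffle_order(m);
}

/* One pass: first modified page found or -1; reshuffles when the pass is done. */
static int monitor_pass(struct monitor *m, uint8_t mem[][PG_SIZE])
{
    int bad = -1;
    for (unsigned k = 0; k < NPAGES && bad < 0; k++)
        if (page_hash(mem[m->order[k]]) != m->golden[m->order[k]])
            bad = (int)m->order[k];
    shuffle_order(m);
    return bad;
}

/* Period grows with CPU load (0..100 %), clamped to [min, max]; linear is an assumption. */
static unsigned check_period_ms(unsigned load, unsigned min_ms, unsigned max_ms)
{
    if (load > 100) load = 100;
    return min_ms + (max_ms - min_ms) * load / 100;
}

int main(void)
{
    static uint8_t mem[NPAGES][PG_SIZE]; /* constructed stand-in for kernel text */
    struct monitor m;
    monitor_init(&m, mem, 2017);
    printf("clean=%d\n", monitor_pass(&m, mem));
    mem[5][123] ^= 0xff;                 /* constructed tampering of one page */
    printf("patched=%d period=%u\n", monitor_pass(&m, mem), check_period_ms(80, 100, 1000));
    return 0;
}
```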

Remote Attestation
[Diagram labels. Remote Server. Normal World: Shadow-Watcher Client; OP-TEE Driver; Linux Kernel. Secure World: Shadow-Box Trusted App.; Periodic Kernel Integrity Monitor; Integrity Checker; Remote Attestation; Light-Box Trusted App.; OP-TEE Trusted Kernel; Page Hashes, Keys, Measured Results. Keys appears in two places.]
1. Request with Encrypted Nonce
2. Send the Request
3. Get Encrypted Results of Measurement
4. Return the Encrypted Result
5. Bypass the Results

Executable File Verification with IMA
[Diagram labels. Normal World: Signed App.; Modified App.; Unsigned App.; IMA (Verify and Execute); Shadow-Watcher Client; OP-TEE Driver; Linux Kernel. Secure World: Shadow-Box Trusted App.; Light-Box Trusted App.; Integrity Checker; Monitor; OP-TEE Trusted Kernel; Page Hashes, Keys, Measured Results.]

Target Board: Raspberry Pi 3
- Raspberry Pi board
  - Is the most famous embedded hardware
  - Supports many kinds of OS such as Raspbian, Ubuntu, and Windows 10 core
- Raspberry Pi 3 model B specification
  - Quad Core 1.2GHz Broadcom BCM2837
  - 1GB RAM and HDMI
  - BCM43438 wireless LAN and bluetooth
  - 40-pin extended GPIO

Limitation of Raspberry Pi 3
- Raspberry Pi is the best board for a prototype, but…
  - Only the CPU supports the ARM TrustZone feature
  - DRAM and flash controller do not support it
  - Raspberry Pi does not have a secure boot feature
  - The secure world is not really secure and just for a prototype!
- If you want a fully-featured board, choose another board!
  - OP-TEE supports many kinds of embedded boards such as Juno board, HiKey board, ATSAMA5D2-XULT board, and i.MX7Dual SabreSD Board

How to Integrate Shadow-Box with Raspberry Pi?
[Diagram: Raspbian OS - Raspbian’s Kernel + OP-TEE’s Kernel with IMA Patch + OP-TEE’s Secure Kernel + Shadow-Box = Secure Pi]
Secure Pi is an OPEN SOURCE project!
We always welcome your CONTRIBUTIONS!
https://github.com/kkamagui/shadow-box-for-arm

Porting x86 Rootkits to ARM (1)
- Rootkits need to patch kernel code and read-only data
  - They usually hide themselves by patching kernel code or function pointers
- But, kernel has page protection mechanism
  - In x86 case, they disable page write protection in the CR3 register!
  - In ARM case, they need to disable page protection, too!

Porting x86 Rootkits to ARM (2)
- Do we really need to know about the page protection mechanism for patching kernel?
  - Paging mechanism is too complicated
  - ARM processors have various paging mechanisms
- Use live kernel patch functions instead!
  - Linux kernel has kernel patch functions for a live patch
    - x86: text_poke(void *addr, const void *opcode, size_t len)
    - ARM: patch_text(void *addr, unsigned int insn)
  - You do not need to worry about the paging mechanism anymore!
OH, THIS IS EXACTLY WHAT I WANT!

DEMO

Conclusion and Black Hat Sound Bytes
- Kernel-level (ring 0) threats should be protected against at a more privileged level (ring -1)
  - Rootkits can neutralize kernel-level (ring 0) protection
  - We create a ring -1 level protection mechanism with ARM TrustZone
- Shadow-box v2 is practical and portable
  - Shadow-box v2 protects the kernel from rootkits using IMA and OP-TEE
  - We made a reference implementation with Raspberry Pi 3
  - We named it “Secure Pi” and opened it as an open source project

Questions?
Project: https://github.com/kkamagui/shadow-box-for-arm
Contact: [email protected], @kkamagui1
[email protected], @DavePark312
CONTRIBUTION!