BREAKING SAMSUNG'S ARM TRUSTZONE
Black Hat USA 2019
OUR TEAM
Maxime Peterlin - R&D Engineer at Quarkslab
Alexandre Adamski - R&D Engineer at Quarkslab
Joffrey Guilbon - R&D Engineer at Quarkslab
@pandasec_
@NeatMonster_
@patateQBool
PRESENTATION OUTLINE
- Current state of embedded security
- Introduction to the ARM TrustZone technology
- Samsung's TrustZone Overview
- Trusted Components
- Vulnerability Research Tools
- Vulnerability Analysis
- Exploitation
- Post-Exploitation Demonstrations
CURRENT STATE OF EMBEDDED SECURITY
A LONG TIME AGO...
[Figure: Traditional architecture: applications running on top of an operating system]
Kernel unbreakable...?
HOW DO WE PROTECT OURSELVES...
... if the kernel is corrupted during the boot process?
... if the kernel is corrupted when the system is already running?
PROTECTION DURING THE BOOT PROCESS
Secure Boot
Prevent the execution of untrusted or unauthorized code on end users' devices
[Figure: boot chain. Stage 0 (BootROM) verifies, loads and executes Stage 1; ...; Stage N verifies, loads and executes Stage N+1]
RUNTIME PROTECTION USING A HYPERVISOR
- Hypervisor-based guest kernel protection
- Problem: VM escapes and hypervisor compromises
[Figure: Hypervisor-based architecture: apps running on guest OSes on top of a hypervisor]
TRUSTED EXECUTION ENVIRONMENTS
[Figure: three TEE designs, each drawn over an SoC with CPU, RAM, OTP, EEPROM, crypto HW, ROM, peripherals and GPU]
- Virtual Processor (e.g. ARM TrustZone)
- External Coprocessor (e.g. Google Titan M): a secure coprocessor next to the SoC
- On-SoC Processor (e.g. Apple SEP): a secure CPU inside the SoC
Taken from Le TEE, nouvelle ligne de défense dans les mobiles, SSTIC 2013
ARM TRUSTZONE TECHNOLOGY
OVERVIEW
ARM TrustZone is a system-wide hardware isolation mechanism
Hardware architecture
- Partitioning of all the SoC's hardware and software resources
- TZPC, TZASC, TZMA, etc.
Software architecture
- Software implementation used in secure state
- Communications between secure and non-secure components
[Figure: SoC block diagram: CPU, RAM, OTP, EEPROM, crypto HW, ROM, peripherals, GPU]
SECURE AND NON-SECURE WORLDS
Secure World
- Runs trusted code
- Performs sensitive operations
Normal World
- Considered as compromised by design
- Performs non-sensitive operations
[Figure: Normal World (applications, applications requiring trusted functionality support, embedded OS, TrustZone drivers) next to Secure World (trusted applications, secure OS, monitor)]
SECURE CONFIGURATION REGISTER
The Secure (or Non-Secure) state of the CPU is determined by the least significant bit of the Secure Configuration Register (SCR)
NS bit [0]:
- 0: Secure state
- 1: Non-Secure state
[Figure: SCR bit layout: NS (0), IRQ (1), FIQ (2), EA (3), FW (4), AW (5), nET (6), SCD (7), HCE (8), SIF (9), RES0 (11), TWI (12), TWE (13), RES0 (31:14), with a group marked "bits added in AArch64"]
COMMUNICATING BETWEEN WORLDS
- Switches between worlds are performed by the Secure Monitor
- Runs at the highest privilege level (EL3 in ARMv8/Monitor Mode in ARMv7)
- Data exchanged through
  - Exceptions
  - Interrupts
  - Writing to the PSTATE/CPSR registers (privileged operation)
[Figure: Normal World (rich OS) and Secure World (secure OS) exchanging data through the Secure Monitor, which is entered by an SMC instruction, an interrupt, an external abort, or by directly writing to the CPSR register]
PRIVILEGES SEPARATION
[Figure: ARMv7 Privilege Levels: User mode (PL0) for apps, Supervisor mode (PL1) for guest OSes and the secure OS, Hypervisor mode (PL2) for the hypervisor, Monitor mode for the secure monitor, across Normal World and Secure World]
[Figure: ARMv8 Exception Levels: EL0 for apps, EL1 for guest OSes and the secure OS, EL2 for the hypervisor, EL3 for the secure monitor, across Normal World and Secure World]
THE TRUSTED COMPONENTS FRAGMENTATION ISSUE
Privilege escalation by design
- No hardware isolation between S-EL1 and EL3
- Access to all the physical memory
- Will be fixed in ARMv8.4 with Secure Partitions
Fragmentation
- System developed by different vendors
- Cooperation and mutual trust required
[Figure: software stack per level (User mode/EL0: apps; Supervisor mode/EL1: guest OSes, trusted OS and trusted OS drivers; Hypervisor mode/EL2: hypervisor; Monitor mode/EL3: secure monitor, trusted OS dispatcher, trusted hardware drivers), with a legend: generic software, silicon provider specific, trusted OS specific, silicon provider specific or generic software, application specific]
TRUSTZONE SOFTWARE ARCHITECTURE
Several implementations of the software stack running in TrustZone are possible
[Figure: three options, each with the same Normal World (applications, applications requiring trusted functionality support, embedded OS, TrustZone drivers)]
- Operating System: Secure World with trusted applications, a secure OS and the monitor
- Intermediate Option: Secure World with trusted applications and the monitor
- Synchronous Library: Secure World with only the monitor (synchronous library)
TRUSTZONE'S USE CASES
- Accessing hardware-backed features:
  - Cryptographic engine
  - Credentials storage (Hardware-backed Keystore)
  - True random number generator
  - ...
- Digital Rights Management (by leveraging the cryptographic engine)
- Protecting and monitoring of the Normal World by the Secure World
  - Example: Samsung's Real-Time Kernel Protection (RKP) and Periodic Kernel Measurement (PKM)
SAMSUNG'S ARM TRUSTZONE
OVERVIEW
Samsung Devices
- Use both Samsung's Exynos and Qualcomm's Snapdragon SoCs
- The same phone models can have different SoCs depending on the country
Samsung's TrustZone
- Found only on Exynos SoCs
- First used in the Samsung Galaxy S3
- Trusted OS used:
  - Kinibi developed by Trustonic (Galaxy S3 to Galaxy S9)
  - TEEGRIS developed by Samsung (Galaxy S10)
  - Both are used in other models too
  - This talk will focus on Kinibi
PREVIOUS WORKS
- Reverse Engineering Samsung S6 SBOOT (2-part article series) by Fernand Lone Sang
  - ARM Trusted Firmware usage on Samsung devices and extraction process from an OTA of the TEE-OS
- Unbox Your Phone (3-part article series) by Daniel Komaromy
  - Reverse-engineering of the Trusted OS and exploitation of vulnerabilities in trustlets
- Trust Issues: Exploiting TrustZone TEEs by Gal Beniamini
  - Security analysis of different Trusted Execution Environments
SAMSUNG'S TRUSTZONE ARCHITECTURE
[Figure: Samsung's TrustZone architecture]
- Normal World: apps, service provider provisioning agent, trusted application connector, root provisioning agent, Kinibi client API, Kinibi daemon, embedded OS kernel with Kinibi drivers
- Shared non-secure memory: Trusted Application Communication Interface (TCI) and MobiCore Communication Interface (MCI)
- Monitor (ATF BL31): the ATF TEE-OS dispatcher forwards SMCs to the custom TEE-OS handler
- Secure World: Kinibi micro-kernel with syscall handlers, Runtime Management (RTM), McLib (TlApi, DrApi), secure drivers (DRCRYPT, ...), SiP/OEM and system TA containers
NORMAL WORLD COMPONENTS
- Drivers, daemons, libraries and interfaces used for communicating with the Secure World
- Communications pass through SMCs and shared memory buffers
[Figure: Samsung's TrustZone architecture diagram, repeated]
SECURE MONITOR
ARM Trusted Firmware
- Open-source reference implementation of Secure World software provided by ARM
- Contains a modular secure monitor implementation
- Custom SMC handlers, called runtime services, can be added to fit the vendor's requirements
- Example: runtime services are used by Samsung to forward SMCs handled by Kinibi
[Figure: Samsung's TrustZone architecture diagram, repeated]
SECURE WORLD COMPONENTS
Secure world based on a micro-kernel architecture
[Figure: Samsung's TrustZone architecture diagram, repeated]
MTK: KINIBI'S MICRO KERNEL
- Kinibi is a 32-bit OS developed by Trustonic
  - Used to be called Mobicore and t-base
- MTK: micro-kernel and only component running in S-EL1
- Provides syscalls (SVCs)
  - Memory mapping, process creation, SMCs, etc.
  - SVCs available depend on the privileges of the calling process
- Loads other components (embedded drivers, etc.) and especially RTM
[Figure: Secure World part of the architecture diagram: Kinibi micro-kernel with syscall handlers, RTM, McLib (TlApi, DrApi), secure drivers (DRCRYPT, ...), SiP/OEM and system TA containers]
RUN-TIME MANAGER
- Special Secure World trusted application equivalent to the init process on Linux
- Main tasks
  - starting and managing processes
  - notifying trustlets of incoming data from the NWd
- Implements communication channels
  - Inter-Process Communications
  - Mobicore Communication Interface (MCI)
    - A communication channel with the Normal World based on the Mobicore Control Protocol (MCP)
MCLIB: KINIBI'S STANDARD LIBRARY
- Provides standard functions to Trusted Applications, Secure Drivers and RTM
- Separated into two APIs:
  - TlApi: set of functions used by trusted applications
  - DrApi: set of functions used by secure drivers
- Useful during exploitation to find gadgets
TlApi call example
```
; _DWORD tlApiWaitNotification(_DWORD timeout)
MOV.W   R1, #0x1000
LDR.W   R2, [R1,#(tlApiLibEntry - 0x1000)]  ; R2 = pointer stored at tlApiLibEntry
MOV     R1, R0                               ; timeout moves to the second argument
MOVS    R0, #6                               ; first argument = 6 for this call
BX      R2                                   ; branch to the loaded pointer
```
TRUSTED APPLICATIONS
- Secure World equivalent of regular applications in the Normal World (run at S-EL0)
- Allow trusted third-parties to extend the functionalities of the TEE-OS
  - Trusted UI, DRM, storage of secrets, etc.
- Signed binaries loaded directly from the Normal World (so are SDs)
TRUSTED APPLICATIONS LIFE-CYCLE
- Communications with the Normal World made through world-shared memory (named TCI buffer by Trustonic)
- The TCI buffer contains commands to be handled by the trustlet
- Notifications
  - tlApiWaitNotification
  - tlApiNotify
[Figure: trustlet control flow: main function (stack initialization, TCI buffer size check, ...), then tlApiWaitNotification, command #1 ... command #N handlers, tlApiNotify]
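The life-cycle above, as an added example that is not code from the talk or from Trustonic: the TCI buffer size check, then the wait / handle / notify loop, with every Normal World field fetched once and validated before use because the buffer is world-shared. The `tci_t` layout, the command ids, the response codes and the host stand-ins for `tlApiWaitNotification` and `tlApiNotify` are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCI_PAYLOAD_MAX 64u   /* hypothetical payload capacity */
#define CMD_SUM   1u          /* hypothetical command ids */
#define CMD_UPPER 2u
enum { RSP_OK = 0, RSP_BAD_CMD = 1, RSP_BAD_LEN = 2 };

/* Hypothetical TCI layout; each real trustlet defines its own. */
typedef struct {
    uint32_t cmd_id;                 /* written by the Normal World */
    uint32_t len;                    /* written by the Normal World */
    uint32_t status;                 /* written by the trustlet */
    uint32_t result;                 /* written by the trustlet */
    uint8_t  payload[TCI_PAYLOAD_MAX];
} tci_t;

/* Host stand-ins for the two McLib calls named on the slide, so the loop runs
 * off-device. Return values and the tlApiNotify signature are assumptions. */
static int pending_notifications, sent_notifications;
static uint32_t tlApiWaitNotification(uint32_t timeout)
{
    (void)timeout;
    return pending_notifications-- > 0 ? 0u : 1u;   /* 0 = a command is waiting */
}
static void tlApiNotify(void) { sent_notifications++; }

/* The TCI buffer is world-shared: the Normal World can rewrite it while the
 * trustlet runs, so each field is fetched once and only the copy is used. */
static uint32_t handle_command(volatile tci_t *tci)
{
    uint8_t  local[TCI_PAYLOAD_MAX];
    uint32_t cmd = tci->cmd_id;      /* single fetch */
    uint32_t len = tci->len;         /* single fetch */
    uint32_t i, sum = 0;

    if (len > TCI_PAYLOAD_MAX)
        return RSP_BAD_LEN;          /* reject before touching the payload */
    for (i = 0; i < len; i++)
        local[i] = tci->payload[i];  /* private snapshot of the input */

    switch (cmd) {
    case CMD_SUM:
        for (i = 0; i < len; i++)
            sum += local[i];
        tci->result = sum;
        return RSP_OK;
    case CMD_UPPER:
        for (i = 0; i < len; i++) {
            uint8_t c = local[i];
            tci->payload[i] = (c >= 'a' && c <= 'z') ? (uint8_t)(c - 32) : c;
        }
        tci->result = len;
        return RSP_OK;
    default:
        return RSP_BAD_CMD;          /* unknown command id */
    }
}

/* Main function: size check once, then wait / handle / notify. */
int trustlet_main(volatile void *tci_buf, uint32_t tci_len)
{
    volatile tci_t *tci = (volatile tci_t *)tci_buf;

    if (tci_buf == NULL || tci_len < sizeof(tci_t))
        return -1;                   /* TCI buffer size check failed */
    while (tlApiWaitNotification(0xFFFFFFFFu) == 0) {
        tci->status = handle_command(tci);
        tlApiNotify();               /* tell the Normal World the reply is ready */
    }
    return 0;
}

int main(void)
{
    /* Constructed message: uppercase three bytes. */
    tci_t shared = { CMD_UPPER, 3, 0, 0, { 'a', 'b', 'c' } };

    pending_notifications = 1;
    trustlet_main(&shared, sizeof shared);
    printf("status=%u payload=%.3s\n", (unsigned)shared.status,
           (const char *)shared.payload);
    return 0;
}
```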
SECURE DRIVERS
- Special type of Trusted Applications
- Run at S-EL0 but have higher software-defined privileges
- Have access to a richer set of API and syscalls
- Are used by trustlets as an interface to access physical memory and reach secure peripherals in a controlled manner
- Communications with TAs made through IPCs and shared memory
SECURE DRIVERS LIFE-CYCLE
- Multi-threaded application
  - DCI: Normal World communications
  - IPC: trustlet communications
- Trustlet interactions
  - Retrieves IPC data by mapping the entire trustlet
  - Notifications using drApiIpcCallToIPCH
[Figure: secure driver threads: entry point and main thread; ISR handler (drApiIntrAttach, ..., drApiIntrDetach); DCI handler (drApiIpcSigWait, ..., drApiNotify); IPC handler (drApiIpcCallToIPCH, ...)]
VULNERABILITY RESEARCH TOOLS
ATTACK SURFACE
[Figure: Samsung's TrustZone architecture diagram, repeated over five slides titled "Attack surface"; one slide adds the label SVC and another the label SMC]
- Must be reachable from the Normal World
- ATF is open-source, probably heavily reviewed
- Trusted Applications are low-hanging fruits
OUR JOURNEY IN 5 STEPS
STEP #1 - LOADING INTO IDA/GHIDRA
LOADER
Proprietary File Format - MobiCore Loadable Format (MCLF)
mclf-ida-loader mclf-ghidra-loader
STEP #2 - IDENTIFYING FUNCTIONS
LOADER
SCRIPTS
MCLIB - STANDARD LIBRARY
[Figure: Samsung's TrustZone architecture diagram, repeated]
[Figure: Before / After comparison]
- Renames tlApi/drApi functions
- Sets the function prototypes
STEP #3 - MANUALLY FINDING VULNERABILITIES
LOADER EMULATOR
SCRIPTS
TRUSTLETS EMULATOR
- Based on Unicorn (external project)
- Split into simple tasks:
  - Loading the MCLF binary
  - Mapping the shared memory buffer
  - Hooking the McLib functions
TRUSTLETS EMULATOR
```
python emulator.py *41.tlbin cmd1.bin --tci 0x40100 -v
[+] Binary is a trustlet
[+] Trustlet size = 0x1ba4c
[+] Mapping text section at 0x00001000 with a size of 0x4874
[+] Mapping data section at 0x00007000 with a size of 0x168
[+] Mapping BSS section at 0x00007168 with a size of 0x17070
[+] Mapping region at 0x07d00000 (0x1 bytes)
[+] Mapping TCI buffer at 0x00100000 with a size of 0x40100
[i] drApiLogvPrintf(u'ICCC:Trustlet ICCC::Starting\n')
[+] Loading input data
[i] drApiLogvPrintf(u'TL ICCC: we got a command: 1\n')
[i] drApiLogvPrintf(u'ICCC: Initialize failed - tamper fuse set\n')
[i] drApiLogvPrintf(u'ICCC: Measurements result ret = 65548, ret hex = 1000c\n')
[i] drApiLogvPrintf(u'iccc: ICCC save data@#\n')
[i] drApiLogvPrintf(u'Iccc_phys_read failed\n')
[i] drApiLogvPrintf(u'ICCC: check magic failed\n')
[i] drApiLogvPrintf(u'End of ICCC_Init, ret=1000c\n')
[i] drApiLogvPrintf(u'ICCC: Error writing Trustboot flag\n')
[+] tlApiNotify: Quitting!
```
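What the emulator's first task, loading the MCLF binary, involves, as an added example that is not the authors' emulator.py: it reads the header, derives the text/data/BSS layout printed in the output above and rejects headers whose segments wrap, overlap or exceed the file. The header offsets and service-type values are recalled from the publicly released MobiCore `mcLoadFormat.h` and are an assumption here, as is the file layout; the sample image is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header offsets and service types as recalled from the publicly released
 * MobiCore header mcLoadFormat.h (version 2 layout): an assumption here. */
enum { OFF_VERSION = 4, OFF_SERVICE_TYPE = 16, OFF_TEXT_START = 48,
       OFF_TEXT_LEN = 52, OFF_DATA_START = 56, OFF_DATA_LEN = 60,
       OFF_BSS_LEN = 64, OFF_ENTRY = 68, HDR_MIN = 76 };
enum { SVC_DRIVER = 1, SVC_SP_TRUSTLET = 2, SVC_SYSTEM_TRUSTLET = 3 };
enum { MCLF_OK = 0, MCLF_E_SHORT = -1, MCLF_E_MAGIC = -2, MCLF_E_WRAP = -3,
       MCLF_E_TRUNC = -4, MCLF_E_OVERLAP = -5, MCLF_E_ENTRY = -6 };

typedef struct { uint32_t start, len; } seg_t;
typedef struct {
    uint32_t version, service_type, entry;
    seg_t text, data, bss;
} mclf_info_t;

static uint32_t rd32(const uint8_t *p)   /* little-endian read */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) /* little-endian write */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* True when start + len does not fit in the 32-bit address space. */
static int wraps(seg_t s) { return s.len > UINT32_MAX - s.start; }
static int overlaps(seg_t a, seg_t b)
{
    return a.len && b.len &&
           (a.start < b.start + b.len) && (b.start < a.start + a.len);
}

/* Parse and sanity-check an MCLF image before mapping anything from it. */
int mclf_parse(const uint8_t *img, size_t size, mclf_info_t *out)
{
    uint32_t entry;

    if (size < (size_t)HDR_MIN) return MCLF_E_SHORT;
    if (memcmp(img, "MCLF", 4) != 0) return MCLF_E_MAGIC;
    out->version      = rd32(img + OFF_VERSION);
    out->service_type = rd32(img + OFF_SERVICE_TYPE);
    out->text.start   = rd32(img + OFF_TEXT_START);
    out->text.len     = rd32(img + OFF_TEXT_LEN);
    out->data.start   = rd32(img + OFF_DATA_START);
    out->data.len     = rd32(img + OFF_DATA_LEN);
    out->bss.len      = rd32(img + OFF_BSS_LEN);
    out->entry        = rd32(img + OFF_ENTRY);

    if (wraps(out->text) || wraps(out->data)) return MCLF_E_WRAP;
    /* BSS directly follows data, as in the output above (0x7000 + 0x168). */
    out->bss.start = out->data.start + out->data.len;
    if (wraps(out->bss)) return MCLF_E_WRAP;
    /* Assumption: the file holds the text bytes followed by the data bytes. */
    if ((uint64_t)out->text.len + out->data.len > size) return MCLF_E_TRUNC;
    if (overlaps(out->text, out->data) || overlaps(out->text, out->bss))
        return MCLF_E_OVERLAP;
    entry = out->entry & ~1u;            /* drop the Thumb bit */
    if (entry < out->text.start || entry - out->text.start >= out->text.len)
        return MCLF_E_ENTRY;
    return MCLF_OK;
}

/* In-memory footprint: text + data + BSS. */
uint32_t mclf_mem_size(const mclf_info_t *i)
{
    return i->text.len + i->data.len + i->bss.len;
}

/* Constructed sample: segment values copied from the emulator output above;
 * the version and entry point are invented for the example. */
#define SAMPLE_SIZE (0x4874u + 0x168u)
size_t build_sample(uint8_t *img)
{
    memset(img, 0, SAMPLE_SIZE);
    memcpy(img, "MCLF", 4);
    wr32(img + OFF_VERSION, 0x00020005u);
    wr32(img + OFF_SERVICE_TYPE, SVC_SP_TRUSTLET);
    wr32(img + OFF_TEXT_START, 0x1000u);
    wr32(img + OFF_TEXT_LEN, 0x4874u);
    wr32(img + OFF_DATA_START, 0x7000u);
    wr32(img + OFF_DATA_LEN, 0x168u);
    wr32(img + OFF_BSS_LEN, 0x17070u);
    wr32(img + OFF_ENTRY, 0x10A1u);
    return SAMPLE_SIZE;
}

int main(void)
{
    static uint8_t img[SAMPLE_SIZE];
    mclf_info_t m;
    int rc = mclf_parse(img, build_sample(img), &m);

    if (rc != MCLF_OK) { printf("rejected: %d\n", rc); return 1; }
    printf("size 0x%x, text 0x%08x+0x%x, data 0x%08x+0x%x, bss 0x%08x+0x%x\n",
           (unsigned)mclf_mem_size(&m), (unsigned)m.text.start, (unsigned)m.text.len,
           (unsigned)m.data.start, (unsigned)m.data.len,
           (unsigned)m.bss.start, (unsigned)m.bss.len);
    return 0;
}
```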
5 . 17
STEP #4 - FINDING VULNERABILITIES AUTOMATICALLY
[Toolset diagram: LOADER, EMULATOR, SCRIPTS, FUZZER]
5 . 18
TRUSTLETS FUZZER
- Based on AFL_Unicorn (internal project)
- Interfaces the fuzzer AFL with Unicorn
- Usability and performance improvements
- 100% of the code is written in Python!
5 . 19
TRUSTLETS FUZZER
5 . 20
TRUSTLETS SYMBOLIC EXECUTOR
- Based on Manticore by Trail of Bits
- Uses very simple strategies:
  - Mark the shared memory buffer symbolic
  - Explore all the paths of the trustlet
  - Check reads or writes to memory
  - Ask the solver for an invalid address
5 . 21
CRASH EXAMPLE
```
Command line: '../tainter.py -s 1036 ffffffff000000000000000000000005.tlbin.elf -t -c coverage.txt'
Status: Invalid symbolic memory access (mode:r)
================ PROC: 00 ================
Memory:
0000000000001000-0000000000008000 r x 00000094 ffffffff000000000000000000000005.tlbin.elf
0000000000009000-0000000000024000 rw 00006dc8 ffffffff000000000000000000000005.tlbin.elf
0000000000100000-0000000000101000 rw 00000000
0000000007d00000-0000000007d01000 rx 00000000
CPU:
INSTRUCTION: 0x00000000000059ec: pld [r1, #0x80]
APSR: 0x0000000060000000
R0 : 0x0000000000009aac
R1 : <BitVecExtract at 7f2571dbdeb8-T>
R10: 0x0000000000000000
R11: 0x0000000000000000
R12: 0x0000000000000000
R13: 0x0000000000023a28
```
5 . 22
STEP #5 - EXPLOITING THE VULNERABILITIES
[Toolset diagram: LOADER, EMULATOR, BINDINGS, SCRIPTS, FUZZER]
5 . 23
SOFTWARE STACK
[Diagram: Kinibi software stack split between the normal world and the secure world. Labels: connector, root provisioning agent, app, service provider provisioning agent, Kinibi client API, Kinibi daemon, Kinibi drivers, embedded OS kernel, SMC, monitor (ATF BL31), TEE-OS dispatcher, ATF, forward to custom TEE-OS handler, Kinibi micro-kernel, syscall handlers, runtime management (RTM), McLib (tlApi, drApi), DRCRYPT, secure drivers, trusted application, SiP/OEM and system containers (driver, TA), and two shared non-secure memory regions: the Trusted Application Communication Interface (TCI) and the MobiCore Communication Interface (MCI).]
5 . 24
CLIENT API
[Sequence diagram: the connector (normal world) and the trustlet (secure world) exchanging data through the shared memory buffer. Labels: mcOpenSession, allocate, write to, mcNotify, tlApiWaitNotification, read from, write to, tlApiNotify, mcWaitNotification, read from, mcCloseSession, free.]
5 . 25
PYTHON BINDINGS
- Writing C is tedious, writing Python is a lot easier
- Bindings of the mcClient API called pymcclient
- Provides various utilities: hexdump, (dis)assemble, etc.
- Provides a command interpreter which is based on IPython
5 . 26
SCRIPT EXAMPLE
```python
with Device(DEVICE_ID) as dev:
    with dev.buffer(TCI_BUFFER_SIZE) as tci:
        with open(TRUSTLET_FILE, "rb") as fd:
            buf = fd.read()
        with Trustlet(dev, tci, buf) as app:
            # Write the dword 1 at offset 0 of the TCI buffer
            tci.seek(0)
            tci.write_dword(1)
            # Notify the trustlet, then block until it notifies back
            app.notify()
            app.wait_notification()
            # Read back the first dword of the TCI buffer
            tci.seek(0)
            print(tci.read_dword())
```
5 . 27
VULNERABILITY ANALYSIS & EXPLOITATION
6 . 1
OVERVIEW
- Target: Samsung Galaxy S7 running Android 7.0
- Main goal: Obtaining code execution in EL3
- Prerequisites:
  - Being part of the radio group
  - Being able to write files somewhere on the device
6 . 2
ATTACK PLAN
[Diagram: Kinibi software stack with a "HERE!" marker]
6 . 3
SOFTWARE MITIGATIONS
[Table: rows S6, S7, S8, S9; columns XN bit, Canary, ASLR, PIE; cell values not preserved]
6 . 4
ATTACKING A TRUSTED APPLICATION
Overview
[Diagram: Kinibi software stack with a "WE'RE HERE!" marker]
6 . 5
ATTACKING A TRUSTED APPLICATION
SEM Trustlet Vulnerability
[Diagram: trustlet control flow. Labels: MAIN FUNCTION (stack initialization, TCI buffer size check), tlApiWaitNotification, COMMAND #1 HANDLER ... COMMAND #5 HANDLER ... COMMAND #N HANDLER, tlApiNotify]
- Stack-based buffer overflow in the handler of the command ID #5
- Call to memcpy at the beginning of the 5th command handler
- Before this call, the registers are set as follows:
  - R0 = SP+0x4F8-0xF0, the destination buffer
  - R1 = tci_buffer + 0x8, the source buffer
  - R2 = *(tci_buffer + 0x16808), the length of the buffer
```
.text:00020FB2 ADD.W R1, R0, #0x16000
.text:00020FB6 MOV R4, R1
.text:00020FB8 LDR.W R2, [R1,#0x808]
.text:00020FBC ADD.W R1, R0, #8
.text:00020FC0 ADD.W R0, SP, #0x4F8+var_F0
.text:00020FC4 BLX memcpy_aligned
```
6 . 6
ATTACKING A TRUSTED APPLICATION
Exploitation Results
[Diagram: Kinibi software stack with a "HERE!" marker]
- Code execution in S-EL0
- It is now possible to:
  - Communicate with Secure Drivers
  - Make some syscalls (e.g. print characters, get system information, etc.)
- Next target: Secure Driver
6 . 7
ATTACKING A SECURE DRIVER
VALIDATOR Secure Driver Vulnerability
- A vulnerability was found in the VALIDATOR secure driver
- Stack-based buffer overflow in the handler of the command ID #15
- Equivalent to the one found in the trustlet (i.e. memcpy in the stack and a user-controlled size)
```
.text:00001362 MOVS R2, #0x37 ; '7'
.text:00001364 MOV R1, R4
.text:00001366 ADDS R0, R6, #1
.text:00001368 BLX memcpy
```
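The unchecked copy described for the SEM trustlet's command #5 handler, which the slides say is repeated in the VALIDATOR secure driver, shown next to a bounds-checked form. This is an added example, not code from the talk or from Samsung: the 0x8 and 0x16808 offsets come from the slide, while the function names, status codes and the 0xF0 destination size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the slide: payload at +0x8, length word at +0x16808. */
#define TCI_DATA_OFF   0x8u
#define TCI_LEN_OFF    0x16808u
#define TCI_MIN_SIZE   (TCI_LEN_OFF + sizeof(uint32_t))
/* Assumption: the slide does not state the destination size; 0xF0 is a stand-in. */
#define LOCAL_BUF_SIZE 0xF0u

enum { CMD_OK = 0, CMD_ERR_TCI_SIZE = 1, CMD_ERR_LENGTH = 2 };

/* Pattern from the slides, for comparison only: the length word is trusted. */
uint32_t handle_cmd_unchecked(const uint8_t *tci)
{
    uint8_t local[LOCAL_BUF_SIZE];
    uint32_t len, sum = 0;
    memcpy(&len, tci + TCI_LEN_OFF, sizeof len);
    memcpy(local, tci + TCI_DATA_OFF, len);   /* len is never compared to sizeof local */
    for (uint32_t i = 0; i < len; i++) sum += local[i];
    return sum;
}

/* Hardened form: check the TCI size, snapshot the length once, bound it twice. */
int handle_cmd_checked(const uint8_t *tci, size_t tci_size, uint32_t *sum_out)
{
    uint8_t local[LOCAL_BUF_SIZE];
    uint32_t len, sum = 0;

    if (tci == NULL || sum_out == NULL || tci_size < TCI_MIN_SIZE)
        return CMD_ERR_TCI_SIZE;
    /* The normal world can rewrite shared memory at any time: read the length
       into a local once and use only that copy for the checks and the copy. */
    memcpy(&len, tci + TCI_LEN_OFF, sizeof len);
    if (len > sizeof local)                   /* destination bound */
        return CMD_ERR_LENGTH;
    if (len > TCI_LEN_OFF - TCI_DATA_OFF)     /* source bound, kept in case local grows */
        return CMD_ERR_LENGTH;
    memcpy(local, tci + TCI_DATA_OFF, len);
    for (uint32_t i = 0; i < len; i++) sum += local[i];
    *sum_out = sum;
    return CMD_OK;
}

/* Constructed input: a zeroed TCI buffer whose first payload bytes are 0x01. */
int run_checked(uint32_t claimed_len, size_t tci_size, uint32_t *sum_out)
{
    static uint8_t tci[TCI_MIN_SIZE];
    memset(tci, 0, sizeof tci);
    memset(tci + TCI_DATA_OFF, 0x01, LOCAL_BUF_SIZE);
    memcpy(tci + TCI_LEN_OFF, &claimed_len, sizeof claimed_len);
    return handle_cmd_checked(tci, tci_size, sum_out);
}

int main(void)
{
    uint32_t sum = 0;
    printf("len=0x10       -> %d\n", run_checked(0x10, TCI_MIN_SIZE, &sum));
    printf("len=0xF1       -> %d\n", run_checked(0xF1, TCI_MIN_SIZE, &sum));
    printf("len=0xFFFFFFFF -> %d\n", run_checked(0xFFFFFFFFu, TCI_MIN_SIZE, &sum));
    return 0;
}
```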
6 . 8
ATTACKING A SECURE DRIVER
Exploitation Results
[Diagram: Kinibi software stack with a "HERE!" marker]
- Code execution in S-EL0 but with higher privileges
- It is now possible to:
  - Communicate with the RunTimeManager (or RTM, an init-like process)
  - Access more syscalls (e.g. map physical memory, create threads, make SMCs, etc.)
- Next target: Trusted OS & Monitor
6 . 9
ATTACKING KINIBI AND THE MONITOR
Vulnerability Analysis
- mmap: secure and non-secure physical memory mapping syscall
- Vulnerability
  - Monitor mapped at 0x2022000
  - Can be mapped using mmap to modify an SMC
  - Calling the hijacked SMC allows code execution in EL3
- Patch
  - Fixed in the newest versions by using a blacklist
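One way to express the kind of blacklist check the slide mentions, as an added example that is not Kinibi's code. The monitor base 0x2022000 is from the slide; the region size, the function names and the status codes are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 0x1000u

struct phys_range { uint64_t base, size; };

/* Base 0x2022000 is the monitor address from the slide.
   Assumption: the 0x20000 size is constructed; the slide gives no size. */
static const struct phys_range denied[] = {
    { 0x02022000u, 0x00020000u },
};

enum map_status { MAP_OK = 0, MAP_ERR_ALIGN, MAP_ERR_WRAP, MAP_ERR_DENIED };

/* Half-open ranges [a, a+alen) and [b, b+blen); neither sum may wrap. */
static bool overlaps(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Hypothetical validation run before a physical mapping request is honoured. */
enum map_status check_phys_map(uint64_t pa, uint64_t len)
{
    if (len == 0 || pa % PAGE_SIZE != 0 || len % PAGE_SIZE != 0)
        return MAP_ERR_ALIGN;
    if (len > UINT64_MAX - pa)      /* pa + len would wrap */
        return MAP_ERR_WRAP;
    for (size_t i = 0; i < sizeof denied / sizeof denied[0]; i++)
        if (overlaps(pa, len, denied[i].base, denied[i].size))
            return MAP_ERR_DENIED;
    return MAP_OK;
}

int main(void)
{
    /* Constructed requests: inside, straddling, enclosing, adjacent, wrapping. */
    const struct phys_range req[] = {
        { 0x02022000u, 0x1000u }, { 0x02021000u, 0x2000u },
        { 0x02000000u, 0x100000u }, { 0x02021000u, 0x1000u },
        { 0xFFFFFFFFFFFFF000ULL, 0x2000u },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("pa=0x%llx len=0x%llx -> %d\n",
               (unsigned long long)req[i].base,
               (unsigned long long)req[i].size,
               (int)check_phys_map(req[i].base, req[i].size));
    return 0;
}
```

A denylist protects only the ranges it lists, so every secure region has to be enumerated for the check to hold.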
6 . 10
ATTACKING KINIBI AND THE MONITOR
Exploitation Results
[Diagram: Kinibi software stack with a "HERE!" marker]
- Code execution in EL3
- Now possible to do anything we want!
6 . 11
POST-EXPLOITATION
7 . 1
TRUSTPWN FRAMEWORK
- Based on the previous vulnerabilities
- Internals
  - Uses the EL3 vulnerability to have arbitrary access to Kinibi
  - Adds an SVC and a drApi function to execute code in S-EL1 "natively"
    - SVCs and drApi functions are referenced in pointer arrays
- Usage
  - Read or write memory arbitrarily
  - Execute code in S-EL1 and EL3
7 . 2
DEMO
Finding the Master Key in the Monitor
7 . 3
FINDING THE MASTER KEY IN THE MONITOR
DrApi Reversing
- Reversing the crypto-driver drcrypto (found embedded in Kinibi)
- DrApi 0x1030
  - Takes four possible command IDs (0xAA, 0xAB, 0xAC, 0xAD)
  - The interesting one is 0xAB
  - Wrapper around SMC 0xB2000005
- SMC 0xB2000005
  - SMC arguments:
    - R0: SMC ID
    - R0: command number (four possible values [0-3])
    - R1: number of bytes to read
  - Reads 0x10 bytes of the master key at 0x101E4000
7 . 4
FINDING THE MASTER KEY IN THE MONITOR
DrApi Function
7 . 5
FINDING THE MASTER KEY IN THE MONITOR
SMC Function
7 . 6
DEMO
Bypassing Signature Checks
7 . 7
BYPASSING SIGNATURE CHECKS
Methodology
- Reversing RTM
- Finding the SHA-256 of the public key corresponding to the private key used to sign TAs and SDs
- Signature is verified using tlApiSignatureVerify
- Patch the checks and load your own TA or SD
7 . 8
FINDING THE MASTER KEY IN THE MONITOR
RTM Verifications
First check
```
ROM:00006E62 BL tlApiSignatureVerify
ROM:00006E66 LDR R4, =0x40B00009
ROM:00006E68 ADDS R4, R4, #6
ROM:00006E6A CBNZ R0, loc_6E7A
ROM:00006E6C LDRB.W R0, [SP,#0xC0+var_44]
```
Second check
```
ROM:000073E0 BL tlApiSignatureVerify
ROM:000073E4 CBNZ R0, loc_73FA
ROM:000073E6 LDRB.W R0, [SP,#0x1C0+var_48]
```
7 . 9
DEMO
Trusted-OS Instrumentation
7 . 10
TRUSTED-OS INSTRUMENTATION
Methodology
- Handles ARMv7 and Thumb
- Based on the Undefined Instruction exception
- Undefined Instruction handler is replaced by our own code
- Patch an instruction with the ARM undefined instruction UDF 0xNNNN
- When a breakpoint triggers, the current context of the CPU is saved
  - Current context is saved
  - Overwritten instruction is executed
7 . 11
THANK YOU!
8 . 1