More Web Proxy on the site http://driver.im/

research-article

Memory corruption attacks within Android TEEs: a case study based on OP-TEE

Authors:

Fabian Fleischer,

Phillip KuhrtAuthors Info & Claims

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

Article No.: 53, Pages 1 - 9

https://doi.org/10.1145/3407023.3407072

Published: 25 August 2020 Publication History

Abstract

Many security-critical services on mobile devices rely on Trusted Execution Environments (TEEs). However, due to the proprietary and locked-down nature of TEEs, the available information about these systems is scarce. In recent years, we have witnessed several exploits targeting all major commercially used TEEs, which raises questions about the capabilities of TEEs to provide the expected integrity and confidentiality guarantees. In this paper, we evaluate the exploitability of TEEs by analyzing common flaws from the perspective of an adversary. We provide multiple vulnerable TEE applications for OP-TEE, a reference implementation for TEEs, and elaborate on the steps necessary for their exploitation on an Android system. Our vulnerable examples are inspired by real-world exploits seen in-the-wild on commercially used TEEs. With this work, we provide developers and researchers with introductory knowledge to realistically assess the capabilities of TEEs. For these purposes, we also make our examples publicly available.

References

[1]

Tarasikov Alexander. 2019. Reverse-engineering Samsung Exynos 9820 bootloader and TZ. Retrieved June 27, 2020 from https://allsoftwaresucks.blogspot.com/2019/05/reverse-engineering-samsung-exynos-9820.html

[2]

Adamski Alexandre, Guilbon Joffrey, and Peterlin Maxime. 2020. A Deep Dive Into Samsung's TrustZone (Part 3). Retrieved July 3, 2020 from https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-3.html

[3]

ARM. 2008. TrustZone System Design. Retrieved January 3, 2020 from https://web.archive.org/web/20080505021706/http://www.arm.com/products/esd/trustzone_systemdesign.html

[4]

ARM. 2010-2016. Secure Configuration Register. Retrieved January 3, 2020 from http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0434c/CIHBJJCF.html

[5]

ARM. 2013. System Control Register, EL1. Retrieved July 3, 2020 from http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0488c/BABJAHDA.html

[6]

ARM. 2017. Security in ARMv8 systems, Version 1.0. Retrieved July 3, 2020 from https://developer.arm.com/docs/100935/0100

[7]

ARM. 2019. Procedure Call Standard for the ARM 64-bit Architecture (AArch64). Retrieved July 3, 2020 from https://github.com/ARM-software/software-standards/blob/master/abi/aapcs64/aapcs64.rst

[8]

Ahmad Atamli-Reineh, Ravishankar Borgaonkar, Ranjbar A. Balisane, Giuseppe Petracca, and Andrew Martin. 2016. Analysis of Trusted Execution Environment Usage in Samsung KNOX. In Proceedings of the 1st Workshop on System Software for Trusted Execution (Trento, Italy) (SysTEX '16). Association for Computing Machinery, New York, NY, USA, Article 7, 6 pages.

Digital Library

[9]

Gal Beniamini. 2016. Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921). Retrieved July 2, 2020 from https://bits-please.blogspot.com/2016/01/android-privilege-escalation-to.html

[10]

Gal Beniamini. 2016. QSEE privilege escalation vulnerability and exploit (CVE-2015-6639). Retrieved June 27, 2020 from https://bits-please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html

[11]

Gal Beniamini. 2017. Trust Issues: Exploiting TrustZone TEEs. Retrieved July 3, 2020 from https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html

[12]

Tyler Bletsch, Xuxian Jiang, Vince W. Freeh, and Zhenkai Liang. 2011. Jump-Oriented Programming: A New Class of Code-Reuse Attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (Hong Kong, China) (ASIACCS '11). Association for Computing Machinery, New York, NY, USA, 30--40.

Digital Library

[13]

Marcel Busch and Kalle Dirsch. 2020. Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution. In Proceedings of the 3rd Workshop on Binary Analysis Research.

[14]

Amat Cama. 2014--2019. xrop. Retrieved July 3, 2020 from https://github.com/acama/xrop

[15]

David Cerdeira, Nuno Santos, Pedro Fonseca, and Sandro Pinto. 2020. SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, USA. 18--20.

[16]

Moritz Eckert, Antonio Bianchi, Ruoyu Wang, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2018. HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 99--116. https://www.usenix.org/conference/usenixsecurity18/presentation/eckert

[17]

GlobalPlatform. 2019. TEE Client API Specification. Retrieved July 3, 2020 from https://globalplatform.org/specs-library/tee-client-api-specification/

[18]

GlobalPlatform. 2019. TEE Internal Core API Specification. Retrieved July 3, 2020 from https://globalplatform.org/specs-library/tee-internal-core-api-specification-v1-2/

[19]

Google. 2018. Android Keystore. Retrieved July 3, 2020 from https://source.android.com/security/keystore

[20]

Dan Handley, Charles Garcia-Tobin, and ARM. 2014. Trusted Firmware Deep Dive. Retrieved July 3, 2020 from https://www.slideshare.net/linaroorg/trusted-firmware-deepdivev10/7

[21]

Lee Harrison, Hayawardh Vijayakumar, Rohan Padhye, Koushik Sen, and Michael Grace. 2020. PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Boston, MA. https://www.usenix.org/conference/usenixsecurity20/presentation/harrison

[22]

Ben Lapid and Avishai Wool. 2018. Navigating the Samsung TrustZone and Cache-Attacks on the Keymaster Trustlet. In Computer Security, Javier Lopez, Jianying Zhou, and Miguel Soriano (Eds.). Springer International Publishing, Cham, 175--196.

[23]

Linaro.2019. OP-TEE/optee_os. Retrieved July 3, 2020 from https://github.com/OP-TEE/optee_os

[24]

Aravind Machiry, Eric Gustafson, Chad Spensky, Christopher Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna. 2017. BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments. In NDSS.

[25]

Dru Nelson. 2013. Single Byte or Small x86 Opcodes. Retrieved July 3, 2020 from http://xxeo.com/single-byte-or-small-x86-opcodes

[26]

NIST. 2017. CVE-2016-8764. Retrieved July 3, 2020 from https://nvd.nist.gov/vuln/detail/CVE-2016-8764

[27]

Eloi Sanfelix. 2019. TEE Exploitation - Exploiting Trusted Apps on Samsung's TEE. Retrieved July 3, 2020 from https://downloads.immunityinc.com/infiltrate2019-slidepacks/eloi-sanfelix-exploiting-trusted-apps-in-samsung-tee/TEE.pdf

[28]

Sascha Schirra. 2014--2019. ropper. Retrieved July 3, 2020 from https://github.com/sashs/Ropper

[29]

Shellphish. 2020. shellphish/how2heap. Retrieved July 3, 2020 from https://github.com/shellphish/how2heap

[30]

Nick Stephens. 2017. Behind the PWN of a TrustZone. Retrieved July 3, 2020 from https://www.slideshare.net/GeekPwnKeen/nick-stephenshow-does-someone-unlock-your-phone-with-nose

[31]

John Walker. 1996. BGET. Retrieved July 3, 2020 from https://www.fourmilab.ch/bget/

Cited By

Li RLi YWang QDuan SWang QRyan M(2025)Accountable Decryption Made Formal and PracticalIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.351580820(620-635)Online publication date: 2025
https://doi.org/10.1109/TIFS.2024.3515808
Reddy ABanda G(2024)ElasticPay: Instant Peer-to-Peer Offline Extended Digital Payment SystemSensors10.3390/s2424803424:24(8034)Online publication date: 16-Dec-2024
https://doi.org/10.3390/s24248034
Chen XHe SSun LZheng YWu C(2024)A Survey of Consortium Blockchain and Its ApplicationsCryptography10.3390/cryptography80200128:2(12)Online publication date: 22-Mar-2024
https://doi.org/10.3390/cryptography8020012
Show More Cited By

Index Terms

Memory corruption attacks within Android TEEs: a case study based on OP-TEE
1. Security and privacy
  1. Software and application security
    1. Software security engineering
  2. Systems security
    1. Operating systems security
      1. Mobile platform security
      2. Trusted computing

Recommendations

RusTEE: Developing Memory-Safe ARM TrustZone Applications
ACSAC '20: Proceedings of the 36th Annual Computer Security Applications Conference

In the past decade, Trusted Execution Environment (TEE) provided by ARM TrustZone is becoming one of the primary techniques for enhancing the security of mobile devices. The isolation enforced by TrustZone can protect the trusted applications running in ...
SecTEE: A Software-based Approach to Secure Enclave Architecture Using TEE
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Secure enclaves provide a practical solution to secure computation, and current approaches to secure enclaves are implemented by extending hardware security mechanisms to the CPU architecture. Therefore, it is hard for a platform to offer secure ...
Secure Block Device -- Secure, Flexible, and Efficient Data Storage for ARM TrustZone Systems
TRUSTCOM '15: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA - Volume 01

Recent years have seen a flurry of activity in the area of efficient and secure file systems for cloud storage, and also in the area of memory protection for secure processors. Both scenarios use cryptographic methods for data protection. Here, we ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

August 2020

1073 pages

ISBN:9781450388337

DOI:10.1145/3407023

Program Chairs:
Melanie Volkamer
Karlsruhe Institute of Technologie (KIT), Competence Center for Applied Security Technology (KASTEL)
,
Christian Wressnegger
Karlsruhe Institute of Technologie (KIT), Competence Center for Applied Security Technology (KASTEL)

Copyright © 2020 ACM.

© 2020 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 August 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ARES 2020

ARES 2020: The 15th International Conference on Availability, Reliability and Security

August 25 - 28, 2020

Virtual Event, Ireland

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

11
Total Citations
View Citations
629
Total Downloads

Downloads (Last 12 months)131
Downloads (Last 6 weeks)12

Reflects downloads up to 02 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Li RLi YWang QDuan SWang QRyan M(2025)Accountable Decryption Made Formal and PracticalIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.351580820(620-635)Online publication date: 2025
https://doi.org/10.1109/TIFS.2024.3515808
Reddy ABanda G(2024)ElasticPay: Instant Peer-to-Peer Offline Extended Digital Payment SystemSensors10.3390/s2424803424:24(8034)Online publication date: 16-Dec-2024
https://doi.org/10.3390/s24248034
Chen XHe SSun LZheng YWu C(2024)A Survey of Consortium Blockchain and Its ApplicationsCryptography10.3390/cryptography80200128:2(12)Online publication date: 22-Mar-2024
https://doi.org/10.3390/cryptography8020012
Schulze MLindenmeier CRöckl JFreiling FSchrittwieser SIanni M(2024)IlluminaTEE: Effective Man-At-The-End Attacks from within ARM TrustZoneProceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks10.1145/3689934.3690838(11-21)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689934.3690838
Duan LSun YNi WDing WLiu JWang W(2023)Attacks Against Cross-Chain Systems and Defense Approaches: A Contemporary SurveyIEEE/CAA Journal of Automatica Sinica10.1109/JAS.2023.12364210:8(1647-1667)Online publication date: Aug-2023
https://doi.org/10.1109/JAS.2023.123642
Shiba KKuzuno HYamauchi T(2023)Prevention Method for Stack Buffer Overflow Attack in TA Command Calls in OP-TEE2023 Eleventh International Symposium on Computing and Networking Workshops (CANDARW)10.1109/CANDARW60564.2023.00052(274-278)Online publication date: 27-Nov-2023
https://doi.org/10.1109/CANDARW60564.2023.00052
Bove DSuga YSakurai KDing XSako K(2022)SoKProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security10.1145/3488932.3517417(616-629)Online publication date: 30-May-2022
https://dl.acm.org/doi/10.1145/3488932.3517417
Marth DHlauschek CSchanes CGrechenig T(2022)Abusing Trust: Mobile Kernel Subversion via TrustZone Rootkits2022 IEEE Security and Privacy Workshops (SPW)10.1109/SPW54247.2022.9833891(265-276)Online publication date: May-2022
https://doi.org/10.1109/SPW54247.2022.9833891
Koutroumpouchos NNtantogian CXenakis C(2021)Building Trust for Smart Connected Devices: The Challenges and Pitfalls of TrustZoneSensors10.3390/s2102052021:2(520)Online publication date: 13-Jan-2021
https://doi.org/10.3390/s21020520
Melotti DRossi-Bellom MContinella A(2021)Reversing and Fuzzing the Google Titan M ChipReversing and Offensive-oriented Trends Symposium10.1145/3503921.3503922(1-10)Online publication date: 18-Nov-2021
https://dl.acm.org/doi/10.1145/3503921.3503922
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten