Breaking TEEs by Experience

It's notoriously hard to secure a Trusted Execution Environment (TEE) due to the interaction between complex hardware and a large trusted code base (TCB). The security provided by TEEs has been broken on a wide variety of devices, including mobile phones, smart TVs and even vehicles. Publicly disclosed TEE vulnerabilities were often exploited directly from the less-trusted Rich Execution Environment (REE). Many of these vulnerabilities were speandcific for TEEs and required novel exploitation techniques.

The TEEPwn experience provides an offensive system-level perspective and dives into the darker corners of TEE Security. It is designed with a system-level approach, where you will experience powerful exploitation of TEE vulnerabilities. The TEEPwn experience is hands-on, gamified and driven by an exciting jeopardy-style Capture the Flag (CTF).

Your journey starts by achieving a comprehensive understanding of TEEs, where you will learn how hardware and software concur to enforce effective security boundaries. You will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. You will then be challenged along the path to exploit them in multiple scenarios. All vulnerabilities are identified and exploited on our emulated attack platform which implements an ARMv8 (64-bit) TEE based on ARM TrustZone.

You will take on different roles, as an attacker in control of:

  • the REE, attempting to achieve privileged code execution in the TEE.
  • the REE, trying to access assess protected by a Trusted Application (TA).
  • a TA, aiming to escalate privileges to TEE OS.
  • a TA, accessing the protected assets of other TAs.

TEEPwn will guide you into an unexpected range of attack vectors and TEE-specific exploitation techniques, which may be leveraged for novel and creative software exploits. refining your skills to a new level.

Please contact us for more information!

Anonymous

Anonymous

Really enjoyed the material and CTF, instructions were clear, challenges were nicely staggered, just tricky enough without being frustrating and conveyed the concepts clearly.

Anonymous

Anonymous

the training is AMAZING, could use a bit more coffee breaks

Anonymous

Anonymous

For me as a non-SW reversengineer the learning curve is a bit steep, but better by challenged than to be bored during a training

Anonymous

Anonymous

Thanks for organizing training in Ringzer0. It is above my expectations, and I enjoyed very much these 5 days. Training contents are well considered.

Anonymous

Anonymous

Dig deep into the TEE environments that are out there. Some really interesting outputs from the class.

Anonymous

Anonymous

The knowledge of the instructor was excellent, guiding us towards specific vulnerability classes and giving concrete examples with the chance to exercise exploitation skills.

Anonymous

Anonymous

Very very nice docker environment that enabled it all to go smoothly. All the complexity of managing multiple toolchains etc. were hidden away making the experience transparent to learners. Excellent all around!

Anonymous

Anonymous

It was a delightful experience! I really enjoyed the training itself and the way Cristofaro presented and explained. Also, the training was very organized and well instructed. Big thank you!

Anonymous

Anonymous

The TEEPwn training is world class. I have learnt a lot, the trainer is exceptionally knowledgeable and I intend on organising more of my colleagues to attend this training.


Additional Info

Audience

  • Security Analysts and Researchers, interested in new techniques.
  • Software Security Developers/Architects interested in TEE software attack techniques.

Agenda

  • TEE Fundamentals
    • TEE overview
    • Security model
  • ARM TrustZone-based TEEs
    • TEE SW components
    • TEE attacker model
    • TEE attack surface
  • REE –> TEE attacks
    • Secure Monitor
    • TEE OS (SMC interface)
    • Exploitation:
      • Vulnerable SMC handlers
      • Broken design
      • Unchecked Pointers
      • Restricted writes
      • Range checks
  • REE –> TA attacks
    • Communicating with TAs
    • Global Platform APIs
    • Exploitation:
      • Type confusion
      • TOCTOU (Double fetch)
  • TA –> TEE attacks
    • TEE OS (Syscall interface)
    • Drivers
    • Exploitation:
      • Unchecked pointers from TA
      • Vulnerable crypto primitives
  • TA –> TA attacks
    • State confusion

Learning objectives

  • Explore TEE security at the system level
  • Gain strong understanding of TrustZone-based TEEs
  • Identify vulnerabilities across the entire TEE attack surface
  • Experience TEE-specific exploitation techniques

Attendee requirements

  • Experience with C/C++ programming
  • Experience with the ARM architecture (AArch64)
  • Understanding of typical software vulnerabilities
  • Familiarity with reverse engineering and typical exploitation techniques
  • Familiarity with modern OS security concepts

Please contact us for more information!

Hostringzer0
DateFeb 20-23, 2024
TypeClassroom
LocationAustin (USA)
LanguageEnglish

Buy your ticket soon

HostNFI
DateMay 21-24, 2024
TypeClassroom
LocationNetherlands
LanguageEnglish

Access restricted

HostNFI
DateNov 12-15, 2024
TypeClassroom
LocationNetherlands
LanguageEnglish

Access restricted

HostNFI
DateFeb 25-28, 2025
TypeClassroom
LocationNetherlands
LanguageEnglish

Access restricted

Contact Us

Contact Details

Feel free to contact us, we will be happy to listen and support.

Meeuwenlaan 20, 3055 CL, Rotterdam, The Netherlands
Email: info@raelize.com
VAT: NL861445934B01
KVK: 78549477