Transcription
PartEmu: Enabling DynamicAnalysis of Real-WorldTrustZone Software UsingEmulationLee Harrison, Hayawardh Vijayakumar, Michael GraceSamsung Knox, Samsung Research AmericaRohan Padhye, Koushik SenEECS Department, University of California, Berkeley
The “Hidden” Software Stack: TrustZoneAndroidappsAndroidappsAndroid frameworkOS: Linux kernelTrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure Monitor
The “Hidden” Software Stack: TrustZone Separate software stackAndroidappsAndroidappsAndroid frameworkOS: Linux kernelTrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure Monitor Trusted applications (TAs) TrustZone OS (TZOS)
The “Hidden” Software Stack: TrustZoneNormal World/REEAndroidappsAndroidappsAndroid frameworkOS: Linux kernelSecure World/TEETrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure Monitor Separate software stack Trusted applications (TAs) TrustZone OS (TZOS) TEE/REE
The “Hidden” Software Stack: TrustZoneNormal World/REEAndroidappsAndroidappsAndroid frameworkOS: Linux kernelSecure World/TEETrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure MonitorHW CryptoKeysSecurePeripherals Separate software stack Trusted applications (TAs) TrustZone OS (TZOS) TEE/REE Basis for security: Hasaccess to hardware keys
The “Hidden” Software Stack: TrustZoneNormal World/REEAndroidappsAndroidappsAndroid frameworkOS: Linux kernelSecure World/TEETrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure MonitorHW CryptoKeysSecurePeripherals Separate software stack Trusted applications (TAs) TrustZone OS (TZOS) TEE/REE Basis for security: Hasaccess to hardware keys Access to TZ lockeddown: Only signedsoftware can run
Problem: Dynamic analysis of TZ is hard!ApproachResults: What did we learn?
Problem: Dynamic Analysis of TZ is HardNormal World/REEAndroidappsAndroidappsAndroid frameworkOS: Linux kernelSecure World/TEETrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure MonitorHW CryptoKeysSecurePeripherals
Problem: Dynamic Analysis of TZ is HardNormal World/REEAndroidappsAndroidappsAndroid frameworkOS: Linux kernelSecure World/TEETrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure MonitorHW CryptoKeysSecurePeripherals Dynamic analysis needsability to monitor target
Problem: Dynamic Analysis of TZ is HardNormal World/REEAndroidappsAndroidappsAndroid frameworkOS: Linux kernelSecure World/TEETrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure MonitorHW CryptoKeysSecurePeripherals Dynamic analysis needsability to monitor target Debugging – needsmemory/registers Feedback-driven fuzztesting – needs list ofbasic blocks covered
Problem: Dynamic Analysis of TZ is HardNormal World/REEAndroidappsAndroidappsAndroid frameworkOS: Linux kernelSecure World/TEETrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure MonitorHW CryptoKeysSecurePeripherals Dynamic analysis needsability to monitor target Debugging – needsmemory/registers Feedback-driven fuzztesting – needs list ofbasic blocks covered However, cannotinstrument TZ softwareor monitor TZ memorydue to signing!
Problem: Dynamic Analysis of TZ is HardNormal World/REEAndroidappsAndroidappsAndroid frameworkOS: Linux kernelSecure World/TEETrustedApp (TA)TrustedApp (TA)TrustZone OS (TZOS)Secure MonitorHW CryptoKeysSecurePeripherals Prior dynamic analysisapproaches limited! TA/TZOS binary reverseengineering Fuzz testing withoutfeedback
Solution: Dynamic Analysis By Emulation We build an emulator that runs real-world TZOSes and TAs
Solution: Dynamic Analysis By Emulation We build an emulator that runs real-world TZOSes and TAs Emulation enables dynamic analysis Allows introspection and monitoring of TZ execution
Solution: Dynamic Analysis By Emulation We build an emulator that runs real-world TZOSes and TAs Emulation enables dynamic analysis Allows introspection and monitoring of TZ execution We support four widely-used real-world TZOSes: Qualcomm’s QSEE Trustonic’s Kinibi Samsung’s TEEGRIS Linaro’s OP-TEE
Problem: Dynamic analysis of TZ is hard!Approach: How did we run TZ in an emulator?Results: What did we learn?
Challenge: Large Number of Components
Challenge: Large Number of ComponentsAndroid AppsAndroid FWLinux OSTEE UserspaceTEE DriverHypervisorSoftware
Challenge: Large Number of ComponentsAndroid AppsAndroid FWLinux OSTrusted AppsTEE UserspaceTEE DriverTrustZone OSHypervisorBootldrSecure MonitorSoftware
Challenge: Large Number of ComponentsAndroid AppsAndroid FWTrusted AppsTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrSecure rintSystemon-ChipCrypto HWTZASC/TZPCStorage
Challenge: Large Number of ComponentsAndroid AppsAndroid FWTrusted AppsTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrSecure rintSystemon-ChipCrypto HWTZASC/TZPCStorage
Traditional Approach: Emulate all HWAndroid AppsAndroid FWLinux OSTrusted AppsTEE UserspaceTEE DriverReuseUnmodifiedSoftwareComponentsTrustZone OSHypervisorBootldrSecure MonitorSoftwareHardware
Traditional Approach: Emulate all HWAndroid AppsAndroid FWTrusted AppsTEE UserspaceLinux OSTEE DriverReuseUnmodifiedSoftwareComponentsTrustZone OSHypervisorBootldrSecure rintSystemon-ChipCrypto HWTZASC/TZPCStorageEmulate AllHardwareComponents
Traditional Approach: Emulate all HWAndroid AppsAndroid FWTrusted AppsTEE UserspaceLinux OSTEE DriverReuseUnmodifiedSoftwareComponentsTrustZone OSHypervisorBootldrSecure rintSystemon-ChipCrypto HWTZASC/TZPCStorageImpractical to emulate all hardwareEmulate AllHardwareComponents
Our Approach: Emulate Subset of HW and SW
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsStudyComponentDependenciesTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrSecure rintSystemon-ChipCrypto HWTZASC/TZPCStorage
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsStudyComponentDependenciesTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrSecure pCrypto HWTZASC/TZPCStorage
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsStudyComponentDependenciesTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrSecure pCrypto HWTZASC/TZPCStorage
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsStudyComponentDependenciesTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrSecure pCrypto HWTZASC/TZPCTighty coupled,difficult to emulatedependencyStorage
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsStudyComponentDependenciesTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrSecure pCrypto HWTZASC/TZPCTighty coupled,difficult to emulatedependencyStorage
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsTEE UserspaceLinux OSTEE DriverLoosely coupled,easy to emulatedependencyTrustZone OSHypervisorBootldrSecure pCrypto HWTZASC/TZPCTighty coupled,difficult to emulatedependencyStorage
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrEmulateBootloaderUsing StubSecure pCrypto HWTZASC/TZPCStorageExcludeStorage
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrEmulateBootloaderUsing StubSecure pCrypto HWTZASC/TZPCStorageExcludeStorage
Our Approach: Emulate Subset of HW and SWAndroid AppsAndroid FWTrusted AppsTEE UserspaceLinux OSTEE DriverTrustZone OSHypervisorBootldrEmulateBootloaderUsing StubSecure pCrypto HWTZASC/TZPCStorageExcludeStorage
Emulation Effort Feasible Using Patterns
Emulation Effort Feasible Using Patterns Patterns to Emulate Hardware (MMIO Loads and Stores)
Emulation Effort Feasible Using Patterns Patterns to Emulate Hardware (MMIO Loads and Stores)
Emulation Effort Feasible Using Patterns Patterns to Emulate Hardware (MMIO Loads and Stores)
Emulation Effort Feasible Using Patterns Patterns to Emulate Software APIs
Emulation Effort Feasible Using Patterns Patterns to Emulate Software APIs
Emulation Effort Feasible Using Patterns Patterns to Emulate Software APIs
ImplementationQEMU
ImplementationQEMUHW Emulation
ImplementationQEMUHW EmulationPartEmuModuleAPIAFL FuzzModuleDebugModule
ImplementationSWEmulationGuestQEMUHW EmulationTAsTZOSPartEmuModuleAPIAFL FuzzModuleDebugModule
ImplementationSWEmulationTAsGuestTZOSDriverPartEmu RunManagement APIQEMUHW EmulationPartEmuModuleAPIAFL FuzzModuleDebugModule
Problem: Dynamic analysis of TZ is hard!Approach: How did we run TZ in an emulator?Results: What did we learn?
Fuzz Testing TAs Using AFL16 FirmwareImages
Fuzz Testing TAs Using AFL16 FirmwareImages12 Smartphone /IoT vendors
Fuzz Testing TAs Using AFL16 FirmwareImages12 Smartphone /IoT vendors196 Unique TAs
Fuzz Testing TAs Using AFL16 FirmwareImages12 Smartphone /IoT vendors196 Unique TAsAFL Crashed48 TAs
Fuzz Testing TAs Using AFL16 FirmwareImages12 Smartphone /IoT vendors196 Unique TAsAFL Crashed48 TAs Found TZ-specific coding anti-patterns that led to crashes
Anti-Pattern 1:Assumptions about Request Sequence
Anti-Pattern 1:Assumptions about Request Sequence TAs split work into small units receive a sequence of requests
Anti-Pattern 1:Assumptions about Request Sequence TAs split work into small units receive a sequence of requestschar *ptr NULL; // global switch (request) {case INIT:init(ptr);break;case DO ACTION:do action(ptr);break;case UNINIT:uninit(ptr);break;};
Anti-Pattern 1:Assumptions about Request Sequence TAs split work into small units receive a sequence of requests1.char *ptr NULL; // global switch (request) {case INIT:init(ptr);break;case DO ACTION:do action(ptr);break;case UNINIT:uninit(ptr);break;};
Anti-Pattern 1:Assumptions about Request Sequence TAs split work into small units receive a sequence of requests1.2.char *ptr NULL; // global switch (request) {case INIT:init(ptr);break;case DO ACTION:do action(ptr);break;case UNINIT:uninit(ptr);break;};
Anti-Pattern 1:Assumptions about Request Sequence TAs split work into small units receive a sequence of requests1.2.3.char *ptr NULL; // global switch (request) {case INIT:init(ptr);break;case DO ACTION:do action(ptr);break;case UNINIT:uninit(ptr);break;};
Anti-Pattern 1:Assumptions about Request Sequence TAs split work into small units receive a sequence of requests1.2.3.char *ptr NULL; // global switch (request) {case INIT:init(ptr);break;case DO ACTION:do action(ptr);break;case UNINIT:uninit(ptr);break;};1.
Anti-Pattern 1:Assumptions about Request Sequence TAs split work into small units receive a sequence of requests1.2.3.char *ptr NULL; // global switch (request) {case INIT:init(ptr);break;case DO ACTION:do action(ptr);break;case ce
Anti-Pattern 1:Assumptions about Request Sequence TAs split work into small units receive a sequence of requests1.2.3.char *ptr NULL; // global switch (request) {case INIT:init(ptr);break;case DO ACTION:do action(ptr);break;case ceTA should properly handle any sequence of requests from CA
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)SharedMemory
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)shm ta baseSharedMemory
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)shm ta baseSharedMemory
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)shm ta baseptr off shm ta baseSharedMemory
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)shm ta baseptrptr off shm ta baseSharedMemory
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)shm ta baseptrptr off shm ta baseSharedMemorymal ptr
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)shm ta baseptrptr off shm ta baseSharedMemorymal ptrTA Memory leak/ corruption
Anti-Pattern 2:Unvalidated Normal-World PointersNormal World/REESecure World/TEEClient App (CA)Trusted App (TA)shm ta baseptrptr off shm ta baseSharedMemorymal ptrTA Memory leak/ corruptionTA should check that CA-supplied pointers point to shared memory
Anti-Pattern 3:Unvalidated Parameter Types GlobalPlatform TEE API allows 4 parameters in TA calls Each parameter can be either a value or a pointer to a bufferTEE Result TA InvokeCommandEntryPoint(void *session, uint32 t cmd,uint32 t paramTypes, TEE Params params[4]){// Use params[0] as a bufferrequest ptr (struct request struct *) params[0];switch (request ptr- request) { }}
Anti-Pattern 3:Unvalidated Parameter Types GlobalPlatform TEE API allows 4 parameters in TA calls Each parameter can be either a value or a pointer to a bufferTEE Result TA InvokeCommandEntryPoint(void *session, uint32 t cmd,uint32 t paramTypes, TEE Params params[4]){// Use params[0] as a bufferrequest ptr (struct request struct *) params[0];switch (request ptr- request) { }}
Anti-Pattern 3:Unvalidated Parameter Types GlobalPlatform TEE API allows 4 parameters in TA calls Each parameter can be either a value or a pointer to a bufferTEE Result TA InvokeCommandEntryPoint(void *session, uint32 t cmd,uint32 t paramTypes, TEE Params params[4]){paramType(0) // Use params[0] as a bufferrequest ptr (struct request struct *) params[0];TEEC MEMREF;switch (request ptr- request) { }}
Anti-Pattern 3:Unvalidated Parameter Types GlobalPlatform TEE API allows 4 parameters in TA calls Each parameter can be either a value or a pointer to a bufferTEE Result TA InvokeCommandEntryPoint(void *session, uint32 t cmd,uint32 t paramTypes, TEE Params params[4]){paramTypes(0) // Use params[0] as a bufferrequest ptr (struct request struct *) params[0];TEEC MEMREF;switch (request ptr- request) { paramTypes(0) }TEEC VALUE;}
Anti-Pattern 3:Unvalidated Parameter Types GlobalPlatform TEE API allows 4 parameters in TA calls Each parameter can be either a value or a pointer to a bufferTEE Result TA InvokeCommandEntryPoint(void *session, uint32 t cmd,uint32 t paramTypes, TEE Params params[4]){paramTypes(0) // Use params[0] as a bufferrequest ptr (struct request struct *) params[0];TEEC MEMREF;switch (request ptr- request) { paramTypes(0) }TEEC VALUE;}TA Memory leak/ corruption
Anti-Pattern 3:Unvalidated Parameter Types GlobalPlatform TEE API allows 4 parameters in TA calls Each parameter can be either a value or a pointer to a bufferTEE Result TA InvokeCommandEntryPoint(void *session, uint32 t cmd,uint32 t paramTypes, TEE Params params[4]){paramTypes(0) // Use params[0] as a bufferrequest ptr (struct request struct *) params[0];TEEC MEMREF;switch (request ptr- request) { paramTypes(0) }TEEC VALUE;}TA Memory leak/ corruptionTA should check CA-supplied parameter types
Conclusion We showed that it is practically feasible to run real-world TZOSes andTAs in an emulator
Conclusion We showed that it is practically feasible to run real-world TZOSes andTAs in an emulator Large-scale fuzz testing of TAs using the emulator found severalpreviously unknown vulnerabilities in TAs with high reproducibility
Conclusion We showed that it is practically feasible to run real-world TZOSes andTAs in an emulator Large-scale fuzz testing of TAs using the emulator found severalpreviously unknown vulnerabilities in TAs with high reproducibility We identified vulnerability patterns unique to TA development Pointing to the need for TZ-specific developer education
Conclusion We showed that it is practically feasible to run real-world TZOSes andTAs in an emulator Large-scale fuzz testing of TAs using the emulator found severalpreviously unknown vulnerabilities in TAs with high reproducibility We identified vulnerability patterns unique to TA development Pointing to the need for TZ-specific developer educationThank you!
App (TA) Trusted App (TA) TrustZone OS (TZOS) Secure World/TEE HW Crypto Keys Secure Peripherals Dynamic analysis needs ability to monitor target Debugging –needs memory/registers Feedback-driven fuzz testing –needs list of basic blocks covered However, cannot instrument TZ softw
