Horizontal Privilege Escalation in Trusted Applications

Darius Suciu, Stephen McLaughlin, Laurent Simon, Radu Sion

Hooper
July 19, 2020

Stony Brook Network Security and Applied Cryptography Laboratory
National Security Institute

Background: Bugs over time

[Figure: two panels, "Linux lines of code over time" and "Linux vulnerabilities over time"]

Source: Meng, Dan, et al. "Security-first architecture: deploying physically isolated active security processors for safeguarding the future of computing."
Source: https://commons.wikimedia.org/wiki/File:Lines_of_Code_Linux_Kernel.svg

Background: TrustZone

[Diagram: an ARM Cortex processor split by the Monitor into a Normal World, where the Rich Operating System runs Applications (App), and a Secure World, where the Secure OS runs Trusted Applications (TA)]

Background: TrustZone Attacks

[Diagram: the same TrustZone layout; a Normal World App attacks a Trusted Application to escalate privilege into the Secure World]

Background: Boomerang[1] attack

[Diagram: the same TrustZone layout; a Normal World App drives a Trusted Application so that the TA's Secure World privilege is turned back against the Normal World (other Apps and the Rich OS)]

[1] Machiry, Aravind, et al. "BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments." NDSS. 2017.

Background: Privilege escalation

[Diagram: Apps running on the Rich Operating System, above the Secure Operating System and the Monitor. Horizontal privilege escalation (HPE): an App gains access to another App's data at the same privilege level. Vertical privilege escalation: an App gains the privileges of the operating system or of the Secure World]

HPE attack using TA

[Diagram: the same TrustZone layout; a malicious Normal World App invokes a Trusted Application and, through the state the TA keeps, escalates privilege horizontally over another Normal World App]

Storing data in Secure World

[Diagram: A: App (Normal World) → TA (Secure World): Write(data); B: TA → Global Storage: Store(data)]

Global data attack examples

Actors: a Victim App and a Malicious App in the Normal World, and one TA in the Secure World that keeps caller data in a Global variable.

Data leakage
1: Victim App → TA: Write(data) (kept in Global)
2: Malicious App → TA: Read(data)

Data compromise
1: Victim App → TA: Write(data)
2: Malicious App → TA: Modify(data)
3: Victim App → TA: Read(data) (receives attacker-controlled data)

Decryption oracle
1: Victim App → TA: Write(key)
2: Malicious App → TA: Request decrypt(key, input)
3: Malicious App → TA: Read decrypted input

Stored data attack examples

Actors: a Victim App and a Malicious App in the Normal World, and two TAs (TA1, TA2) in the Secure World that share Global Storage.

Data leakage
1: Victim App → TA1: Save(data)
2: TA1 → Global Storage: Write(data)
3: TA2 ← Global Storage: Read(data)
4: Malicious App ← TA2: Load(data)

Data compromise
1: Victim App → TA1: Save(data)
2: TA1 → Global Storage: Write(data)
3: Malicious App → TA2: Modify(data)
4: TA2 → Global Storage: Write(data)
5: TA1 ← Global Storage: Read(data)
6: Victim App ← TA1: Load(data) (receives attacker-modified data)

Decryption oracle
1: Victim App → TA1: Save(key)
2: TA1 → Global Storage: Write(key)
3: Malicious App → TA2: Request decrypt(key, input)
4: TA2 ← Global Storage: Read(key)
5: Malicious App ← TA2: Read decrypted input
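The decryption-oracle sequence on the two slides above, written out as an added example (this is not code from the talk or from any of the analyzed TAs). A toy multi-tenant TA command handler keeps the last caller's key in a global, so a second session can ask it to decrypt the first session's content; the hardened variant beside it binds the key to the calling session, which is the session-management mitigation the talk proposes. The XOR cipher, the command codes, the session ids, the error codes and the victim key/content are all assumptions made for the example.

```c
/* Added example (not the talk's code): a toy multi-tenant TA command handler
 * matching the "Decryption oracle" sequence on the slides. vuln_ta_invoke keeps
 * the last caller's key in a global, so any later session can decrypt with it;
 * safe_ta_invoke binds the key to the calling session. The XOR cipher, command
 * codes, session ids and error codes are assumptions made for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_STORE_KEY  1
#define CMD_DECRYPT    2
#define KEY_LEN        16
#define MAX_SESSIONS   4
#define TA_OK          0
#define TA_ERR_ACCESS (-1)
#define TA_ERR_PARAM  (-2)

typedef int (*ta_invoke_fn)(int session, int cmd,
                            const uint8_t *in, size_t len, uint8_t *out);

/* Toy cipher standing in for the TA's real crypto: XOR with a repeating key. */
static void toy_cipher(const uint8_t *key, const uint8_t *in, uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key[i % KEY_LEN];
}

/* ---- Vulnerable TA: one global key slot shared by every session ---- */
static uint8_t g_key[KEY_LEN];
static int     g_key_set;

int vuln_ta_invoke(int session, int cmd, const uint8_t *in, size_t len, uint8_t *out)
{
    (void)session;                         /* caller identity is never consulted */
    switch (cmd) {
    case CMD_STORE_KEY:                    /* 1: Write(key) lands in a global */
        if (len != KEY_LEN) return TA_ERR_PARAM;
        memcpy(g_key, in, KEY_LEN);
        g_key_set = 1;
        return TA_OK;
    case CMD_DECRYPT:                      /* 2: Request decrypt(key, input) */
        if (!g_key_set) return TA_ERR_ACCESS;
        toy_cipher(g_key, in, out, len);   /* 3: whoever asked reads the plaintext */
        return TA_OK;
    default:
        return TA_ERR_PARAM;
    }
}

/* ---- Hardened TA: the key lives in the calling session's context ---- */
struct session_ctx { uint8_t key[KEY_LEN]; int key_set; };
static struct session_ctx g_sessions[MAX_SESSIONS];

int safe_ta_invoke(int session, int cmd, const uint8_t *in, size_t len, uint8_t *out)
{
    if (session < 0 || session >= MAX_SESSIONS) return TA_ERR_PARAM;
    struct session_ctx *ctx = &g_sessions[session];
    switch (cmd) {
    case CMD_STORE_KEY:
        if (len != KEY_LEN) return TA_ERR_PARAM;
        memcpy(ctx->key, in, KEY_LEN);
        ctx->key_set = 1;
        return TA_OK;
    case CMD_DECRYPT:
        if (!ctx->key_set) return TA_ERR_ACCESS;   /* another session's key is invisible */
        toy_cipher(ctx->key, in, out, len);
        return TA_OK;
    default:
        return TA_ERR_PARAM;
    }
}

/* Wipe on close so a reused session id cannot inherit the previous tenant's key. */
void safe_ta_close(int session)
{
    if (session >= 0 && session < MAX_SESSIONS)
        memset(&g_sessions[session], 0, sizeof g_sessions[session]);
}

/* Constructed inputs for the scenario below. */
static const uint8_t VICTIM_KEY[KEY_LEN + 1] = "0123456789abcdef";
static const uint8_t VICTIM_PLAIN[]          = "DRM content key!";
#define VICTIM_LEN (sizeof VICTIM_PLAIN - 1)

/* The victim (session 0) provisions its key; `caller` then submits the victim's
 * ciphertext. Returns 1 if that caller got the victim's plaintext back. */
int caller_recovers_plaintext(ta_invoke_fn invoke, int caller)
{
    uint8_t ct[VICTIM_LEN], pt[VICTIM_LEN];
    toy_cipher(VICTIM_KEY, VICTIM_PLAIN, ct, VICTIM_LEN);
    if (invoke(0, CMD_STORE_KEY, VICTIM_KEY, KEY_LEN, NULL) != TA_OK) return 0;
    if (invoke(caller, CMD_DECRYPT, ct, VICTIM_LEN, pt) != TA_OK) return 0;
    return memcmp(pt, VICTIM_PLAIN, VICTIM_LEN) == 0;
}

int main(void)
{
    printf("vuln TA, attacker session 1: %d\n", caller_recovers_plaintext(vuln_ta_invoke, 1));
    printf("safe TA, attacker session 1: %d\n", caller_recovers_plaintext(safe_ta_invoke, 1));
    printf("safe TA, victim session 0:   %d\n", caller_recovers_plaintext(safe_ta_invoke, 0));
    return 0;
}
```

The point of the hardened handler is not the cipher but where the key lives: the vulnerable TA has no notion of which caller wrote the key, so the only check it can make (is a key set at all?) is satisfied by the victim's earlier invocation. Binding state to a session, and wiping it on close, is what makes "Request decrypt" from another caller fail with TA_ERR_ACCESS instead of returning the plaintext.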


HPE manual analysis

95 TA binaries analyzed

3 major TrustZone environments investigated (Kinibi, QSEE, Teegris)

HPE-enabling vulnerabilities discovered (3 types)

Findings: vulnerable TAs

[Chart: number of TAs investigated and number vulnerable, per TA group (DRM, Key management, Attestation, Hardware drivers, Device integrity, Authentication, Utility) and per environment (Kinibi, QSEE, Teegris). Share of vulnerable TAs in the DRM, Key management and Attestation groups: Kinibi 100%, 42%, 100%; QSEE 28%, 27%, 100%; Teegris 50%, 25%, 100%. No vulnerable TAs in the Hardware drivers, Device integrity, Authentication or Utility groups in any environment]

Findings: vulnerable TAs

[Chart: Teegris only, number investigated and number vulnerable per TA group. DRM: 2 investigated, 50% vulnerable; Key management: 12 investigated, 25% vulnerable; Attestation: 3 investigated, 100% vulnerable; Hardware drivers (5), Device integrity (3), Authentication (3) and Utility (3): 0% vulnerable]

Manual analysis: two engineers, four weeks

HPE vulnerability impact

Data leakage
Example: Encryption key leaked to attacker

Data compromise
Example: Encryption key replaced with attacker data

Decryption oracle
Example: DRM content decrypted for malicious app

Encryption oracle
Example: Encrypted keys replaced with attacker data

Signing oracle
Example: TA signs forged attestation data

Findings: HPE attack vectors

[Chart: number of HPE attack vectors identified per TA group (DRM, Key management, Attestation) and per environment (Kinibi, QSEE, Teegris), broken down by vector type. Group totals: DRM 11 (Kinibi), 11 (QSEE), 9 (Teegris); Key management 6 in each environment; Attestation 9 in each environment]

Findings: HPE attack vectors

[Chart: Teegris only, HPE attack vectors identified per TA group, by type (Key leakage, Data compromise, Decryption oracle, Encryption oracle, Signing oracle, Total). DRM: 2, 2, 2, 1, 2 (total 9); Key management: 3, 3, 0, 0, 0 (total 6); Attestation: 1, 0, 2, 1, 5 (total 9)]

Hooper: Automatic HPE detection

Phase 1, Symbolic execution: TA binary → path semantics
Phase 2, State matching: path semantics → state inspection
Phase 3, Vulnerability checking: state inspection → bugs found

Hooper: Cross-invocation tracking

TA execution paths are recovered from the TA's basic blocks, from Entry to Send output, with SimProcedures replacing library calls.

Paired paths using a global variable X: one path does X = input, another does output = X. Matching the global variable links them.

Paired paths using Storage[Y]: one path does Storage[Y] = input, another does output = Storage[Y]. Matching the storage location links them.

Each matched pair is a cross-invocation data flow: input written in one invocation reaches the output of a later one.
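The pairing step described above, as an added example (this is not Hooper's code): a matcher run over constructed per-path summaries of the kind a symbolic-execution phase would produce. A path that stores caller input into a location is paired with a path that sends the same location to the output; a global only matches within one TA, while a storage key also matches across TAs (the TA1/TA2 case from the stored-data slides). The summary format, the TA and path names, and the session_checked flag (meaning the path binds the access to the caller's session) are assumptions made for the example.

```c
/* Added example (not Hooper's code): the pairing step from the
 * "Cross-invocation tracking" slide, run over constructed path summaries.
 * A path that stores caller input into a global/storage location is paired
 * with a path that sends that location to the output; unless both sides bind
 * the access to the caller's session, the pair is a cross-invocation data
 * flow reachable by a different caller. Summary format, TA/path names and the
 * session_checked flag are assumptions made for the example. */
#include <stdio.h>
#include <string.h>

enum op  { OP_STORE_INPUT, OP_OUTPUT_FROM };   /* X = input  /  output = X */
enum loc { LOC_GLOBAL, LOC_STORAGE };          /* global variable / Storage[Y] */

struct path_summary {
    const char *ta;              /* TA the path belongs to */
    const char *path;            /* path identifier, Entry to Send output */
    enum op     op;
    enum loc    loc_kind;
    const char *loc;             /* variable name or storage key */
    int         session_checked; /* 1 if the path ties the access to the caller's session */
};

struct flow {
    const struct path_summary *writer;
    const struct path_summary *reader;
};

/* A global survives only inside one TA instance; persistent storage can be read
 * back by any TA that uses the same key (the TA1/TA2 slides). */
static int locations_match(const struct path_summary *w, const struct path_summary *r)
{
    if (w->loc_kind != r->loc_kind || strcmp(w->loc, r->loc) != 0) return 0;
    return w->loc_kind == LOC_STORAGE || strcmp(w->ta, r->ta) == 0;
}

/* Pair every input-storing path with every output path on the same location.
 * Returns the number of flows written to out (at most max). */
size_t find_cross_invocation_flows(const struct path_summary *ps, size_t n,
                                   struct flow *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (ps[i].op != OP_STORE_INPUT) continue;
        for (size_t j = 0; j < n && found < max; j++) {
            if (ps[j].op != OP_OUTPUT_FROM || !locations_match(&ps[i], &ps[j])) continue;
            if (ps[i].session_checked && ps[j].session_checked) continue; /* bound to one caller */
            out[found].writer = &ps[i];
            out[found].reader = &ps[j];
            found++;
        }
    }
    return found;
}

/* Constructed path summaries, as the symbolic-execution phase might report them. */
static const struct path_summary DEMO_PATHS[] = {
    {"TA1", "p1", OP_STORE_INPUT, LOC_GLOBAL,  "X", 0},   /* X = input            */
    {"TA1", "p2", OP_OUTPUT_FROM, LOC_GLOBAL,  "X", 0},   /* output = X           */
    {"TA1", "p3", OP_STORE_INPUT, LOC_STORAGE, "Y", 0},   /* Storage[Y] = input   */
    {"TA1", "p4", OP_OUTPUT_FROM, LOC_STORAGE, "Y", 0},   /* output = Storage[Y]  */
    {"TA2", "p5", OP_OUTPUT_FROM, LOC_STORAGE, "Y", 0},   /* other TA, same key   */
    {"TA2", "p6", OP_OUTPUT_FROM, LOC_GLOBAL,  "X", 0},   /* other TA's own X     */
    {"TA1", "p7", OP_STORE_INPUT, LOC_GLOBAL,  "Z", 1},   /* session-bound write  */
    {"TA1", "p8", OP_OUTPUT_FROM, LOC_GLOBAL,  "Z", 1},   /* session-bound read   */
};
#define DEMO_N (sizeof DEMO_PATHS / sizeof DEMO_PATHS[0])

static struct flow demo_flows[16];

size_t demo_flow_count(void)
{
    return find_cross_invocation_flows(DEMO_PATHS, DEMO_N, demo_flows, 16);
}

/* Reader path of the k-th flow found, or "" if there is no such flow. */
const char *demo_flow_reader(size_t k)
{
    return k < demo_flow_count() ? demo_flows[k].reader->path : "";
}

int main(void)
{
    size_t n = demo_flow_count();
    for (size_t k = 0; k < n; k++)
        printf("flow: %s/%s -> %s/%s via %s\n",
               demo_flows[k].writer->ta, demo_flows[k].writer->path,
               demo_flows[k].reader->ta, demo_flows[k].reader->path,
               demo_flows[k].writer->loc);
    return 0;
}
```

On the constructed input the matcher reports three flows: X within TA1, Y within TA1, and Y from TA1 into TA2. TA2's own global X is not paired with TA1's write, and the Z pair is dropped because both sides bind the access to the session. A real implementation would take the location names from the symbolic state rather than from hand-written summaries, but the pairing and the session-check rule are the part that turns path semantics into HPE findings.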


Automatic analysis results

[Chart: Teegris, attack vectors identified by Hooper versus false negatives, per TA group and vector type. DRM: 8 of 9 identified (88%; the miss is one of the two decryption-oracle vectors). Key management: 2 of 6 identified (33%; one of three key-leakage and one of three data-compromise vectors). Attestation: 9 of 9 identified (100%)]

Automatic analysis results

[Chart: Teegris, all groups, attack vectors identified versus false negatives. Data leakage 4 of 6 (66%), Data compromise 3 of 5 (60%), Decryption oracle 3 of 4 (75%), Encryption oracle 2 of 2 (100%), Signing oracle 7 of 7 (100%), Total 18 of 24 (75%)]

Vulnerabilities found in 24 hours vs 4 weeks of manual analysis

Mitigations

Resolve TA multi-tenant interference: introduce session management inside all multi-tenant TAs

Standardized TA session management: introduce a library for managing sessions inside TAs

Fine-grained access to Secure World storage: partition Secure World storage and enforce fine-grained access control

Minimize access to TAs: use fine-grained access policies to prevent unauthorized access to TAs

Conclusion

Some TAs store data from multiple applications across invocations

Insufficient access control exposes TA-managed data to attackers

Three types of HPE-enabling vulnerabilities found in 23 TAs

Automatic binary analysis can help identify HPE vulnerabilities

Platform-wide fine-grained access control would help mitigate HPE

Thank you!

Contact information:

Darius Suciu dsuciu@cs.stonybrook.edu
Stephen McLaughlin s.mclaughlin@samsung.com
Laurent Simon cam.lmrs2@gmail.com
Radu Sion sion@cs.stonybrook.edu

Questions?