finding 1 day vulnerabilities in trusted applications
play

Finding 1-Day Vulnerabilities in Trusted Applications using - PowerPoint PPT Presentation

Oct 02, 2023 •178 likes •352 views

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

  1. Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nürnberg, Germany BAR’20

  2. BAR’20 Motivation • How secure are Trusted Execution Environments (TEEs)? • What errors do vendors make? • In 2016 Huawei’s TEE got exploited • CVE-2016-8764 [2] • Type confusion bug in the Secure Storage Trusted Application (TA) • How to facilitate binary-diff-based analyses of 1-days in TAs? ⇒ Filter patches dealing with user input ⇒ Compare constraints introduced by patches a a https://www.youtube.com/watch?v=XjbGTZrg9DA 2/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  3. BAR’20 Background • Two “Worlds” • Two OSs Normal World Secure World • Two user spaces Client Applications Trusted Applications • Client Application (CA) logically ... ... interacts with TA TEE Internal Core API • Logical channel is carried out by Rich Dispatcher Operating System (Rich OS) and Rich OS Trusted OS Trusted Operating System (Trusted OS) • GlobalPlatform (GP) specification defines “ libc ” of TAs 3/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  4. BAR’20 Challenges and Related Work Challenges • TAs are closed source • No dynamic analysis Normal World Secure World ( i.e., debugging) Client Applications Trusted Applications • No TA modifications ( i.e., instrumentation) ... ... TEE Internal Core API Related Work Dispatcher • PartEmu [1] Rich OS Trusted OS • TEEGris Usermode [4] Our prototype, SimTA , focuses on • GP Internal Core API 4/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  5. BAR’20 TA Lifecycle while ( 1 ) { 1 LifecycleData* data = MsgRcv(); 2 3 switch ( data->lifecycle_cmd ) { 4 case OPEN_SESS: 5 • TA_CreateEntryPoint : if (data->init) { 6 Constructor TA_CreateEntryPoint(); 7 } 8 • TA_OpenSessionEntryPoint : TA_OpenSessionEntryPoint(...); 9 Opens client session break ; 10 case INVOKE_CMD: 11 • TA_InvokeCommandEntryPoint : TA_InvokeCommandEntryPoint(...); 12 break ; Invocation of TA commands 13 case CLOSE_SESS: 14 • TA_CloseSessionEntryPoint : TA_CloseSessionEntryPoint(...); 15 if (data->deinit) { 16 Closes client session TA_DestroyEntryPoint(); 17 } • TA_DestroyEntryPoint : 18 break ; 19 Destructor default : 20 break ; 21 } 22 MsgSnd(data); 23 } 24 5/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  6. BAR’20 TA Parameters TEE_Result TA_OpenSessionEntryPoint( 1 uint32_t paramTypes, typedef union { 2 1 [inout] TEE_Param params[4], struct { 3 2 [out][ctx] void ** sessionContext unsigned int buffer; 4 3 ); unsigned int size; 5 4 } memref; 6 5 TEE_Result TA_InvokeCommandEntryPoint( struct { 7 6 [ctx] void * sessionContext, unsigned int a; 8 7 uint32_t commandID, unsigned int b; 9 8 uint32_t paramTypes, } value; 10 9 [inout] TEE_Param params[4] } TEE_Param; 11 10 ); 12 6/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  7. BAR’20 TA CmdId-Handler TA_InvokeCommandEntryPoint(sessCtx, cmdId, paramTypes, params) { 1 switch ( cmdId ) { 2 case FOPEN: 3 if (paramTypes != FOPEN_PTYPES) 4 goto ptype_error; 5 6 char * path; size_t pathsz; 7 uint32_t flags; 8 TEE_ObjectHandle obj; 9 10 path = params[0]->memref.buffer; 11 pathsz = params[0]->memref.size; 12 flags = params[1]->value.a; 13 14 TEE_OpenPersistentObject(TEE_STORAGE_PRIVATE, path, pathsz, flags, &obj); 15 ... 16 break ; 17 case FREAD: 18 ... 19 } 20 return ; 21 ptype_error: 22 log("bad param types"); 23 return ; 24 } 25 7/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  8. BAR’20 TA Address Space 0xffffffff shared mem 0xc8020000 • Address space retrieved via stack 0x011b80000 CVE-2016-8764 exploit heap • globaltask implements GP 0x011b40000 Internal Core API storageTA • globaltask is the only library code rodata • TA does not perform syscalls 0x01040000 data • shared mem contains params globaltask code rodata data 0x0119e000 0x00000000 8/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  9. BAR’20 SimTA • Maps memory according to our analysis using angr [3] • Hooks input/output of lifecycle via angr-SimProcedures • Modular implementation of call sequences • Allows for selectively chosen symbolic inputs • Hooks GP Internal Core API via angr-SimProcedures • Specification of functions available from GP • Implements all functions used by storageTA • Can be found on GitHub: https://github.com/teesec/simta 9/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  10. BAR’20 Evaluation – Approach • Analysis of Secure Storage TA • VNS-L21C432B130 vs VNS-L21C432B160 • Used Zynamic’s BinDiff to identify patches 1 1 3 2 2 • SimTA provides 4 • filter mode – identifies patches dealing 5 6 6 with user-controlled input 9 9 8 8 7 7 • exec mode – runs both versions with selectively chosen symbolic inputs • Found three 1-days 10/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  11. BAR’20 Evaluation – CVE-2016-8764 Re-Discovery 1 TA_InvokeCommandEntryPoint(sessCtx, cmdId, 2 paramTypes, params) { 3 switch ( cmdId ) { 4 case FOPEN: 5 ... • Type confusion 6 break ; 7 case FREAD: 8 // if (paramTypes != FOPEN_PTYPES) 9 // goto ptype_error; 1 enum TEE_ParamType { 10 char *dst = params[0]->buffer; 2 TEE_PARAM_TYPE_NONE = 0x0, 11 int sz = params[0]->size; 3 TEE_PARAM_TYPE_VALUE_INPUT = 0x1, 12 ... 4 TEE_PARAM_TYPE_VALUE_OUTPUT = 0x2, 13 TEE_ReadObjectData(obj, dst, sz); 5 TEE_PARAM_TYPE_VALUE_INOUT = 0x3, 14 break ; 6 TEE_PARAM_TYPE_MEMREF_INPUT = 0x5, 15 ... 7 TEE_PARAM_TYPE_MEMREF_OUTPUT = 0x6, 16 ... 8 TEE_PARAM_TYPE_MEMREF_INOUT = 0x7, 17 } 9 }; 18 return ; 19 ptype_error: 20 log("bad param types"); 21 return ; 22 } 11/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  12. BAR’20 Evaluation – Heap-based buffer overflow 1 TA_InvokeCommandEntryPoint(sessCtx, cmdId, 2 paramTypes, params) { 3 switch ( cmdId ) { 4 case FOPEN: 5 ... 6 char * path; 7 param0_buf = params[0]->memref.buffer; 8 param0_sz = params[0]->memref.size; 9 10 // if(strlen(param0_buf) != param0_sz) • Missing length check 11 // return -1 12 • Passing attacker provided buffer length 13 path = malloc(strlen(param0_buf)); 14 to MemMove operation 15 ... 16 17 MemMove(path, param0_buf, param0_sz); ... 18 break ; 19 case FREAD: 20 ... 21 ... 22 23 } 24 return ; 25 } 12/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  13. BAR’20 Future Work and Limitations • Support more Trusted Core (TC) TAs 1 1 • Larger analysis covering different 3 2 2 versions and more TC TAs 4 5 6 6 • Investigate compatibility with other 8 9 8 9 7 7 TEEs 13/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  14. BAR’20 THE END Questions? 14/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  15. BAR’20 References Lee Harrison, Hayawardh Vijayakumar, Rohan Padhye, Koushik Sen, and Michael Grace. Partemu: Enabling dynamic analysis of real-world trustzone software using emulation. In Proceedings of the 29th USENIX Security Symposium (USENIX Security 2020) (To Appear) , August 2020. NIST. Cve-2016-8764. https://nvd.nist.gov/vuln/detail/CVE-2016-8764 , 2017. Accessed: 2019-08-28. 15 (1) /16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  16. BAR’20 Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Audrey Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis. In IEEE Symposium on Security and Privacy , 2016. Alexander Tarasikov. Qemu teegris usermode. https://github.com/astarasikov/qemu/tree/teegris_usermode , 2019. Accessed: 2019-11-30. 16 (2) /16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua

Finding Vulnerabilities with Fuzzing Chao Zhang Tsinghua University http://netsec.ccert.edu.cn/chaoz/ About Me 2004-2008-2013 2013-2016 2016-present p Hack for fun software and system security Tencent

1.23k views • 98 slides
Integrity and Confidentiality in Web Applications Jeff Johnson 1 Where We're At We have been

Integrity and Confidentiality in Web Applications Jeff Johnson 1 Where We're At We have been

Integrity and Confidentiality in Web Applications Jeff Johnson 1 Where We're At We have been mostly focusing on Fixing vulnerabilities inherent to languages Finding/protecting against programmer follies Today we will look at

682 views • 42 slides
The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov https://s2e.systems Ready-for-use docker image, demos, tutorials, source code, documentation Vitaly Chipounov Ph.D. in 2014 at EPFL, Switzerland

827 views • 57 slides
RustZone: Writing Trusted Applications in Rust Eric Evenchick Black Hat Asia 2018 About Me

RustZone: Writing Trusted Applications in Rust Eric Evenchick Black Hat Asia 2018 About Me

RustZone: Writing Trusted Applications in Rust Eric Evenchick Black Hat Asia 2018 About Me Principal Research Consultant @ Atredis Partners Founder, Developer of Open Source Hardware Things @ Linklayer Labs Outline Trusted

847 views • 30 slides
Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West Fortify Software 2.21.08 Overview Motivation Dynamic taint propagation Sources of inaccuracy Integrating with QA Related work

740 views • 70 slides
WRITE A WICKED QUERY Finding Trusted Resources for Legal and Policy Research (Or, Better Spells

WRITE A WICKED QUERY Finding Trusted Resources for Legal and Policy Research (Or, Better Spells

WRITE A WICKED QUERY Finding Trusted Resources for Legal and Policy Research (Or, Better Spells For Better Magic!) QUERIES ARE MATHEMATICAL EQUATIONS I am a good witch All Good Witches Like MATH ADDITION Addition + Combines two or

423 views • 27 slides
Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe

Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe

Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe 2010 Stephen Michell, Maurya Software, Ottawa, Canada Security There are people out there trying to attack every computer that we own. Most

503 views • 48 slides
Practical Applications of Client-Side Trusted Computing David Goltzsche, 2018-04-23 3rd year PhD

Practical Applications of Client-Side Trusted Computing David Goltzsche, 2018-04-23 3rd year PhD

Practical Applications of Client-Side Trusted Computing David Goltzsche, 2018-04-23 3rd year PhD student at distributed systems group, TU Braunschweig, Germany Research area: trusted execution, distributed systems Advisor: Rdiger Kapitza

939 views • 12 slides
Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security 14, 20-22 August 2014, San Diego, CA, USA 1. Introduction 2. Implementation 3. Evaluation 4.

579 views • 40 slides
Data Mining a Mountain of Chris Wysopal CTO & Co-founder Zero Day Vulnerabilities The Data

Data Mining a Mountain of Chris Wysopal CTO & Co-founder Zero Day Vulnerabilities The Data

Data Mining a Mountain of Chris Wysopal CTO & Co-founder Zero Day Vulnerabilities The Data Set Applications from over 300 commercial and US government customers Scanned 9,910 applications over past 18 months Ranged in size

723 views • 34 slides
TrustED'16 (Workshop of ACM CCS 2016) Security of CCTV & Video Surveillance Systems:

TrustED'16 (Workshop of ACM CCS 2016) Security of CCTV & Video Surveillance Systems:

TrustED'16 (Workshop of ACM CCS 2016) Security of CCTV & Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations Andrei Costin andrei@firmware.re Agenda Problems and Motivation Prior Work Threats,

810 views • 41 slides
Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work

Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work

Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work with: Hao Lu, Michael D. Ernst GUIs are everywhere in modern software 2 Multithreading in GUI applications UI thread A GUI Application UI event

680 views • 36 slides
Sego: Pervasive Trusted Metadata for Efficiently Verified Untrusted System Services Youngjin Kwon

Sego: Pervasive Trusted Metadata for Efficiently Verified Untrusted System Services Youngjin Kwon

Sego: Pervasive Trusted Metadata for Efficiently Verified Untrusted System Services Youngjin Kwon , Alan Dunn, Michael Lee, Owen Hofmann, Yuanzhong Xu, Emmett Witchel 1 Securing OS is difficult OS vulnerabilities in 2014 from national

1.06k views • 78 slides
Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security Consultant www.nethemba.com www.nethemba.com Introduction $whoami Pavol Luptk 10+ years of practical experience in security and seeking

594 views • 15 slides
We have seen two applications: signal smoothing root finding Today we look

We have seen two applications: signal smoothing root finding Today we look

Lesson 10 D IFFERENTIATION AND I NTEGRATION We have seen two applications: signal smoothing root finding Today we look differentation integration These will form the basis for solving ODEs D IFFERENTIATION OF F OURIER

573 views • 38 slides
Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related

Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related

Updates from the RISC-V TEE Group Nick Kossifidis <mick@ics.forth.gr> Security-related RISC-V Task Groups 2 About the TEE Task Group One of the most popular groups (112 registered members) Regular conference calls / mailing list

675 views • 13 slides
OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File

OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File

OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File System ELC Europe 2017, 23.10.2017 Marc Kleine-Budde <mkl@pengutronix.de> Slide 1 - http://www.pengutronix.de - 2017-10-23 Overview ARM

1.06k views • 18 slides
Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric Gustafson, Chad Spensky, Chris Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna Sandia

1.1k views • 51 slides
Enarx Protection for data in use Mike Bursell Office of the CTO https://enarx.io Nathaniel

Enarx Protection for data in use Mike Bursell Office of the CTO https://enarx.io Nathaniel

Enarx Protection for data in use Mike Bursell Office of the CTO https://enarx.io Nathaniel McCallum Sr. Principal Engineer Trusted Execution Environments Trusted Execution Environments Host TEE TEE is a protected area within the host,

1.05k views • 22 slides
Unearthing the TrustedCore A Critical Review on Huaweis Trusted Execution Environment August

Unearthing the TrustedCore A Critical Review on Huaweis Trusted Execution Environment August

Unearthing the TrustedCore A Critical Review on Huaweis Trusted Execution Environment August 11, 2020 Marcel Busch , Johannes Westphal, Tilo Mller Friedrich-Alexander-University Erlangen-Nrnberg, Germany Motivation TEEs are the backbone

696 views • 35 slides
https://ggle.io/3K3w McIntyre Tee Shirts For Is your childs McIntyre t-shirt too small,

https://ggle.io/3K3w McIntyre Tee Shirts For Is your childs McIntyre t-shirt too small,

https://ggle.io/3K3w McIntyre Tee Shirts For Is your childs McIntyre t-shirt too small, description: https://ggle.io/3DVI ripped, torn or missing? Would you like to show your McIntyre school spirit at school events or when volunteering?

527 views • 19 slides
Easy Generation and Efficient Validation of Proofs for SAT and QBF Marijn J.H. Heule 1/37

Easy Generation and Efficient Validation of Proofs for SAT and QBF Marijn J.H. Heule 1/37

Easy Generation and Efficient Validation of Proofs for SAT and QBF Marijn J.H. Heule 1/37 Introduction to SAT and QBF Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT Inprocessing Clausal Proofs for QBF Preprocessing

919 views • 48 slides
Necessity of 45-day Transesophageal Echocardiography after WATCHMAN Procedure amid the COVID-19

Necessity of 45-day Transesophageal Echocardiography after WATCHMAN Procedure amid the COVID-19

Necessity of 45-day Transesophageal Echocardiography after WATCHMAN Procedure amid the COVID-19 Pandemic Bryan E-Xin Tan, M.D. PGY-3 Internal Medicine Rochester General Hospital No Conflict of Interest Necessity of 45-day Transesophageal RESULTS

250 views • 8 slides

More recommend