RustZone: Writing Trusted Applications in Rust - Eric Evenchick



SLIDE 1

RustZone: Writing Trusted Applications in Rust

Eric Evenchick Black Hat Asia 2018

SLIDE 2

About Me

  • Principal Research Consultant @ Atredis Partners
  • Founder, Developer of Open Source Hardware Things @ Linklayer Labs

SLIDE 3

Outline

  • Trusted Execution Environments
  • TrustZone
  • TEE Problems
  • Rust
  • Rust + TrustZone
  • Demo
  • Questions

SLIDE 4

Trusted Execution Environments

SLIDE 5

What?

  • An isolated environment within a processor for performing secure operations
  • Segmentation of code, data, and hardware access
  • Combination of hardware features and software

SLIDE 6

Today’s TEEs

  • Hardware:
    • AMD: Platform Security Processor
    • Intel: Trusted Execution Technology, Software Guard Extensions (SGX)
    • ARM: TrustZone
  • Software:
    • Trustonic Kinibi
    • Qualcomm QSEE
    • OP-TEE

SLIDE 7

Use Cases

  • Authentication
    • Android GateKeeper
  • Financial Applications
  • Secure Boot
  • DRM
    • WideVine
  • An additional layer of protection from the host OS
  • Protect the system from the user :(

SLIDE 8

TrustZone

SLIDE 9

The TrustZone TEE

  • The ARM TEE
  • Normal and Secure Worlds
    • Normal World: Rich OS and applications (Linux, Android, QNX, etc…)
    • Secure World: Limited operating system and Trusted Applications
  • Processor can switch between two worlds
  • Configure processor to restrict access to resources

SLIDE 10

TrustZone in Practice

http://genode.org/documentation/articles/trustzone

SLIDE 11

TEE Problems

SLIDE 12

TEE OS Protections

  • ASLR is Rare
  • No Stack Canaries or Guard Pages
  • Secure World has fewer protections than Normal World?
  • No High Level Language Support, we must write C!

SLIDE 13

Writing (good) C is Hard

  • Common Memory Problems
    • Buffer overflows
    • Use after free
  • Type Issues
    • Void means nothing, and everything!
  • Limited Help from Compiler
  • Programmers can do Silly Things
    • memcpy, strcpy, sprintf, etc…

SLIDE 14

Example: WideVine Trusted Application

  • DRM Implementation for Android
  • Undocumented Command with Buffer Overflow
  • End Result: Arbitrary Code Execution in Secure World
  • More info: http://bits-please.blogspot.ca/2016/05/qsee-privilege-escalation-vulnerability.html

SLIDE 15

Example: Samsung OTP Buffer Overflow

  • Service in Normal World to generate a One-Time Password (OTP)
  • Any user can access this service!
  • Trusted Application parses request leading to stack buffer overflow

SLIDE 16

Rust

SLIDE 17

What’s Rust?

  • New systems programming language
  • In development since 2010, sponsored by Mozilla
  • Works for embedded:
    • Works without libc
    • Compiles to bytecode
    • No garbage collection or runtime
    • Raw memory access

SLIDE 18

Why Rust?

  • Compile time memory safety checks
    • Memory ownership and borrow checking
  • Find bugs at compile time, not runtime
    • e.g., match
  • Good tools, getting better
  • Great C Foreign Function Interface!

SLIDE 19

Rust / C FFI

  • Call C from Rust and Call Rust from C
  • Need unsafe blocks for:
    1. Dereferencing a raw pointer
    2. Calling an unsafe function or method
    3. Accessing or modifying a mutable static variable
    4. Implementing an unsafe trait
  • Goal: limit unsafe code

SLIDE 20

Learning Rust

  • The Rust Book: https://doc.rust-lang.org/book/
  • Paper version soon: https://nostarch.com/Rust
  • Rust by Example: https://rustbyexample.com/
  • Julia Evans’ Blog: https://jvns.ca/categories/rust/

SLIDE 21

Rust + TrustZone

SLIDE 22

Step 1: Get an OS

  • Need an OS to run in the Secure World
  • OP-TEE
    • Free and Open Source
    • Implementations for many platforms, including QEMU
    • Well Documented
    • https://www.op-tee.org/

SLIDE 23

Step 2: Generate Rust Bindings

  • We need Rust bindings for OP-TEE’s API
  • bindgen to the rescue!

C prototype from the OP-TEE headers:

    void TEE_MACInit(
        TEE_OperationHandle operation,
        const void *IV,
        uint32_t IVLen);

bindgen generates the matching Rust declaration:

    extern "C" {
        pub fn TEE_MACInit(operation: TEE_OperationHandle,
                           IV: *const c_types::c_void,
                           IVLen: u32);
    }

SLIDE 24

Step 3: Write a Rust Library

  • Yes, a library.
  • Need to implement 5 functions:
    • TA_CreateEntryPoint
    • TA_DestroyEntryPoint
    • TA_OpenSessionEntryPoint
    • TA_CloseSessionEntryPoint
    • TA_InvokeCommandEntryPoint

SLIDE 25

Step 3: Write a Rust Library

    pub fn InvokeCommandEntryPoint(_sessionContext: *mut c_types::c_void,
                                   commandID: u32,
                                   _paramTypes: u32,
                                   params: &mut [optee::TEE_Param; 4]) -> optee::TEE_Result {
        ta_print!("Rust TA InvokeCommandEntryPoint");
        match commandID {
            0 => {
                unsafe { params[0].value.as_mut().a += 1 };
                ta_print!("Incremented Value");
            },
            1 => {
                unsafe { params[0].value.as_mut().a -= 1 };
                ta_print!("Decremented Value");
            },
            _ => { return optee::TEE_ERROR_BAD_PARAMETERS; }
        }
        return optee::TEE_SUCCESS;
    }
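Putting the FFI rule from slide 19 (limit unsafe code) together with the entry point above: an added example, not code from the talk's rustzone repository, of the same increment/decrement command handler where the raw-pointer dereference and the TEE_Param union read are the only two unsafe expressions, and where the parameter types are checked before the union is read as a value (the slide's version ignores `_paramTypes`, so a client passing a memref in slot 0 would be read as a value). The TEE types and constants are assumed, written by hand after the GlobalPlatform TEE Internal Core API that OP-TEE implements rather than taken from bindgen output.

```rust
use std::ffi::c_void;

// Assumed types and constants, modelled on the GlobalPlatform TEE Internal
// Core API that OP-TEE implements (hand-written here, not bindgen output).
pub type TEE_Result = u32;
pub const TEE_SUCCESS: TEE_Result = 0x0000_0000;
pub const TEE_ERROR_BAD_PARAMETERS: TEE_Result = 0xFFFF_0006;
pub const TEE_PARAM_TYPE_NONE: u32 = 0;
pub const TEE_PARAM_TYPE_VALUE_INOUT: u32 = 3;

#[repr(C)] #[derive(Clone, Copy)]
pub struct TEE_Value { pub a: u32, pub b: u32 }
#[repr(C)] #[derive(Clone, Copy)]
pub struct TEE_Memref { pub buffer: *mut c_void, pub size: usize }
#[repr(C)] #[derive(Clone, Copy)]
pub union TEE_Param { pub value: TEE_Value, pub memref: TEE_Memref }

pub const CMD_INC: u32 = 0;
pub const CMD_DEC: u32 = 1;

/// Type of parameter slot `i` (4 bits per slot), as TEE_PARAM_TYPE_GET does in C.
pub fn param_type(param_types: u32, i: u32) -> u32 {
    (param_types >> (i * 4)) & 0xF
}

/// Safe core of the handler. The Normal World client chooses the union variant
/// through param_types, so that is checked before the union is read as a value.
pub fn invoke_command(cmd_id: u32, param_types: u32, params: &mut [TEE_Param; 4]) -> TEE_Result {
    if param_type(param_types, 0) != TEE_PARAM_TYPE_VALUE_INOUT
        || (1..4).any(|i| param_type(param_types, i) != TEE_PARAM_TYPE_NONE) {
        return TEE_ERROR_BAD_PARAMETERS;
    }
    let mut v = unsafe { params[0].value }; // sound: slot 0 is a value param
    match cmd_id {
        CMD_INC => v.a = v.a.wrapping_add(1), // wrapping: no overflow panic inside the TA
        CMD_DEC => v.a = v.a.wrapping_sub(1),
        _ => return TEE_ERROR_BAD_PARAMETERS,
    }
    params[0] = TEE_Param { value: v }; // writing a union field needs no unsafe
    TEE_SUCCESS
}

/// C-ABI entry point OP-TEE would call (the real TA also marks it #[no_mangle]
/// so the linker script finds the symbol). The only other unsafe step lives here.
pub extern "C" fn TA_InvokeCommandEntryPoint(_session: *mut c_void, cmd_id: u32,
                                             param_types: u32, params: *mut [TEE_Param; 4]) -> TEE_Result {
    if params.is_null() { return TEE_ERROR_BAD_PARAMETERS; }
    invoke_command(cmd_id, param_types, unsafe { &mut *params })
}
```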

SLIDE 26

Step 4: Compile, Link, Sign

Build flow (slide diagram):

    Compiled Rust Library + Compiled TA Header + libutee, libmpa, libutil
        -> Linker (using the OP-TEE Linker Script)
        -> TA ELF
        -> sign.py
        -> Signed TA

SLIDE 27

Demo

SLIDE 28

Conclusions

SLIDE 29

Conclusions

  • TEEs are useful, but have the usual issues
  • Rust is a potential replacement for C with some added benefits
  • Should you write your Trusted Applications in Rust?

SLIDE 30

Thanks! Questions?

eric@evenchick.com
@ericevenchick
https://github.com/ericevenchick/rustzone