| Date | Day | Time | Duration |
| --- | --- | --- | --- |
| 22 Aug | Monday | 09:00-13:00 SGT (GMT+8) | 8 Hours – Presentations & Hands-on exercises |
| 23 Aug | Tuesday | 09:00-13:00 SGT (GMT+8) | 8 Hours – Presentations & Hands-on exercises |
| 24 Aug | Wednesday | 09:00-13:00 SGT (GMT+8) | 8 Hours – Presentations & Hands-on exercises |
| 25 Aug | Thursday | 09:00-13:00 SGT (GMT+8) | 8 Hours – Hands-on Exercises |

The 4th day is optional and may be used by attendees to complete any leftover exercises. During this day, only online support is available via Discord. In-person presence is neither offered by the trainers nor required of the attendees.
The TEEPwn experience provides an offensive system-level perspective and dives into the darker corners of TEE Security. It is designed with a system-level approach, where you will experience powerful exploitation of TEE vulnerabilities. The TEEPwn experience is hands-on, gamified and driven by an exciting jeopardy-style Capture the Flag (CTF).
Your journey starts by achieving a comprehensive understanding of TEEs, where you will learn how hardware and software work together to enforce effective security boundaries. You will then use this understanding to identify interesting vulnerabilities across the entire TEE attack surface, and you will be challenged to exploit them in multiple scenarios. All vulnerabilities are identified and exploited on our emulated attack platform, which implements an ARMv8 (64-bit) TEE based on ARM TrustZone.
You will take on different roles, as an attacker in control of:
TEEPwn will guide you into an unexpected range of attack vectors and TEE-specific exploitation techniques, which may be leveraged for novel and creative software exploits, refining your skills to a new level.
Deliverables
During the training we will provide you with the following:
We will also provide you the following in order to continue with the exercises after the training:
Format
This TEEPwn experience will be given in a hybrid format, where attendees can join in person or online at the same time. Attendees need to select the desired format before the start of the training.
Both formats include an optional 4th day, which may be used by attendees to complete any leftover exercises. During this day, for both formats, only online support is available via Discord. In-person presence is neither offered by the trainers nor required of the attendees.
Topics Covered
- TEE overview
- Security model

- TEE SW components
- TEE attacker model
- TEE attack surface

- Secure Monitor
- TEE OS (SMC interface)
- Exploitation:
  - Vulnerable SMC handlers
  - Broken design
  - Unchecked Pointers
  - Restricted writes
  - Range checks

- Communicating with TAs
- Global Platform APIs
- Exploitation:
  - Type confusion
  - TOCTOU (Double fetch)

- TEE OS (Syscall interface)
- Drivers
- Exploitation:
  - Unchecked pointers from TA
  - Vulnerable crypto primitives
- State confusion
1. Stable Internet connection with sufficient bandwidth
2. Any modern computer system or laptop: