Facebook-f Twitter Youtube Linkedin
Cart

TEEPwn: Breaking TEEs by Experience [ATTEND ONLINE SIN2022]

$4,299.00

REGISTER

Duration

4 days

Delivery Method

in-person

Level

intermediate

Seats Available

20

Duration

4 days

Delivery Method

in-person

Level

intermediate

 

This 4-day TEEPwn course is one of two Raelize’s Pwn training courses. The other is BOOTPwn which is being held in Amsterdam this May. To find out more about this August’s 2-day TEEPwn course, click here.

 ATTEND IN-PERSON: Onsite in Singapore   

ATTEND ONLINE: Virtual via Zoom and Discord

     

DATE: 22-25 August 2022

TIME: 09:00 to 17:00 SGT/GMT +8

Date Day Time Duration
22 Aug Monday 0900-13:00 SGT/GMT +8 8 Hours – Presentations & Hands-on exercises
23 Aug Tuesday 0900-13:00 SGT/GMT +8 8 Hours – Presentations & Hands-on exercises
24 Aug Wednesday 0900-13:00 SGT/GMT +8 8 Hours – Presentations & Hands-on exercises
25 Aug Thursday 0900-13:00 SGT/GMT +8 8 Hours – Hands-on Exercises

Please note:

The 4th day is an optional day, which may be used by the attendees to complete the left-over exercises. During this day, only online support is available via Discord. No in-person presence is available from the trainers nor required by the attendees.

 

It’s notoriously hard to secure a Trusted Execution Environment (TEE) due to the interaction between complex hardware and a large trusted code base (TCB). The security provided by TEEs has been broken on a wide variety of devices, including mobile phones, smart TVs and even vehicles. Publicly disclosed TEE vulnerabilities were often exploited directly from the less-trusted Rich Execution Environment (REE). Many of these vulnerabilities were speandcific for TEEs and required novel exploitation techniques.

The TEEPwn experience provides an offensive system-level perspective and dives into the darker corners of TEE Security. It is designed with a system-level approach, where you will experience powerful exploitation of TEE vulnerabilities. The TEEPwn experience is hands-on, gamified and driven by an exciting jeopardy-style Capture the Flag (CTF).

Your journey starts by achieving a comprehensive understanding of TEEs, where you will learn how hardware and software concur to enforce effective security boundaries. You will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. You will then be challenged along the path to exploit them in multiple scenarios. All vulnerabilities are identified and exploited on our emulated attack platform which implements an ARMv8 (64-bit) TEE based on ARM TrustZone.

You will take on different roles, as an attacker in control of:

  • the REE, attempting to achieve privileged code execution in the TEE.
  • the REE, trying to access assess protected by a Trusted Application (TA).
  • a TA, aiming to escalate privileges to TEE OS.
  • a TA, accessing the protected assets of other TAs.

TEEPwn will guide you into an unexpected range of attack vectors and TEE-specific exploitation techniques, which may be leveraged for novel and creative software exploits. refining your skills to a new level.

 

 

Deliverables

During the training we will provide you with the following:

  • cloud-based virtual machine with all the required tooling installed
  • access to the exercise modules and instructions
  • walk through videos for the hands-on exercises

We will also provide you the following in order to continue with the exercises after the training:

  • offline virtual machine with all tooling preinstalled
  • ability to copy the exercise modules and instructions
  • ability to run the exercise modules forever

 

Format

This TEEPwn experience will be given in a hybrid format where attendees are able to join in-person and online at the same time. Attendees need to select the desired format before the start of the training.

  • Option1: The in-person format requires attendees to join us on-site in Singapore for 3 days full of lectures and practical exercises. The lectures and support are provided in-person using a classroom setting.
  • Option 2: The online format requires attendees to join us online for 3 days full of lectures and practical exercises. The lectures from the in-person classroom are virtually streamed using Zoom. Support is provided virtually via Discord.

Both formats include an optional 4th day which may be used by the attendees to complete the left-over exercises. During this day, for both formats, only online support is available via Discord. No in-person presence is available from the trainers nor required by the attendees.

 

Topics Covered

  • TEE Fundamentals
    • TEE overview
    • Security model
  • ARM TrustZone-based TEEs
    • TEE SW components
    • TEE attacker model
    • TEE attack surface
  • REE –> TEE attacks
    • Secure Monitor
    • TEE OS (SMC interface)
    • Exploitation:
      • Vulnerable SMC handlers
      • Broken design
      • Unchecked Pointers
      • Restricted writes
      • Range checks
  • REE –> TA attacks
    • Communicating with TAs
    • Global Platform APIs
    • Exploitation:
      • Type confusion
      • TOCTOU (Double fetch)
  • TA –> TEE attacks
    • TEE OS (Syscall interface)
    • Drivers
    • Exploitation:
      • Unchecked pointers from TA
      • Vulnerable crypto primitives
  • TA –> TA attacks
    • State confusion

 

 

This 4-day TEEPwn course is one of two Raelize’s Pwn training courses. The other is BOOTPwn which is being held in Amsterdam this May. To find out more about this August’s 2-day TEEPwn course, click here.

 

Agenda

  • TEE Fundamentals

    - TEE overview - Security model

  • ARM TrustZone-based TEEs

    - TEE SW components - TEE attacker model - TEE attack surface

  • REE --> TEE attacks

    - Secure Monitor - TEE OS (SMC interface) - Exploitation: - Vulnerable SMC handlers - Broken design - Unchecked Pointers - Restricted writes - Range checks

  • REE --> TA attacks

    - Communicating with TAs - Global Platform APIs - Exploitation: - Type confusion - TOCTOU (Double fetch)

  • TA --> TEE attacks

    - TEE OS (Syscall interface) - Drivers - Exploitation: - Unchecked pointers from TA - Vulnerable crypto primitives

  • TA --> TA attacks

    - State confusion

Why You Should Take This Course

The TEEPwn experience provides an offensive system-level perspective and dives into the darker corners of TEE Security. It is designed with a system-level approach, where you will experience powerful exploitation of TEE vulnerabilities. The TEEPwn experience is hands-on, gamified and driven by an exciting jeopardy-style Capture the Flag (CTF).

Who Should Attend

  • Security Analysts and Researchers, interested in new techniques.
  • Software Security Developers/Architects interested in TEE software attack techniques.

Key Learning Objectives

  • Explore TEE security at the system level

  • Gain strong understanding of TrustZone-based TEEs

  • Identify vulnerabilities across the entire TEE attack surface

  • Experience TEE-specific exploitation techniques

    • Prerequisite Knowledge

    • Experience with C/C++ programming
    • Experience with the ARM architecture (AArch64)
    • Understanding of typical software vulnerabilities
    • Familiarity with reverse engineering and typical exploitation techniques
    • Familiarity with modern OS security concepts

    Hardware / Software Requirements

    1. Stable Internet connection with sufficient bandwidth

    2. Any modern computer system or laptop:

    • With sufficient memory (~8 GB)
    • With sufficient disk space (~50 GB)
    • Installed with a recent version of VMware (or similar)

    Your Instructor

    No data was found

    HACK IN THE BOX LIMITED

    Masdar City, United Arab Emirates