4-Day Training | 21-24 Nov

TEEPwn: Breaking TEEs by Experience [HITB+ CYBERWEEK 2021]

Duration 4 days
Seats Available 15
Difficulty intermediate

$4,299.00


Overview

ATTEND IN-PERSON: Onsite in Abu Dhabi

ATTEND ONLINE: Virtual via Zoom and Discord

DATE: 21-24 November 2021

TIME: 09:00 to 17:00 GST/GMT+4

FORMAT: Hybrid (Onsite or Virtual options)

Date | Day | Time | Duration
21 Nov | Sunday | 09:00-13:00 GST/GMT+4 | 8 Hours – Presentations & Hands-on exercises
22 Nov | Monday | 09:00-13:00 GST/GMT+4 | 8 Hours – Presentations & Hands-on exercises
23 Nov | Tuesday | 09:00-13:00 GST/GMT+4 | 8 Hours – Presentations & Hands-on exercises
24 Nov | Wednesday | 09:00-13:00 GST/GMT+4 | 8 Hours – Hands-on Exercises

Please note:

The 4th day is an optional day, which may be used by the attendees to complete the left-over exercises. During this day, only online support is available via Discord. No in-person presence is available from the trainers nor required by the attendees.

 


 

Description

A Trusted Execution Environment (TEE) is notoriously hard to secure due to the interaction between complex hardware and a large Trusted Code Base (TCB). The security provided by different TEE implementations has been broken on a wide variety of devices, including mobile phones, smart TVs and even modern vehicles.

The TEEPwn experience takes an offensive perspective and dives into the darker corners of TEE security. It’s designed with a system-level approach, where you will experience exploitation of powerful vulnerabilities specific to TEE technology. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.

Your journey starts with achieving a comprehensive understanding of TEE technology. You will learn how hardware and software cooperate to enforce effective security boundaries. You will then use this understanding to identify interesting vulnerabilities across the entire TEE attack surface. You will be challenged to exploit these vulnerabilities in multiple realistic scenarios. All practical exercises are performed on our emulated attack platform, which uses ARM TrustZone to provide multiple TEE implementations.

You will take on different roles, as an attacker in control of:

  • the REE, achieving privileged code execution inside the TEE
  • the REE, accessing assets protected by a Trusted Application (TA)
  • a TA, escalating privileges to the TEE OS
  • a TA, accessing the protected assets of another TA

You will be guided towards an unexpected range of TEE-specific attack vectors and vulnerabilities, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.

Do not worry if your reverse engineering or exploitation skills are rusty or non-existent. You do not need to be a software security expert, nor do we aim to make you one. Nevertheless, many exercises can be completed in a complex way, which keeps the exercises interesting to experienced attendees as well.

 

Deliverables

During the training we will provide you with the following:

  • cloud-based virtual machine with all the required tooling installed
  • access to the exercise modules and instructions
  • walkthrough videos for the hands-on exercises

We will also provide you with the following so that you can continue with the exercises after the training:

  • offline virtual machine with all tooling preinstalled
  • ability to copy the exercise modules and instructions
  • ability to run the exercise modules forever

 

Format

This TEEPwn experience will be given in a hybrid format where attendees are able to join in-person and online at the same time. Attendees need to select the desired format before the start of the training.

  • Option 1: The in-person format requires attendees to join us on-site in Abu Dhabi for 3 days full of lectures and practical exercises. The lectures and support are provided in-person using a classroom setting.
  • Option 2: The online format requires attendees to join us online for 3 days full of lectures and practical exercises. The lectures from the in-person classroom are virtually streamed using Zoom. Support is provided virtually via Discord.

Both formats include an optional 4th day which may be used by the attendees to complete the left-over exercises. During this day, for both formats, only online support is available via Discord. No in-person presence is available from the trainers nor required by the attendees.

Why should you take this course?

The TEEPwn experience consists of 4 exciting days during which we will give several lectures covering fundamental topics. Nonetheless, the emphasis will be on the exciting hands-on exercises, for which you will get a personal cloud-based Virtual Machine (VM) that can be accessed using a modern browser.

The lectures are given through Zoom and a Discord server is available for support.

Key Learning Objectives

  • Gain a system-level understanding of TEE security
  • Identify vulnerabilities across the entire TEE attack surface
  • Gain hands-on experience with TEE-specific exploitation techniques
  • Gain a strong understanding of ARM TrustZone-based TEEs

Who Should Attend

  • Security Analysts, Researchers and Practitioners interested in TEE security
  • Software Security Developers and Architects interested in an offensive TEE perspective

Prerequisite Knowledge

  • Experience with C programming and ARM64 assembly
  • Understanding of typical software vulnerabilities
  • Familiarity with reverse engineering and typical exploitation techniques
  • Familiarity with modern OS security concepts

Hardware / Software Requirements

1. Stable Internet connection with sufficient bandwidth

2. Any modern computer system or laptop:

  • With sufficient memory (~8 GB)
  • With sufficient disk space (~50 GB)
  • Installed with a recent version of VMware (or similar)

 

Agenda


TEE Fundamentals

– TEE overview
– Security model

ARM TrustZone-based TEEs

– TEE SW components
– TEE attacker model
– TEE attack surface

REE --> TEE attacks

– Secure Monitor
– TEE OS (SMC interface)
– Exploitation:
    – Vulnerable SMC handlers
    – Broken design
    – Unchecked pointers
    – Restricted writes
    – Range checks

REE --> TA attacks

– Communicating with TAs
– Global Platform APIs
– Exploitation:
    – Type confusion
    – TOCTOU (Double fetch)

TA --> TEE attacks

– TEE OS (Syscall interface)
– Drivers
– Exploitation:
    – Unchecked pointers from TA
    – Vulnerable crypto primitives

TA --> TA attacks

– State confusion
