#HITB2021AMS скачать в хорошем качестве

#HITB2021AMS

Modern devices are nowadays often equipped with a Trusted Execution Environment (TEE) to support secure parallel execution of security critical use cases. For example, it’s very likely a TEE is involved whenever you make a payment or watch a DRM-protected stream on your mobile phone. Nonetheless, we were surprised and intrigued at the same time, to find the Qualcomm TEE named QSEE present on several Qualcomm IPQ40xx-based networking devices. We’ve identified multiple exploitable vulnerabilities in QSEE which we exploited to achieve arbitrary code execution. Qualcomm indicated to us that fixes are available and that their customer are notified. This gives us the opportunity to discuss the technical details of these vulnerabilities and our exploits. At Raelize, we like to look further than just software vulnerabilities. We know very very well that the security of a device is determined by more than just its software architecture. Our system-level perspective on security typically steers us towards attacking devices using a-typical methods. We decided to test the resilience of the Qualcomm IPQ40xx SoC towards Electromagnetic Fault Injection (EMFI) attacks. We have been able to fully compromise the TEE without leveraging any software vulnerability. As far as we know, this is one of the very few examples where Fault Injection is used to attack a TEE in order to achieve arbitrary code execution. In this talk, we start by introducing the target after which we dive right into the technical details of both the software and hardware vulnerabilities we’ve identified. Then, we describe how we used these vulnerabilities in order to achieve code execution within QSEE. We finalize the talk by placing the attacks into context and analyzing the impact for a vulnerable device. It’s important to raelize that these vulnerabilities are tightly coupled to the hardware that’s used to produce these devices. Therefore, the amount of vulnerable devices in the field is likely significant. It has to be seen if the vulnerable population decreases any time soon as the software vulnerabilities are present in a component that’s not often updated by the device manufacturers. The hardware vulnerabilities simply cannot be fixed easily. === Cristofaro Mune @pulsoid has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs. He is founder and security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices. His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers. ---- Niek has been in the security field for 10+ years. He has been analyzing and evaluating the security of advanced security products and technologies for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io and NULLCON.