The TEEPwn experience takes an offensive perspective and dives into the darker corners of TEE security. It’s designed with a system-level approach, where students will experience exploitation of powerful vulnerabilities specific for devices equipped with a TEE. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.

Students will be taken on a journey that starts with achieving a comprehensive understanding of TEE security. They will learn how hardware and software cooperate in order to enforce effective security boundaries. They will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. Students will be challenged to exploit these vulnerabilities using multiple realistic forensic scenarios.

All practical exercises are performed on our custom emulated attack platform which is based on ARM TrustZone and includes multiple TEE implementations.

Students will take on different roles, as a digital forensic expert in control of:

• the REE, achieving privileged code execution in the TEE
• the REE, accessing assets protected by a Trusted Application (TA)
• a TA, escalating privileges to the TEE OS
• a TA, accessing the protected assets of another TA

Students will be guided towards an unexpected range of TEE-specific attack vectors and vulnerabilities, which can be leveraged for novel and creative exploits, allowing students to refine their skills to a new level.

Format
The TEEPwn experience takes students on a journey of 4 days of 8 hours where they will attend lectures (30%) and perform exciting hands-on exercises (70%).

Students will get access to a Virtual Machine (VM) which contains all the required tooling. It’s expected that not all of the exercises are finalized within the training hours. Therefore, students will have access to this VM forever so they can continue with the exercises after the training has ended.

Level
The training level of the TEEPwn experience is “Intermediate”.

Agenda

Fundamentals
Overview of TEE
Security model
ARM TrustZone
TEE software
TEE attacker model
TEE attack surface
REE-to-TEE attacks
Secure Monitor (S-EL3)
TEE OS (S-EL1)
Identify and exploit vulnerabilities related to:
Vulnerable SMC handlers
Broken design
Unchecked pointers
Restricted writes
Range checks
REE-to-TA attacks
Communicating with a TA
Global Platform API
Identify and exploit vulnerabilities related to:
Type confusion
ToCToU / Double fetch
TA-to-TEE attacks
TEE OS (syscall interface)
Drivers
Identify and exploit vulnerabilities related to:
Unchecked pointers
Vulnerable hardware primitives
TA-to-TA attacks
State confusion

Objectives
The primary objectives are:

• gain a system-level understanding of TEE security
• identify vulnerabilities across the entire TEE attack surface
• gain hands-on experience with TEE-specific exploitation techniques
• gain a solid understanding of ARM TrustZone-based TEEs

Prerequisites
The students are expected to:

• have experience with C programming
• have experience with the ARM architecture and assembly (AArch64)
• have a solid understanding of modern operating systems
• have an understanding of typical software vulnerabilities
• be familiar with reverse engineering (AArch64)
• be familiar with typical exploitation techniques
  

There’s no need to meet all of the above expectations. Less-experienced students can rely on our guidance, hints and solutions, whereas more experienced students will not.

Requirements
The students are expected to have a laptop:

• with sufficient storage (>50 GB) and memory (~16 GB)
• installed a modern browser (i.e., Google Chrome)
• installed with virtual machine software (i.e., VMWare)

Deliverables
The students will get access to:

• a personal virtual machine (VM) with all the required tooling installed
• access to the exercise modules and instructions

To continue after the training has ended, students will also get access to:

• ability to run the exercise modules forever
• ability to copy the exercise modules and instructions

Dates and duration
Dates
21-24 May 2024

Duration
Four consecutive days, 9.00-17.00 h

Participants
5-18 participants

Costs
4-days TEEPwn training: € 4250,- per participant. This includes lunches and coffee/tea refreshments
Dutch Police: please fill out the registration form, ask for a quotation in the field Remarks. Selection may take place by a police coordinator.
N.B.: No VAT will be added.

Hotel and travel costs are not included.

Location
Netherlands Forensic Institute in The Hague, The Netherlands

Note
The course is taught in English.