Breaking Samsung's ARM TrustZone

Explore an in-depth presentation on exploiting Samsung's ARM TrustZone implementation, focusing on leveraging new attack surfaces to hijack and exploit trusted components. Delve into the internals and interactions of Samsung-developed components, and examine various vulnerabilities that can be exploited to execute code at EL3, the highest privilege level on ARM-based systems. Learn about embedded security, runtime confirmation, execution environments, and privilege separation in ARM architectures. Discover Samsung's specific implementation, previous research, and the attack surface. Gain insights into tools like Liberator, Emulator, Eiffel, and Unicorn for vulnerability analysis. Understand the attack plan, including exploiting lack of error vulnerabilities, finding and retrieving the master key, bypassing signature checks, and instrumenting TrustZone. Conclude with techniques for debugging TrustZone components.

Introduction
Agenda
Embedded Security
Runtime Confirmation
Execution Environments
NS Bits
Privileges Separation
L1 L2 L3
Different software implementations
What is chosen actually useful
Samsungs implementation
Previous research
Architecture
Lifecycle
Attack Surface
Liberator
Emulator
EiffelUnicorn
Symbolic Execution
Vulnerability Overview
Attack Plan
Lack of Error
Vulnerability
Cisco
Map
Framework
Finding the Master Key
Retrieving the Master Key
Bypassing Signature Checks
Instrumentation of TrustZone
Debugging TrustZone