On the Nose - Bypassing Huawei's Fingerprint Authentication by Exploiting the TrustZone
Offered By: YouTube
Course Description
Overview
Explore how Huawei's fingerprint authentication can be bypassed by exploiting TrustZone in this 45-minute conference talk from Derbycon 2018. The talk lays out the modern mobile security architecture and the full exploit chain, starting from Huawei's TrustZone system architecture and the caveat that the chipset, not the phone vendor, determines which TEE is present. The first stage goes from userland to kernel: a bug in a custom unmap implementation is exploited by redirecting a fops (file_operations) table. The second stage goes from kernel into the Secure World: arguments are passed to a trustlet and TEE_Malloc is hijacked to gain execution there. Inside the Trusted Core environment, primitives are found and used to disable fingerprint authentication by locating the trustlet responsible for recognizing fingerprints, following the userland daemon that talks to it, and finding and patching the relevant code.
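The fops-table redirection named in the overview is a generic kernel-exploitation idea: overwrite the pointer to a driver's file_operations table so that the next syscall on that device dispatches into attacker-chosen code. The program below is an added, constructed illustration of that idea in user space; it is not code from the talk and does not reproduce the Huawei bug. The device struct, its field layout, the payload bytes and every function name are assumptions made for the demo, and the bounded copy beside the unbounded one shows the check that closes the overrun.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated file_operations table: a struct of function pointers, the
 * shape the kernel uses to dispatch read/ioctl on a character device.
 * Constructed for this demo; not kernel code. */
typedef struct {
    long (*read)(const char *buf);
    long (*ioctl)(unsigned long cmd);
} fops_t;

/* Stand-in for the effect the attacker wants (in a real chain: running
 * attacker code with kernel privilege). */
static int hijacked = 0;

static long normal_read(const char *buf) { return (long)strlen(buf); }
static long normal_ioctl(unsigned long cmd) { return (long)cmd; }
static long evil_ioctl(unsigned long cmd) { (void)cmd; hijacked = 1; return 0; }

static const fops_t legit_fops = { normal_read, normal_ioctl };
static const fops_t evil_fops  = { normal_read, evil_ioctl };

/* Simulated device object (assumed layout): a fixed-size name field
 * immediately followed by the pointer to its fops table. */
typedef struct {
    char name[16];
    const fops_t *fops;
} device_t;

/* The kernel's path from a syscall to the driver handler. */
static long do_ioctl(device_t *dev, unsigned long cmd) {
    return dev->fops->ioctl(cmd);
}

/* Vulnerable "before": copies caller-supplied bytes into name[] without
 * bounding len, so an oversized write runs into dev->fops.
 * noinline keeps the compiler from reasoning about the overrun. */
__attribute__((noinline))
static void set_name_unchecked(device_t *dev, const void *src, size_t len) {
    memcpy(dev->name, src, len);
}

/* Hardened "after": reject anything larger than the field. */
static int set_name_checked(device_t *dev, const void *src, size_t len) {
    if (len > sizeof(dev->name)) return -1;
    memcpy(dev->name, src, len);
    return 0;
}

/* Build the constructed payload: 16 filler bytes, then a pointer to the
 * attacker's fops table that lands on dev->fops. */
static size_t build_payload(unsigned char *out) {
    const fops_t *p = &evil_fops;
    memset(out, 'A', sizeof(((device_t *)0)->name));
    memcpy(out + sizeof(((device_t *)0)->name), &p, sizeof p);
    return sizeof(((device_t *)0)->name) + sizeof p;
}

/* Drive the overrun through the unchecked copy, then issue an ioctl.
 * Returns 1 if control flow was redirected through the fops table. */
int demo_hijack(void) {
    device_t dev;
    unsigned char payload[sizeof(dev.name) + sizeof(const fops_t *)];
    size_t len = build_payload(payload);

    hijacked = 0;
    memset(dev.name, 0, sizeof dev.name);
    dev.fops = &legit_fops;
    set_name_unchecked(&dev, payload, len);
    do_ioctl(&dev, 0x1234);
    return hijacked;
}

/* Same payload against the bounded copy: the write is refused and the
 * ioctl still reaches the legitimate handler. Returns 1 if hijacked. */
int demo_checked(void) {
    device_t dev;
    unsigned char payload[sizeof(dev.name) + sizeof(const fops_t *)];
    size_t len = build_payload(payload);

    hijacked = 0;
    memset(dev.name, 0, sizeof dev.name);
    dev.fops = &legit_fops;
    if (set_name_checked(&dev, payload, len) != 0)
        printf("checked copy rejected %zu-byte write\n", len);
    do_ioctl(&dev, 0x1234);
    return hijacked;
}

int main(void) {
    printf("unchecked copy: hijacked=%d\n", demo_hijack());
    printf("checked copy:   hijacked=%d\n", demo_checked());
    return 0;
}
```

The point of the pairing is where the fix lives: the ioctl dispatcher is untouched in both runs, and the only difference is whether the copy into the adjacent field is bounded. In a real kernel the overwritten pointer would come from a memory-corruption primitive such as the custom-unmap bug the talk describes, and the redirected handler would run in kernel mode.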
Syllabus
Intro
The Goal
The modern mobile security architecture
The exploit chain
Disclaimer - Chipset determines the TEE
Huawei's Trustzone system architecture
Userland to Kernel
Bug #2- A custom unmap implementation?
Exploitation - Redirecting the fops table
Kernel to Trustlet
Intro to the Secure World - Passing args to a Trustlet
Exploitation - Hijacking TEE_Malloc
Trusted Core Environment
Trusted Core - Finding Primitives
Disable Fingerprint Auth - Find the trustlet responsible for recognizing fingerprints
Follow the userland daemon
Finding and patching