Unearthing the TrustedCore - A Critical Review on Huawei’s Trusted Execution Environment

Explore a critical review of Huawei's Trusted Execution Environment (TEE) implementation, TrustedCore, in this award-winning conference talk. Delve into the reverse-engineering process of TC's components, their interconnections, and integration with the Android system. Uncover multiple severe design and implementation flaws affecting popular Huawei devices. Examine the Trusted Application (TA) loader, revealing vulnerabilities that compromise code confidentiality. Investigate the design of Huawei's keystore system and its impact on hardware-backed cryptography and full-disk encryption. Learn about an exploitable memory corruption within the keymaster TA, enabling arbitrary code execution within ARM TrustZone. Discover how researchers bypassed mitigation techniques like stack canaries and Address Space Layout Randomization (ASLR). Gain insights into the responsible disclosure process and the implications of these findings for mobile device security.

Intro
Motivation
Outline
Trusted Execution Environments (TEES)
ARM Trustzone on ARMVB-A Systems
TEEs in the Field (on Android)
Overview
TrustedCore - Normal World
TrustedCore-Secure World
Loading Encrypted Trusted Applications (cont.)
Protection of Crypto Keys
Scope & Consequences
Export-Protected Crypto Keys
The Key Encryption Key (KEK)
Memory Corruption in keymaster TA
Exploit Mitigations
Lessons Learned - Hardware-Protected Crypto Keys
Lessons Learned - Attack Surface