Trusted Execution Environments (TEEs) are notoriously hard to secure due to the interaction between complex hardware and a large trusted code bases (TCBs). The security provided by TEEs has been broken on a wide variety of devices, including mobile phones, smart TVs and even vehicles. Publicly disclosed TEE vulnerabilities were often exploited directly from the less-trusted Rich Execution Environment (REE). Many of these vulnerabilities were specific for TEEs and required novel exploitation techniques.
The TEEPwn experience provides an offensive system-level perspective and dives into the darker corners of TEE Security. It is designed with a system-level approach, where you will experience powerful exploitation of TEE vulnerabilities. The TEEPwn experience is hands-on, gamified and driven by an exciting jeopardy-style Capture the Flag (CTF).
Your journey starts by achieving a comprehensive understanding of TEEs, where you will learn how hardware and software concur to enforce effective security boundaries. You will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. You will then be challenged along the path to exploit them in multiple scenarios.
All vulnerabilities are identified and exploited on our emulated attack platform, implementing a 64- bit TEEs based on ARM TrustZone.
You will take on different roles, as an attacker in control of:
TEEPwn will guide you into an unexpected range of attack vectors and TEE-specific exploitation techniques, which may be leveraged for novel and creative software exploits, refining your skills to a new level.
During the training you will get access to:
To continue practicing after the training is completed:
Cristofaro Mune @pulsoid has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs. He is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices. He has contributed to development of TEE security evaluation methodologies and has been member of TEE security industry groups. His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
Niek Timmers @tieknimmers is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io. and NULLCON.