horizontal privilege escalation in trusted applications · darius suciu stephen mclaughlin laurent...

National Security Institute Radu Sion Horizontal Privilege Escalation in Trusted Applications Darius Suciu Stephen McLaughlin Laurent Simon


Post on 04-Aug-2021


Page 1: Horizontal Privilege Escalation in Trusted Applications · Darius Suciu Stephen McLaughlin Laurent Simon . July 19, 2020 2 Hooper Stony Brook Network Security and Applied Cryptography

National Security Institute

Radu Sion

Horizontal Privilege Escalation in Trusted Applications

Darius Suciu Stephen McLaughlin Laurent Simon

Page 2

July 19, 2020

Hooper

Stony Brook Network Security and Applied Cryptography Laboratory

National Security Institute

Background: Bugs over time

[Figures: Linux lines of code over time; Linux vulnerabilities over time]

Source: Meng, Dan, et al. "Security-first architecture: deploying physically isolated active security processors for safeguarding the future of computing."

Source: https://commons.wikimedia.org/wiki/File:Lines_of_Code_Linux_Kernel.svg

Page 3

Background: TrustZone

[Diagram: an ARM Cortex Processor hosting two worlds. Normal World: Applications (App) on a Rich Operating System. Secure World: Trusted Applications (TA) on a Secure OS. Also shown: Monitor.]

Page 4

Background: TrustZone Attacks

[Diagram: ARM Cortex Processor with a Normal World (Applications, Rich Operating System) and a Secure World (Trusted Applications, Secure OS), plus the Monitor; annotated "Privilege escalation".]

Page 5

Background: Boomerang[1] attack

[Diagram: ARM Cortex Processor with a Normal World (Applications, Rich Operating System) and a Secure World (Trusted Applications, Secure OS), plus the Monitor; annotated "Privilege escalation".]

[1] Machiry, Aravind, et al. "BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments." NDSS. 2017.

Page 6

Background: Privilege escalation

[Diagram: Applications (App) on the Rich Operating System, the Secure Operating System and the Monitor, with the labels "Horizontal privilege escalation (HPE)" and "Vertical privilege escalation".]

Page 7

HPE attack using TA

[Diagram: ARM Cortex Processor with a Normal World (Applications, Rich Operating System) and a Secure World (Trusted Applications, Secure OS), plus the Monitor; annotated "Privilege escalation".]

Page 8

Storing data in Secure World

[Diagram: an App in the Normal World and a TA in the Secure World. Steps: A: Write(data); B: Store(data). Data locations shown: Global, Storage.]

Page 9

Global data attack examples

[Three diagrams, each showing a Victim App and a Malicious App in the Normal World and a TA with Global data in the Secure World.]

Data leakage: 1: Write(data); 2: Read(data)

Data compromise: 1: Write(data); 2: Modify(data); 3: Read(data)

Decryption oracle: 1: Write(key); 2: Request decrypt(key, input); 3: Read decrypted input

Page 10

Stored data attack examples

[Three diagrams, each showing a Victim App and a Malicious App in the Normal World and, in the Secure World, TA1 and TA2, each with Global data, plus Storage.]

Data leakage: 1: Save(data); 2: Write(data); 3: Read(data); 4: Load(data)

Data compromise: 1: Save(data); 2: Write(data); 3: Modify(data); 4: Write(data); 5: Read(data); 6: Load(data)

Decryption oracle: 1: Save(key); 2: Write(key); 3: Request decrypt(key, input); 4: Read(key); 5: Read decrypted input

Page 11

HPE manual analysis

95 TA binaries analyzed

3 major TrustZone environments investigated (Kinibi, QSEE, Teegris)

HPE enabling vulnerabilities discovered (3 types)

Page 12

Findings: vulnerable TAs

[Bar chart: number of TAs in each TA group, Vulnerable vs. Investigated, for Kinibi, QSEE and Teegris.]

Page 13

Findings: vulnerable TAs

[Bar chart, Teegris only: number of TAs in each TA group, Vulnerable vs. Investigated. TA groups: DRM, Key management, Attestation, Hardware drivers, Device integrity, Authentication, Utility.]

Manual analysis: two engineers, four weeks

Page 14

HPE vulnerability impact

Data leakage

Example: Encryption key leaked to attacker

Data compromise

Example: Encryption key replaced with attacker data

Decryption oracle

Example: DRM content decrypted for malicious app

Encryption oracle

Example: Encrypted keys replaced with attacker data

Signing oracle

Example: TA signs forged attestation data

Page 15

Findings: HPE attack vectors

[Bar chart: number of HPE attack vectors identified in each TA group (DRM, Key management, Attestation) for Kinibi, QSEE and Teegris.]

Page 16

Findings: HPE attack vectors

[Bar chart, Teegris only: number of HPE attack vectors identified in each TA group (DRM, Key management, Attestation). Attack vectors: Key leakage, Data compromise, Decryption oracle, Encryption oracle, Signing oracle, Total.]

Page 17

Hooper: Automatic HPE detection

Phase 1: Symbolic execution

Phase 2: State matching

Phase 3: Vulnerability checking

[Pipeline diagram labels: TA binary, Path semantics, State inspection, Bugs found.]

Page 18

Hooper: Cross-invocation tracking

[Diagram labels: SimProcedures; TA execution paths; Basic blocks; Entry; Send output; Cross-invocation data flows.]

Match global variable: paired paths using X ("X = input" and "output = X")

Match storage locations: paired paths using Storage[Y] ("Storage[Y] = input" and "output = Storage[Y]")

Page 19

Automatic analysis results

[Bar chart, Teegris: number of attack vectors identified per HPE attack vector, Identified vs. False negatives, for the DRM, Key management and Attestation TA groups.]

Page 20

Automatic analysis results

[Bar chart, Teegris: number of attack vectors identified per HPE attack vector (Data leakage, Data compromise, Decryption oracle, Encryption oracle, Signing oracle, Total), Identified vs. False negatives.]

Vulnerabilities found in 24 hours vs 4 weeks of manual analysis

Page 21

Mitigations

Resolve TA multi-tenant interference

Introduce session management inside all multi-tenant TAs

Standardized TA session management

Introduce a library for managing sessions inside TAs

Fine-grained access to Secure World storage

Partition Secure World storage and enforce fine-grained access control

Minimize access to TAs

Use fine-grained access policies to prevent unauthorized access to TAs
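
The global-data pattern from the attack slides next to the session-management mitigation, as an added C example that is not taken from the slides or from any real TA. All function names, the `caller_id` parameter (assumed to be supplied by the secure OS) and the sample key are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#define MAX_SESSIONS 4
#define DATA_LEN 16
enum { CMD_WRITE = 1, CMD_READ = 2, TA_OK = 0, TA_DENIED = -1, TA_BAD_PARAM = -2 };

/* Vulnerable pattern: one global buffer shared by every caller of the TA. */
static uint8_t g_data[DATA_LEN];

int ta_invoke_global(int cmd, uint8_t *buf, size_t len) {
    if (buf == NULL || len != DATA_LEN) return TA_BAD_PARAM;
    if (cmd == CMD_WRITE) { memcpy(g_data, buf, len); return TA_OK; }
    if (cmd == CMD_READ)  { memcpy(buf, g_data, len); return TA_OK; }
    return TA_BAD_PARAM;
}

/* Session-managed pattern: state is bound to caller_id (hypothetical, from the secure OS). */
struct session { int in_use; uint32_t owner; uint8_t data[DATA_LEN]; };
static struct session g_sessions[MAX_SESSIONS];

int ta_open_session(uint32_t caller_id) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (g_sessions[i].in_use) continue;
        /* Compound literal zeroes data[], so no stale bytes carry over. */
        g_sessions[i] = (struct session){ .in_use = 1, .owner = caller_id };
        return i;
    }
    return TA_DENIED;  /* session table full */
}

int ta_invoke_session(int sid, uint32_t caller_id, int cmd, uint8_t *buf, size_t len) {
    if (buf == NULL || len != DATA_LEN) return TA_BAD_PARAM;
    if (sid < 0 || sid >= MAX_SESSIONS) return TA_DENIED;
    struct session *s = &g_sessions[sid];
    if (!s->in_use || s->owner != caller_id) return TA_DENIED;  /* not the owner */
    if (cmd == CMD_WRITE) { memcpy(s->data, buf, len); return TA_OK; }
    if (cmd == CMD_READ)  { memcpy(buf, s->data, len); return TA_OK; }
    return TA_BAD_PARAM;
}

/* Constructed scenario: caller 100 writes, caller 200 then tries to read.
 * Returns 1 if the second caller obtained the first caller's data. */
int cross_caller_read(int use_sessions) {
    uint8_t secret[DATA_LEN] = "constructed-key", out[DATA_LEN] = {0};
    if (use_sessions) {
        int sid = ta_open_session(100);
        ta_invoke_session(sid, 100, CMD_WRITE, secret, DATA_LEN);
        return ta_invoke_session(sid, 200, CMD_READ, out, DATA_LEN) == TA_OK;
    }
    ta_invoke_global(CMD_WRITE, secret, DATA_LEN);
    ta_invoke_global(CMD_READ, out, DATA_LEN);
    return memcmp(secret, out, DATA_LEN) == 0;
}
```

`cross_caller_read(0)` returns 1 for the global variant and `cross_caller_read(1)` returns 0 once the owner check is in place.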

Page 22

Conclusion

Some TAs store data from multiple applications across invocations

Insufficient access control exposes TA-managed data to attackers

Three types of HPE-enabling vulnerabilities found in 23 TAs

Automatic binary analysis can help identify HPE vulnerabilities

Platform-wide fine-grained access control would help mitigate HPE

Page 23

Thank you!

Contact information:

Darius Suciu [email protected]

Stephen McLaughlin [email protected]

Laurent Simon [email protected]

Radu Sion [email protected]

Questions?