

  1. Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution
     Marcel Busch, Kalle Dirsch. 2020-02-23. Friedrich-Alexander-University Erlangen-Nürnberg, Germany. BAR'20

  2. Motivation
     • How secure are Trusted Execution Environments (TEEs)?
     • What errors do vendors make?
     • In 2016 Huawei's TEE got exploited (footnote: https://www.youtube.com/watch?v=XjbGTZrg9DA)
       • CVE-2016-8764 [2]
       • Type confusion bug in the Secure Storage Trusted Application (TA)
     • How to facilitate binary-diff-based analyses of 1-days in TAs?
       ⇒ Filter patches dealing with user input
       ⇒ Compare constraints introduced by patches
     2/16 2020-02-23 | M. Busch | FAU Erlangen-Nürnberg | Finding 1-Day Vulnerabilities in Trusted Applications

  3. Background
     • Two "Worlds": Normal World and Secure World
     • Two OSs: Rich Operating System (Rich OS) and Trusted Operating System (Trusted OS)
     • Two user spaces: Client Applications and Trusted Applications
     • Client Application (CA) logically interacts with TA
     • Logical channel is carried out by Rich OS and Trusted OS (via the dispatcher)
     • GlobalPlatform (GP) specification defines the "libc" of TAs (TEE Internal Core API)
     [Figure: Normal World (Client Applications, Rich OS) and Secure World (Trusted Applications, TEE Internal Core API, Trusted OS), connected through the dispatcher]

  4. Challenges and Related Work
     Challenges
     • TAs are closed source
     • No dynamic analysis (i.e., debugging)
     • No TA modifications (i.e., instrumentation)
     Related Work
     • PartEmu [1]
     • TEEGris Usermode [4]
     Our prototype, SimTA, focuses on
     • GP Internal Core API
     [Figure: same Normal World / Secure World architecture as on slide 3]

  5. TA Lifecycle

```c
while (1) {
    LifecycleData* data = MsgRcv();

    switch (data->lifecycle_cmd) {
    case OPEN_SESS:
        if (data->init) {
            TA_CreateEntryPoint();
        }
        TA_OpenSessionEntryPoint(...);
        break;
    case INVOKE_CMD:
        TA_InvokeCommandEntryPoint(...);
        break;
    case CLOSE_SESS:
        TA_CloseSessionEntryPoint(...);
        if (data->deinit) {
            TA_DestroyEntryPoint();
        }
        break;
    default:
        break;
    }
    MsgSnd(data);
}
```

     • TA_CreateEntryPoint: Constructor
     • TA_OpenSessionEntryPoint: Opens client session
     • TA_InvokeCommandEntryPoint: Invocation of TA commands
     • TA_CloseSessionEntryPoint: Closes client session
     • TA_DestroyEntryPoint: Destructor

  6. TA Parameters

```c
TEE_Result TA_OpenSessionEntryPoint(
    uint32_t paramTypes,
    [inout] TEE_Param params[4],
    [out][ctx] void **sessionContext
);

TEE_Result TA_InvokeCommandEntryPoint(
    [ctx] void *sessionContext,
    uint32_t commandID,
    uint32_t paramTypes,
    [inout] TEE_Param params[4]
);

typedef union {
    struct {
        unsigned int buffer;
        unsigned int size;
    } memref;
    struct {
        unsigned int a;
        unsigned int b;
    } value;
} TEE_Param;
```

  7. TA CmdId-Handler

```c
TA_InvokeCommandEntryPoint(sessCtx, cmdId, paramTypes, params) {
    switch (cmdId) {
    case FOPEN:
        if (paramTypes != FOPEN_PTYPES)
            goto ptype_error;

        char *path; size_t pathsz;
        uint32_t flags;
        TEE_ObjectHandle obj;

        path   = params[0]->memref.buffer;
        pathsz = params[0]->memref.size;
        flags  = params[1]->value.a;

        TEE_OpenPersistentObject(TEE_STORAGE_PRIVATE, path, pathsz, flags, &obj);
        ...
        break;
    case FREAD:
        ...
    }
    return;
ptype_error:
    log("bad param types");
    return;
}
```

  8. TA Address Space
     [Figure: memory map from 0xffffffff down to 0x00000000 with the regions shared mem, stack, heap, storageTA (code, rodata, data) and globaltask (code, rodata, data); boundary addresses printed on the slide, top to bottom: 0xc8020000, 0x011b80000, 0x011b40000, 0x01040000, 0x0119e000]
     • Address space retrieved via CVE-2016-8764 exploit
     • globaltask implements GP Internal Core API
     • globaltask is the only library code
     • TA does not perform syscalls
     • shared mem contains params

  9. SimTA
     • Maps memory according to our analysis using angr [3]
     • Hooks input/output of lifecycle via angr-SimProcedures
       • Modular implementation of call sequences
       • Allows for selectively chosen symbolic inputs
     • Hooks GP Internal Core API via angr-SimProcedures
       • Specification of functions available from GP
       • Implements all functions used by storageTA
     • Can be found on GitHub: https://github.com/teesec/simta

  10. Evaluation – Approach
     • Analysis of Secure Storage TA
       • VNS-L21C432B130 vs VNS-L21C432B160
       • Used Zynamics' BinDiff to identify patches
     • SimTA provides
       • filter mode – identifies patches dealing with user-controlled input
       • exec mode – runs both versions with selectively chosen symbolic inputs
     • Found three 1-days
     [Figure: numbered graph of the patched basic blocks identified by BinDiff]

  11. Evaluation – CVE-2016-8764 Re-Discovery
     • Type confusion

```c
TA_InvokeCommandEntryPoint(sessCtx, cmdId, paramTypes, params) {
    switch (cmdId) {
    case FOPEN:
        ...
        break;
    case FREAD:
        // if (paramTypes != FOPEN_PTYPES)
        //     goto ptype_error;
        char *dst = params[0]->buffer;
        int sz = params[0]->size;
        ...
        TEE_ReadObjectData(obj, dst, sz);
        break;
    ...
    }
    return;
ptype_error:
    log("bad param types");
    return;
}
```

```c
enum TEE_ParamType {
    TEE_PARAM_TYPE_NONE          = 0x0,
    TEE_PARAM_TYPE_VALUE_INPUT   = 0x1,
    TEE_PARAM_TYPE_VALUE_OUTPUT  = 0x2,
    TEE_PARAM_TYPE_VALUE_INOUT   = 0x3,
    TEE_PARAM_TYPE_MEMREF_INPUT  = 0x5,
    TEE_PARAM_TYPE_MEMREF_OUTPUT = 0x6,
    TEE_PARAM_TYPE_MEMREF_INOUT  = 0x7,
};
```
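     The paramTypes check that slides 7 and 11 turn on, as an added example that is not from the slides or SimTA: GP packs one 4-bit TEE_ParamType per slot into the paramTypes word, and a handler that skips the comparison reads a VALUE slot's (a, b) pair as (buffer, size). The enum values are from slide 11 and the two macros follow the GP TEE Internal Core API; FREAD_PTYPES and the fread_* functions are constructed for this illustration.

```c
/* Added illustration of the slide-11 type confusion: the fread_* handlers and
 * FREAD_PTYPES are constructed, the enum is from slide 11, the macros follow GP. */
#include <stdint.h>
#include <string.h>

enum TEE_ParamType {
    TEE_PARAM_TYPE_NONE          = 0x0,
    TEE_PARAM_TYPE_VALUE_INPUT   = 0x1,
    TEE_PARAM_TYPE_VALUE_OUTPUT  = 0x2,
    TEE_PARAM_TYPE_VALUE_INOUT   = 0x3,
    TEE_PARAM_TYPE_MEMREF_INPUT  = 0x5,
    TEE_PARAM_TYPE_MEMREF_OUTPUT = 0x6,
    TEE_PARAM_TYPE_MEMREF_INOUT  = 0x7,
};
/* One 4-bit type per parameter slot, slot 0 in the low nibble. */
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    ((uint32_t)(t0) | ((uint32_t)(t1) << 4) | ((uint32_t)(t2) << 8) | ((uint32_t)(t3) << 12))
#define TEE_PARAM_TYPE_GET(pt, i) (((pt) >> ((i) * 4)) & 0xFu)

typedef union {                       /* 32-bit layout as on slide 6 */
    struct { uint32_t buffer; uint32_t size; } memref;
    struct { uint32_t a; uint32_t b; } value;
} TEE_Param;

/* Layout FREAD expects (constructed): one output buffer in slot 0, nothing else. */
#define FREAD_PTYPES TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_OUTPUT, TEE_PARAM_TYPE_NONE, \
                                     TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE)

/* Both return the byte count they would hand to TEE_ReadObjectData, or -1. */
long fread_unchecked(uint32_t paramTypes, const TEE_Param params[4])
{
    (void)paramTypes;                 /* the check slide 11 shows commented out */
    return (long)params[0].memref.size;
}
long fread_checked(uint32_t paramTypes, const TEE_Param params[4])
{
    if (paramTypes != FREAD_PTYPES)   /* any other declared layout is rejected */
        return -1;
    return (long)params[0].memref.size;
}

/* Constructed client call: a VALUE slot carries two plain integers (a, b),
 * which the unchecked handler reinterprets as a buffer address and a size. */
long fread_demo(int checked, uint32_t paramTypes, uint32_t a, uint32_t b)
{
    TEE_Param params[4];
    memset(params, 0, sizeof params);
    params[0].value.a = a;
    params[0].value.b = b;
    return checked ? fread_checked(paramTypes, params) : fread_unchecked(paramTypes, params);
}
```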

  12. Evaluation – Heap-based buffer overflow
     • Missing length check
     • Passing attacker provided buffer length to MemMove operation

```c
TA_InvokeCommandEntryPoint(sessCtx, cmdId, paramTypes, params) {
    switch (cmdId) {
    case FOPEN:
        ...
        char *path;
        param0_buf = params[0]->memref.buffer;
        param0_sz  = params[0]->memref.size;

        // if (strlen(param0_buf) != param0_sz)
        //     return -1;

        path = malloc(strlen(param0_buf));
        ...
        MemMove(path, param0_buf, param0_sz);
        ...
        break;
    case FREAD:
        ...
    }
    return;
}
```
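     The length mismatch on slide 12, as an added example that is not from the slides or SimTA: the allocation is sized by strlen(param0_buf) while MemMove copies param0_sz bytes, both taken from shared memory. overflow_bytes quantifies that gap with a scan bounded by the declared size (what a detector would flag), and copy_path_checked shows a variant that never relies on strlen of the shared buffer; all function names, the max_path bound and the sample inputs are constructed.

```c
/* Added illustration of the slide-12 length mismatch; all names constructed. */
#define _POSIX_C_SOURCE 200809L   /* strnlen */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape from slide 12, modelled rather than run on real memory:
 * malloc(strlen(buf)) followed by MemMove(path, buf, declared_sz). The scan
 * is bounded by declared_sz so this helper itself never reads past the
 * shared-memory region the client declared. Returns the bytes MemMove would
 * write beyond the allocation, 0 when the sizes agree. */
size_t overflow_bytes(const char *buf, size_t declared_sz)
{
    size_t alloc = strnlen(buf, declared_sz);
    return declared_sz > alloc ? declared_sz - alloc : 0;
}

/* Hardened copy: bound the declared size, require the string to fill it
 * with no embedded NUL (the patched-in check, bounded by declared_sz), and
 * size the allocation from declared_sz rather than from strlen(buf). */
char *copy_path_checked(const char *buf, size_t declared_sz, size_t max_path)
{
    if (declared_sz == 0 || declared_sz > max_path)
        return NULL;
    if (strnlen(buf, declared_sz) != declared_sz)
        return NULL;                      /* strlen(buf) != declared_sz */
    char *path = malloc(declared_sz + 1);
    if (path == NULL)
        return NULL;
    memcpy(path, buf, declared_sz);       /* copy exactly what was allocated */
    path[declared_sz] = '\0';
    return path;
}

/* Convenience wrapper for checking results: length of the accepted copy, or -1. */
long copy_path_len(const char *buf, size_t declared_sz, size_t max_path)
{
    char *p = copy_path_checked(buf, declared_sz, max_path);
    if (p == NULL)
        return -1;
    long n = (long)strlen(p);
    free(p);
    return n;
}
```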

  13. Future Work and Limitations
     • Support more Trusted Core (TC) TAs
     • Larger analysis covering different versions and more TC TAs
     • Investigate compatibility with other TEEs
     [Figure: same numbered patch graph as on slide 10]

  14. THE END
     Questions?

  15. References
     [1] Lee Harrison, Hayawardh Vijayakumar, Rohan Padhye, Koushik Sen, and Michael Grace. PartEmu: Enabling dynamic analysis of real-world TrustZone software using emulation. In Proceedings of the 29th USENIX Security Symposium (USENIX Security 2020) (to appear), August 2020.
     [2] NIST. CVE-2016-8764. https://nvd.nist.gov/vuln/detail/CVE-2016-8764, 2017. Accessed: 2019-08-28.

  16. References (continued)
     [3] Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Audrey Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis. In IEEE Symposium on Security and Privacy, 2016.
     [4] Alexander Tarasikov. QEMU TEEGris usermode. https://github.com/astarasikov/qemu/tree/teegris_usermode, 2019. Accessed: 2019-11-30.
