TEEPwn: Breaking TEEs by Experience
4-Day Training | Hybrid | 21-24 November 2021


Available seats: TBA
Difficulty: Intermediate
Price: US$ 4,299
Attend in-person: at ADNEC Abu Dhabi
Attend online: via livestream
Date: 21-24 November 2021
Time: 09:00 to 17:00 GST/GMT+4

A Trusted Execution Environment (TEE) is notoriously hard to secure due to the interaction between complex hardware and a large Trusted Code Base (TCB). The security provided by different TEE implementations has been broken on a wide variety of devices, including mobile phones, smart TVs and even modern vehicles.

The TEEPwn experience takes an offensive perspective and dives into the darker corners of TEE security. It’s designed with a system-level approach, where you will experience exploitation of powerful vulnerabilities specific to TEE technology. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.

Your journey starts with achieving a comprehensive understanding of TEE technology. You will learn how hardware and software cooperate in order to enforce effective security boundaries. You will then use this understanding to identify interesting vulnerabilities across the entire TEE attack surface. You will be challenged to exploit these vulnerabilities in multiple realistic scenarios. All practical exercises are performed on our emulated attack platform, which uses ARM TrustZone to implement multiple TEE implementations.

You will take on different roles, as an attacker in control of:

  • the REE, achieving privileged code execution inside the TEE
  • the REE, accessing assets protected by a Trusted Application (TA)
  • a TA, escalating privileges to the TEE OS
  • a TA, accessing the protected assets of another TA

You will be guided towards an unexpected range of TEE-specific attack vectors and vulnerabilities, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.

Do not worry if your reverse engineering or exploitation skills are rusty or non-existent. You do not need to be a software security expert, nor do we aim to make you one. Nevertheless, many exercises can be completed in complex ways, which keeps the exercises interesting for experienced attendees as well.

Who should attend:

  • Security Analysts, Researchers and Practitioners interested in TEE security
  • Software Security Developers and Architects interested in an offensive TEE perspective

Prerequisites:

  • Experience with C programming and ARM64 assembly
  • Understanding of typical software vulnerabilities
  • Familiarity with reverse engineering and typical exploitation techniques
  • Familiarity with modern OS security concepts

The TEEPwn experience consists of 4 exciting days during which we will give several lectures covering fundamental topics. Nonetheless, the emphasis will be on the exciting hands-on exercises, for which you will get a personal cloud-based Virtual Machine (VM) that can be accessed using a modern browser.

The lectures are given through Zoom and a Discord server is available for support.

Learning objectives:

  • Gain a system-level understanding of TEE security
  • Identify vulnerabilities across the entire TEE attack surface
  • Gain hands-on experience with TEE-specific exploitation techniques
  • Gain a strong understanding of ARM TrustZone-based TEEs

Requirements:

1. Stable Internet connection with sufficient bandwidth

2. Any modern computer system or laptop:

  • With sufficient memory (~8 GB)
  • With sufficient disk space (~50 GB)
  • Installed with a recent version of VMware (or similar)


+agenda

All agenda items are dated 21-24 November 2021.

TEE Fundamentals
  – TEE overview
  – Security model

ARM TrustZone-based TEEs
  – TEE SW components
  – TEE attacker model
  – TEE attack surface

REE --> TEE attacks
  – Secure Monitor
  – TEE OS (SMC interface)
  – Exploitation:
      – Vulnerable SMC handlers
      – Broken design
      – Unchecked pointers
      – Restricted writes
      – Range checks

REE --> TA attacks
  – Communicating with TAs
  – Global Platform APIs
  – Exploitation:
      – Type confusion
      – TOCTOU (Double fetch)

TA --> TEE attacks
  – TEE OS (Syscall interface)
  – Drivers
  – Exploitation:
      – Unchecked pointers from TA
      – Vulnerable crypto primitives

TA --> TA attacks
  – State confusion


+TRAINERS

Cristofaro Mune
Co-Founder, Raelize B.V

Cristofaro Mune (@pulsoid) has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs.

He is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices.

His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.

Niek Timmers
Co-Founder, Raelize B.V

Niek Timmers (@tieknimmers) is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He has shared his research on topics like Secure Boot and Fault Injection at various conferences such as Black Hat, BlueHat, HITB, hardwear.io and NULLCON.
