Attend in-personat ADNEC Abu Dhabi
Attend onlinevia livestream
Date21-24 November 2021
Time09:00 to 17:00 GST/GMT+4
A Trusted Execution Environments (TEE) is notoriously hard to secure due to the interaction between complex hardware and a large Trusted Code Base (TCB). The security provided by different TEE implementations has been broken on a wide variety of devices, including mobile phones, smart TVs and even modern vehicles.
The TEEPwn experience takes an offensive perspective and dives into the darker corners of TEE security. It’s designed with a system-level approach, where you will experience exploitation of powerful vulnerabilities specific for TEE technology. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.
Your journey starts with achieving a comprehensive understanding of TEE technology. You will learn how hardware and software cooperate in order to enforce effective security boundaries. You will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios. All practical exercises are performed on our emulated attack platform which is using ARM TrustZone to implement multiple TEE implementations.
You will take on different roles, as an attacker in control of:
You will be guided towards an unexpected range of TEE-specific attack vectors and vulnerabilities, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.
Do not worry if your reverse engineering or exploiting skills are rusty or non-existing. You do not need to be an software security expert nor do we aim to make you one. Nevertheless, many exercises can be completed in complex way which keeps the exercises interesting to experienced attendees as well.
The TEEPwn experience consists of 4 exciting days during which we will give several lectures covering fundamental topics. Nonetheless, the emphasis will be on the exciting hands-on exercises for which you will get a personal cloud-based Virtual Machine (VM) that can be accessed using modern browser.
The lectures are given through Zoom and a Discord server is available for support.
1. Stable Internet connection with sufficient bandwidth
2. Any modern computer system or laptop:
– TEE overview
– Security model
– TEE SW components
– TEE attacker model
– TEE attack surface
– Secure Monitor
– TEE OS (SMC interface)
– Vulnerable SMC handlers
– Broken design
– Unchecked Pointers
– Restricted writes
– Range checks
– Communicating with TAs
– Global Platform APIs
– Type confusion
– TOCTOU (Double fetch)
– TEE OS (Syscall interface)
– Unchecked pointers from TA
– Vulnerable crypto primitives
– State confusion
Cristofaro Mune (@pulsoid) has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs.
He is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices.
His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
Niek Timmers (@tieknimmers) is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io. and NULLCON.
This class is run a little different from most classes. We provide you purpose-built recorded lectures instead of trapping you in realtime with live-lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you're paying attention ;)). One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands on labs quicker. Or if there's bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.
This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to be able to read and understand the existing attack and defense research in the space, taking an explicit walk through of the attack and defense moves and counter-moves threat tree. And as always, this classes teaches you to be comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work, and to see out new problems in new areas that no one's read yet with a security mindset.You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email email@example.com
This class teaches you about the fundamental hardware mechanisms which all operating systems, virtualization systems, and firmware *must* interact with in order to run successfully on x86 hardware. This is taught in a *mostly* OS-agnostic way focusing on Intel-isms rather than OS-isms (albeit with using Windows as reinforcement, thanks to its excellent kernel-level debugging support.) This class also teaches you to be comfortable with Reading The Fun Manual (RTFM!) to give you self-sufficiency when seeking out the most accurate details of how things work.You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email firstname.lastname@example.org
This class teaches you how to disassemble binaries, read x86-64 assembly language, and debug black-box binaries in WinDbg and GDB. This knowledge of assembly is the fundamental skill which is required to learn reverse engineering and vulnerability exploitation. Reverse engineering is in turn a fundamental skill which is required for malware analysis and vulnerability hunting.
You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email email@example.com