Recon Montreal 2019

The road to Qualcomm TrustZone apps fuzzing
2019-06-29, 16:00–16:30, Grand Salon

We reverse engineered Qualcomm TrustZone applications, emulated them on Android OS and assessed their reliability. During the investigation, numerous engineering challenges, such as bypassing Qualcomm’s Chain Of Trust to load patched trustlets, executing Qualcomm OS-related system calls on Android and many others, were solved.

In this talk we will discuss the Trusted Execution Environment (TEE), which protects the most important data on a mobile device. We will demonstrate how we automatically discovered many vulnerabilities in trusted components provided by device manufacturers as part of Qualcomm’s TEE backed by ARM TrustZone.

On the application CPU, TrustZone creates an isolated virtual Secure World running on top of a dedicated Qualcomm OS. The Secure World’s trusted apps are responsible for the business logic of mobile data security. Those apps must be the most protected part of the mobile device, which makes them a crucial and challenging target for security research.

We reverse engineered the Qualcomm TrustZone ecosystem and found that trusted apps constitute the perfect target for fuzzing-based vulnerability research due to their internal structure and the TEE architecture itself. In order to be able to fuzz trusted apps, we had to discover ways to execute them in the Normal World (Android OS); to load a patched app into the Secure World, bypassing Qualcomm’s Chain Of Trust; to adapt a trusted app for running on a device of another manufacturer; and more. We are going to show our way through those challenges to build a workable fuzzer for TrustZone apps.

See also: Slides