Recon Montreal 2019

»Attacking Hexagon: Security Analysis of Qualcomm's ADSP«
2019-06-29, 11:00–12:00, Grand Salon

We present a security analysis of Qualcomm's Hexagon ADSP. Emphasis is given to a new analysis of its attack surface that affects a large number of Android flagship devices.

Qualcomm's Hexagon ADSP is included in Qualcomm Snapdragon SoCs on many Android flagship devices from various manufacturers. Hexagon is used as an accelerator for tasks related to audio/image processing and machine learning. In this talk we focus on a security analysis of Hexagon.

First a general overview is presented along with examples of the functionality of the system. Then the system architecture is discussed, as well as the communication between the Android userspace and the ADSP. Next we examine the connection between ADSP, TrustZone and baseband, and the possible security considerations. In addition, we present our debugging horror stories on the ADSP, and usage of a development board that allows custom code to be run on it. We present the steps for the exploitation of an example memory corruption vulnerability, and we examine the unique characteristics of Hexagon affecting this task, e.g. the implemented mitigations. We include all the relevant Hexagon ISA background needed in detail, so no previous experience with it is required. Finally, we remark on the possible ramifications of our research that can affect the security of many modern Android devices with Qualcomm chipsets.

Our talk includes reverse engineering methodologies for the exotic architecture of Hexagon, efforts to understand obscure and incomplete documentation for proprietary systems, and bypass of security mitigations for many modern Android devices.

See also: Slides