Awesome
TEE Basics & General
- Introduction to Trusted Execution Environment: ARM's TrustZone
- Introduction to TEE (original title: TEEを中心とするCPUセキュリティ機能の動向, "Trends in CPU security features centred on the TEE")
- Attacking the ARM's TrustZone
- ARM TrustZone Security Whitepaper
- ARM TrustZone website
- TrustZone Explained: Architectural Features and Use Cases
- Trustworthy Execution on Mobile Devices
- Demystifying ARM TrustZone: A Comprehensive Survey
- Understanding Trusted Execution Environments and Arm TrustZone (by Azeria)
- SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems
- Giving Mobile Security the Boot (by Jonathan Levin)
- The ARMs race to TrustZone (by Jonathan Levin)
TEE Exploits/Security Analysis
HiSilicon/Huawei (TrustedCore)
- Exploiting TrustZone on Android (BH-US 2015) by Di Shen (@returnsme)
- EL3 Tour: Get the Ultimate Privilege of Android Phone (Infiltrate19)
- Nailgun: Break the privilege isolation in ARM devices (PoC #2 only)
- Nick Stephens: How does someone unlock your phone with a nose? (gives the big picture of NWd <> SWd communications and exploits), GeekPwn 2016
Qualcomm (QSEE)
- Reflections on Trusting TrustZone (2014)
- Getting arbitrary code execution in TrustZone's kernel from any context (28/03/2015)
- Exploring Qualcomm's TrustZone implementation (04/08/2015)
- Full TrustZone exploit for MSM8974 (10/08/2015)
- TrustZone Kernel Privilege Escalation (CVE-2016-2431)
- War of the Worlds - Hijacking the Linux Kernel from QSEE
- QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
- Exploring Qualcomm's Secure Execution Environment (26/04/2016)
- Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921)
- Trust Issues: Exploiting TrustZone TEEs (24 July 2017)
- Breaking Bad. Reviewing Qualcomm ARM64 TZ and HW-enabled Secure Boot on Android (4-9.x)
- Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores CVE-2018-11976 (NCC)
- Qualcomm TrustZone Integer Signedness bug (12/2014)
- The road to Qualcomm TrustZone apps fuzzing (RECON Montreal 2019)
- Downgrade Attack on TrustZone
Motorola (Qualcomm SoC)
- Unlocking the Motorola Bootloader (10/02/2016)
HTC (Qualcomm SoC)
- Here Be Dragons: Vulnerabilities in TrustZone (14/08/2014)
Trustonic (Kinibi & MobiCore)
- Unbox Your Phone: Parts I, II & III
  - https://medium.com/taszksec/unbox-your-phone-part-i-331bbf44c30c
  - https://medium.com/taszksec/unbox-your-phone-part-ii-ae66e779b1d6
  - https://medium.com/taszksec/unbox-your-phone-part-iii-7436ffaff7c7
  - https://github.com/puppykitten/tbase
  - https://github.com/puppykitten/tbase/blob/master/unboxyourphone_ekoparty.pdf
- KINIBI TEE: Trusted Application Exploitation (2018-12-10)
- TEE Exploitation on Samsung Exynos devices by Eloi Sanfelix: Parts I, II, III, IV
- Breaking Samsung's ARM TrustZone (BlackHat USA 2019)
- Launching feedback-driven fuzzing on TrustZone TEE (HITBGSEC2019)
- A Deep Dive into Samsung's TrustZone
  - (Part 1 - intro) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-1.html
  - (Part 2 - fuzzing TAs) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-2.html
  - (Part 3 - exploiting EL3) https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-3.html
Samsung (TEEGRIS)
- Breaking TEE Security:
  - (Part 1 - Intro) https://www.riscure.com/blog/tee-security-samsung-teegris-part-1
  - (Part 2 - Exploiting TAs) https://www.riscure.com/blog/tee-security-samsung-teegris-part-2
  - (Part 3 - EoP TAs > TOS) https://www.riscure.com/blog/tee-security-samsung-teegris-part-3
- Reverse-engineering Samsung Exynos 9820 bootloader and TZ by @astarasikov
- Bug Hunting S21’s 10ADAB1E FW (OffensiveCon 2022)
Apple (Secure Enclave)
- Demystifying the Secure Enclave Processor by Tarjei Mandt, Mathew Solnik, and David Wang
Intel (Intel SGX)
- Intel SGX Explained by Victor Costan and Srinivas Devadas
TEE Fuzzing
- PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation
- The Road to Qualcomm TrustZone Apps Fuzzing
- Launching feedback-driven fuzzing on TrustZone TEE (HITB GSEC 2019 Singapore)
- Fuzzing Embedded (Trusted) Operating Systems Using AFL (Martijn Bogaard | nullcon Goa 2019) OP-TEE
- SAN19-225 Fuzzing embedded (trusted) operating systems using AFL (Martijn Bogaard) OP-TEE
TEE Secure Boot
- Reverse Engineering Samsung S6 SBOOT - Part I & II
- Secure initialization of TEEs: when secure boot falls short (EuskalHack 2017)
- Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM
- Qualcomm Secure Boot and Image Authentication Technical Overview
- Breaking Samsung's Root of Trust - Exploiting Samsung Secure Boot (BlackHat 2020)
- Overview of Secure Boot state in the ARM-based SoCs (Hardware-Aided Trusted Computing devroom - Maciej Pijanowski - FOSDEM 2021)
- Dive-Into-Android-TA-BugHunting-And-Fuzzing (Kanxue SDC 2023) - https://github.com/guluisacat/MySlides/blob/main/KanxueSDC2023/%E3%80%90%E8%AE%AE%E9%A2%98%E3%80%91%E6%B7%B1%E5%85%A5Android%E5%8F%AF%E4%BF%A1%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98.pdf
TEE Videos
- Ekoparty-13 (2017) Daniel Komaromy - Unbox Your Phone - Exploring and Breaking Samsung's TrustZone SandBoxes
- Daniel Komaromy - Enter The Snapdragon (2014-10-11)
- BSides DC 2018 & DerbyCon VIII - On the nose: Bypassing Huawei's Fingerprint Authentication by Exploiting the TrustZone by Nick Stephens
- An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture by Josh Thomas and Charles Holmes at the Android Security Symposium in Vienna, Austria, 9-11 September 2015
- Android and trusted execution environments by Jan-Erik Ekberg (Trustonic) at the Android Security Symposium in Vienna, Austria, 9-11 September 2015
- 34C3 2017 - Console Security - Switch by Plutoo, Derrek and Naehrwert
- 34C3 2017 - TrustZone is not enough by Pascal Cotret
- RootedCON 2017 - What your mother never told you about Trusted Execution Environment... by José A. Rivas
  - audio in Spanish (original): https://www.youtube.com/watch?v=lzrIzS84mdk
  - English translation: https://www.youtube.com/watch?v=Lzb5OfE1M7s
- BH US 2015 - Fingerprints On Mobile Devices: Abusing And Leaking
- No ConName 2015 - (Un)Trusted Execution Environments by Pau Oliva
  - video (audio in Spanish only): https://vimeo.com/150787883
  - slides: https://t.co/vFATxEa7sy
- BH US 2014 - Reflections on Trusting TrustZone by Dan Rosenberg
- ARM TrustZone for dummies by Tim Hummels
Microarchitectural attacks applied to TEE
- ARMageddon: Cache attacks on mobile devices
- Cache storage channels: Alias-driven attacks and verified countermeasures
- 34C3 - Microarchitectural Attacks on Trusted Execution Environments
- TruSpy: Cache side-channel information leakage from the secure world on ARM devices
Tools
Emulate
- QEMU Support for Exynos9820 S-Boot
- Emulating Exynos 4210 BootROM in QEMU
Reverse
- TZAR unpacker
- IDA MCLF Loader
- Ghidra MCLF Loader
Other useful resources
- ARM Trusted Firmware: reference implementation of the secure world for Cortex-A and Cortex-M
- OP-TEE: open source ARM TrustZone based TEE
- Trust Issues: Exploiting TrustZone TEEs by the Project Zero Team
- Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A. Machiry, 2017)
- TEE research (some useful IDA and Ghidra plugins for TEE research)