DeepSec 2022 Talk: Auditing Closed Source Trusted Applications for Qualcomm Secure Execution Environment (QSEE)- Hector Marco & Fernando Vano
Smartphones have become essential devices for carrying out many daily activities, including security-sensitive tasks such as authentication and payments. The security of sensitive data in modern mobile devices relies on hardware-enabled Trusted Execution Environments, amongst which ARM TrustZone is one of the most widely used. Qualcomm Secure Execution Environment (QSEE) is one of the most widespread commercial TEE solutions in the smartphone space, used by many devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.
In order to audit the QSEE environment, security researchers have to face distinct challenges. On the one hand, the software components of QSEE (i.e., trusted operating system and trusted applications) are not open sourced and can be quite complex, which requires a considerable extent of reverse engineering efforts to conduct analysis and to assess their security. On the other hand, to the best of our knowledge, there are no publicly available emulators for QSEE Trusted Applications that assist in debugging and auditing their code.
In this talk, we share the knowledge we obtained from a careful reverse engineering examination of different QSEE Trusted Applications and operating systems (QSEE-OS), showing the different versions of QSEE-OS and the differences regarding how trusted applications are loaded in each of the QSEE-OS versions. Besides, we will present the different tools we have developed throughout our research to assist in the security evaluation of QSEE, including a debugger for QSEE Trusted Applications fully integrated with GDB and Ghidra and a coverage-based fuzzer for QSEE Trusted Applications. Such tools are essential for us to better understand the internals and behaviour of the trusted applications, to find attack surfaces and to identify vulnerable code for further analyzing and fuzzing.
We asked Hector and Fernando a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- A practical understanding of the Qualcomm’s Trusted Execution Environment implementation.
- A characterisation of the different QSEE OS versions.
- Implementation details about how Trustlets are loaded for version v2 and higher.
- The importance of auditing the Trusted Execution Environment and why current tools are insufficient.
- Tooling presentation containing: Debugger and fuzzer and why they should be connected.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
There is a lack of tools to audit the secure world of many devices. We trust the secure world but we have few reliable information about this, essentially because you cannot just use the already developed tools to test applications in the secure world. Because of this lack, we developed a tool to allow users to audit the secure world.
Why do you think this is an important topic?
The secure world is much less known than the normal world. Vulnerabilities in Linux (normal world) are very interesting but vulnerabilities on a trusted OS are much more valuable since they are handling very sensitive information, such as private keys used to enforce current smartphone security when devices are off or blocked. Therefore, the secure world is considered the most important aspect in terms of security.
What kind of technical knowledge is required to follow the talk?
A basic knowledge of the secure architecture of a modern smartphone will help to better follow the presentation. The normal world, the secure world, the monitor, the mechanism employed to communicate between all those components the basic tools to do emulation, debugging and fuzzing: Qemu, AFL, Qiling, Unicorn, GDB, etc. Those will help to better understand our contribution and identify the key components that are being changed to allow the emulation, debugging and fuzzing of the Trusted Execution Environment.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
The Trusted Execution Environment is becoming more and more complex. Although there is a standard for the Trusted Execution Environment, some vendors are not following it and the final implementation depends on a specific device or group of similar devices. From the basic ARM TrustZone to a dedicated chip (Google Titan-M) makes the Trusted Execution Environment a challenging environment to be easily audited. This could be the main downfalls when trying to audit the Trusted Execution Environment of a particular device and unless vendors follow the standard, the Trusted Execution Environment will be more difficult to audit since tools need to be adapted, but also they would probably make similar mistakes which will contain similar vulnerabilities.
Hector Marco is a cybersecurity expert with more than 15 years of experience. He holds a PhD in cybersecurity where he found multiple vulnerabilities that have been awarded by Google and Packet Storm Security. He is the founder of Cyber Intelligence S.L., a Spanish experienced company specialized in software and hardware security. The company has developed their own tools and methods which allow to perform unique pentestings and vulnerability assessments. Cyber Intelligence has led several national and international security contracts and has successfully evaluated multiple products, discovering multiple 1- and 0-day vulnerabilities.
Fernando Vano is a Lead Security Researcher at Cyber Intelligence S.L., where he specializes in smartphone security, reverse engineering and fuzzing. He holds a PhD in cybersecurity and his major research interests include mobile devices, memory management in cloud computing, critical infrastructures and virtualization technologies. During the last few years, he has taken part in many cybersecurity research projects. Fernando is the author of many articles of computer security and cloud computing. He has contributed frequently as a reviewer for international scientific conferences and reputable scientific journals.