<div class="csl-bib-body">
<div class="csl-entry">Marth, D., Hlauschek, C., Schanes, C., & Grechenig, T. (2022). Abusing Trust: Mobile Kernel Subversion via TrustZone Rootkits. In <i>2022 IEEE Security and Privacy Workshops (SPW)</i> (pp. 265–276). https://doi.org/10.1109/SPW54247.2022.9833891</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/139755
-
dc.description.abstract
The Arm TrustZone is the de facto standard for hardware-backed Trusted Execution Environments (TEEs) on mobile devices, providing isolation for secure computations to be shielded from the normal world, and thus from the rest of the system. Most real-world TEEs are proprietary, difficult-to-inspect, and notoriously insecure: In the past years, it has been demonstrated over and over again that TEEs of millions of devices worldwide, and the Trusted Applications (TAs) they harbor, are often vulnerable to attacks such as control flow hijacking. Not only do we have to trust these TEEs to provide a secure environment for TAs such as keystore and Digital Rights Management (DRM), code running in the secure world provided by the Arm TrustZone also has full access to the memory of the regular operating system (OS). Since Thomas Roth first proposed a TrustZone-based rootkit in 2013, progress regarding such rootkits seems to have stalled in the offensive research community. The biggest challenge for TrustZone rootkits is that no interpretation of normal world memory is available in the secure world. Automated reverse engineering of kernel data structures at runtime is one way to implement rootkit functions. We present mechanisms to engineer the interpretation of Linux kernel memory for malicious subversion and the circumvention of basic protection mechanisms from the secure world. We provide a fully working proof-of-concept rootkit located in the Arm TrustZone to demonstrate the proposed mechanisms. We evaluate and show compatibility of the rootkit across different versions of the Linux kernel despite changing data structures. Our results highlight the feasibility of TrustZone rootkits that potentially survive kernel updates and raise awareness about the real danger of having to put trust into unvetted proprietary vendor code, which, as we show, can easily be abused.
en
dc.language.iso
en
-
dc.subject
Privacy
en
dc.subject
Codes
en
dc.subject
Runtime
en
dc.subject
Linux
en
dc.subject
Reverse engineering
en
dc.subject
Data structures
en
dc.subject
Security
en
dc.title
Abusing Trust: Mobile Kernel Subversion via TrustZone Rootkits
en
dc.type
Inproceedings
en
dc.type
Konferenzbeitrag
de
dc.contributor.affiliation
RISE–Research Industrial Systems Engineering GmbH
-
dc.contributor.affiliation
RISE–Research Industrial Systems Engineering GmbH
-
dc.contributor.affiliation
RISE–Research Industrial Systems Engineering GmbH
-
dc.contributor.affiliation
RISE–Research Industrial Systems Engineering GmbH
-
dc.description.startpage
265
-
dc.description.endpage
276
-
dcterms.dateSubmitted
2022
-
dc.type.category
Full-Paper Contribution
-
tuw.booktitle
2022 IEEE Security and Privacy Workshops (SPW)
-
tuw.researchTopic.id
I2
-
tuw.researchTopic.id
C3
-
tuw.researchTopic.name
Computer Engineering and Software-Intensive Systems
-
tuw.researchTopic.name
Computational System Design
-
tuw.researchTopic.value
50
-
tuw.researchTopic.value
50
-
tuw.publication.orgunit
E194-03 - Forschungsbereich Business Informatics
-
tuw.publisher.doi
10.1109/SPW54247.2022.9833891
-
dc.description.numberOfPages
12
-
tuw.event.name
2022 IEEE Security and Privacy Workshops (SPW)
-
tuw.event.startdate
26-05-2022
-
tuw.event.enddate
26-05-2022
-
tuw.event.online
Hybrid
-
tuw.event.type
Event for scientific audience
-
tuw.event.country
US
-
tuw.event.presenter
Marth, Daniel
-
tuw.event.presenter
Hlauschek, Clemens
-
tuw.event.presenter
Schanes, Christian
-
tuw.event.presenter
Grechenig, Thomas
-
wb.sciencebranch
Informatik
-
wb.sciencebranch
Wirtschaftswissenschaften
-
wb.sciencebranch.oefos
1020
-
wb.sciencebranch.oefos
5020
-
wb.sciencebranch.value
90
-
wb.sciencebranch.value
10
-
item.openairetype
conference paper
-
item.openairecristype
http://purl.org/coar/resource_type/c_5794
-
item.languageiso639-1
en
-
item.fulltext
no Fulltext
-
item.cerifentitytype
Publications
-
item.grantfulltext
none
-
crisitem.author.dept
RISE–Research Industrial Systems Engineering GmbH
-
crisitem.author.dept
RISE–Research Industrial Systems Engineering GmbH
-
crisitem.author.dept
E194-03 - Forschungsbereich Business Informatics
-
crisitem.author.dept
E194-03 - Forschungsbereich Business Informatics
-
crisitem.author.parentorg
E194 - Institut für Information Systems Engineering
-
crisitem.author.parentorg
E194 - Institut für Information Systems Engineering