Independent Security Researcher
Elevating The TrustZone To Achieve A Powerful Android Kernel Exploit
In today's mobile security world, where attack surfaces are constantly being tightened and new mitigations keep being introduced, kernel exploits are a highly complex matter. This imposes multiple obstacles for anyone looking to develop such exploits. First, reliability is an issue. The involvement of many moving parts (e.g. race conditions, heap grooming) makes reliably exploiting the kernel a very hard task. Second, even once you manage to build a successful exploit, there is then the cumbersome process of carefully adapting it for each device/version you wish to run it on.
In this talk, I will present a different approach to Android kernel exploitation, intended to overcome the obstacles mentioned above. I will describe a vulnerability I found in the Android kernel (CVE-2021-1961), and the interesting way I exploited it.
My exploitation method revolves around utilizing an even higher privileged component, the TrustZone. By doing this, I managed to overcome all existing security mitigations in the Android kernel, creating a 100% reliable exploit. Not only that, but the exploit is powerful enough to work on all combinations of devices/versions without requiring any code adaptation. In the talk, I will discuss what makes this exploitation technique so powerful, how it bypasses existing mitigations so easily, and why it should probably even bypass future expected mitigations.
Besides the exploit itself, I will go into detail about the communication protocol between the kernel and the Qualcomm TrustZone (also known as QSEE), and where its weaknesses lie. Additionally, I will explain how you can start your own research in this area.
Tamir Zahavi-Brunner’s main areas of focus are reverse engineering and vulnerability research of mobile and low-level embedded software. Previously, Tamir was a security researcher at Zimperium where he discovered and reported many Android vulnerabilities.