{
	"id": "ca8ce50f-4c5b-47d1-b866-a20a4349c1fc",
	"created_at": "2026-04-06T00:13:29.133369Z",
	"updated_at": "2026-04-10T13:12:10.453044Z",
	"deleted_at": null,
	"sha1_hash": "5f5fbc0352480b4b681e80c7a6788de1d05a4ba4",
	"title": "An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture | Program | Android Security Symposium 2015",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60796,
	"plain_text": "An infestation of dragons: Exploring vulnerabilities in the ARM\r\nTrustZone architecture | Program | Android Security Symposium\r\n2015\r\nArchived: 2026-04-05 19:21:17 UTC\r\nJosh Thomas\r\nAtredis Partners, Houston, TX, USA\r\nJosh Thomas is a founding member of Atredis Partners, a niche consulting shop performing reverse engineering\r\nand security assessments of hardware and software products for vendors and end customers. Previously, he was a\r\nSenior Research Scientist with Accuvant's Applied Research team, and has worked as a Senior Research Engineer\r\nat The MITRE Corporation. Josh specializes in mobile, embedded systems, protocol and architecture analysis and\r\nhas a deep history with malware and advanced rootkit research. Josh has written for multiple journals and\r\nindustry publications over the past years and he has open sourced the entirety of his work for the DARPA Cyber\r\nFast Track program.\r\nCharles Holmes\r\nAtredis Partners, Boston, MA, USA\r\nCharles Holmes has spent nearly the last decade working on sensitive projects for various US government and\r\nresearch organizations. Charles specializes in mobile security, malware and rootkit development, and advanced\r\nsoftware engineering.\r\nPrior to joining Atredis, Charles was a Senior Research Lead with The MITRE Corporation. In that role, Charles\r\nled research into a variety of mobile platforms including Apple, Android, Telematics, and Blackberry.\r\nBefore shifting focus to mobile security, Charles worked on a variety of projects for the Department of Defense.\r\nThese projects included the next generation software for the dismounted soldier, tactical radio networking, RFID\r\ncard readers, nuclear threat modeling, and mission planning systems.\r\nARM TrustZone is being heavily marketed as a be-all solution for mobile security. Through extensive marketing\r\npromising BYOD, secure PIN entry, and protection against APT\r\n(http://www.arm.com/products/processors/technologies/trustzone/index.php) and the prevalence of ARM devices\r\non mobile platforms, millions of devices now contain an implementation of TrustZone. However, the current\r\ndrivers for TrustZone adoption primarily relate to vendor lock-in and Digital Rights Management (DRM), rather than\r\nincreasing the difficulty of compromising user data. Further, due to the TZ architecture, the inclusion of DRM\r\nprotections provides a net reduction in the real-world security provided to the device owner.\r\nIn this talk, we provide an overview of the ARM TrustZone architecture as utilized by modern Android,\r\nBlackberry, and Windows phones. We discuss its potential, its current use cases, its shortcomings, and its impact\r\non the security of modern phones. At this point, we dive into the details of the Qualcomm implementation, which\r\nis utilized on the flagship mobile devices from each major vendor, excluding Apple. Specifically, we cover\r\nvulnerabilities in codebases from Qualcomm, OEM vendors, and third parties, as well as attack surface,\r\nexploitation pathways, difficulties, and successes.\r\nGet the slides here.\r\nSource: https://usmile.at/symposium/program/2015/thomas-holmes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://usmile.at/symposium/program/2015/thomas-holmes"
	],
	"report_names": [
		"thomas-holmes"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f5fbc0352480b4b681e80c7a6788de1d05a4ba4.pdf",
		"text": "https://archive.orkl.eu/5f5fbc0352480b4b681e80c7a6788de1d05a4ba4.txt",
		"img": "https://archive.orkl.eu/5f5fbc0352480b4b681e80c7a6788de1d05a4ba4.jpg"
	}
}