leveldown security Thomas Roth Next generation mobile rootkits Hack In Paris 2013 http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Hi! • Thomas Roth • Embedded security (Payment terminals etc.) • Distributed computing (and breaking) • Web-stuff • Social: @stacksmashing http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Prologue Mobile rootkits & Trustzone http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth What are we protecting? Communication Data Payment TrackingCredentials http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth In the wild • CarrierIQ (Usage statistics) • FinFisher (Governmental surveillance) • Cloaker (Research) http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Where do they hide? CPU Baseband Memory http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Where do they hide? CPU Baseband Memory TrustZone http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Short ARM intro • 32-bit RISC architecture • All instructions 32 bit long • Except in “Thumb-mode”, 16-bit instructions • Peripherals are mapped in memory (i.e. IOs at 0x40000000) • CP15 = System Control Coprocessor • Controls features like MMU, power saving, caches ... http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth ARM TrustZone • Allows the processor to switch into a “secure mode” • Secure access to screen, keyboard and other peripherals • Tries to protect against: “...malware, trojans and rootkits” • So called TEEs (Trusted Execution Environments) run in it • Introduced with ARMv6KZ Source for quotes: http://www.arm.com/products/processors/technologies/trustzone.php http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://www.arm.com/products/processors/technologies/trustzone.php http://www.arm.com/products/processors/technologies/trustzone.php leveldown security Thomas Roth ARM TrustZone • Allows the processor to switch into a “secure mode” • Secure access to screen, keyboard and other peripherals • Tries to protect against: “...malware, trojans and rootkits” • So called TEEs (Trusted Execution Environments) run in it • Introduced with ARMv6KZ Source for quotes: http://www.arm.com/products/processors/technologies/trustzone.php http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://www.arm.com/products/processors/technologies/trustzone.php http://www.arm.com/products/processors/technologies/trustzone.php leveldown security Thomas Roth ARM TrustZone • Splits the CPU into two worlds: Secure and normal • Communication between both worlds via shared memory mappings • State of the CPU is indicated to peripherals using a bit on AXB/AHB • Allowing secure-only on- & off-chip peripherals http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Trusted Execution Environments • Small operating system running in TrustZone and providing services to the ‘real’ operating system/apps • You write apps for them and pay ??? to integrate them • Use them via a driver in your operating system • Drivers are often open-source http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas RothSource: http://www.anandtech.com/show/4480/ti-omap4-first-to-be-awarded-netflix-hd-1080p-hd-sri-certification Example: Netflix • Netflix requires a device-certification • For SD, the device just needs to be fast enough to play video • For HD, the labels require ‘end-to-end’ DRM, so that the video-stream can’t be grabbed at any time • Video decoding running in TrustZone with direct access to screen, no way to record it from Android http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://www.anandtech.com/show/4480/ti-omap4-first-to-be-awarded-netflix-hd-1080p-hd-sri-certification http://www.anandtech.com/show/4480/ti-omap4-first-to-be-awarded-netflix-hd-1080p-hd-sri-certification leveldown security Thomas Roth Attacker Model • Protect against: • Device owners (DRM and other copy protection methods) • Malware (Steal PayPass informations from the device) • Freedom http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth How does it work? • A second register set to the first CPU core • Mode switch from normal world: • SMC instruction (Secure Monitor Call) • Hardware exception (IRQ, FIQ, etc.) • NS bits on the internal bus (AXI/AHB) for indicating state to peripherals http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas RothDiagram inspired by: http://www.arm.com/products/processors/technologies/trustzone.php How does it work? Normal World Secure World Monitor Mode SMC instruction or Hardware exception Privileged modes User mode Privileged modes User mode http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://www.arm.com/products/processors/technologies/trustzone.php http://www.arm.com/products/processors/technologies/trustzone.php leveldown security Thomas Roth How does it actually work? Standard CPU modes User, FIQ, IRQ, SVC ... SMC Mode Hardware interrupt/SMC call State handling & NS-bit http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth How does it actually work? • SMC: (Always has the NS bit enabled) • Detect whether coming from normal or secure world • Store registers of current world • Load registers of new world • Toggle NS bit • Give execution to new world http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Memory in TrustZone Normal World Secure World TrustZone enabled MMU Normal-world memory Secure-only memoryShared http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Memory in TrustZone • Normal-world only sees its own memory as well as the shared segment • Secure-world can access everything http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Memory in TrustZone • Normal-world only sees its own memory as well as the shared segment • Secure-world can access everything I guess you see why this is could useful... http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Boot process Start 1. stage bootloader (ROM) 2. stage bootloader (Flash) Hardware abstraction Integrity verification of 2. stage bootloader Initialization of TrustZone + TrustZone Kernel Lockdown of TrustZone Load & configure OS Operating System Android Windows ... http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Boot process Start 1. stage bootloader (ROM) 2. stage bootloader (Flash) Hardware abstraction Integrity verification of 2. stage bootloader Initialization of TrustZone + TrustZone Kernel Lockdown of TrustZone Load & configure OS Operating System Android Windows ... T R U S T E D http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth By the way • “Unlocking” a bootloader does not mean that you can do what you want. • Most hardware vendors still lockdown a significant part of the boot chain, locking you out of TrustZone. http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Hardware support • All modern smartphone CPUs: • Qualcomm Snapdragon • TI OMAP • ... http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth So basically... • The vendor installs a small operating system in a part of the CPU • This OS can do -anything- and third party apps are installed in it http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth So basically... • The vendor installs a small operating system in a part of the CPU • This OS can do -anything- and third party apps are installed in it What could possibly go wrong? http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Chapter 1 Building a rootkit in TrustZone http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security What? • Super small rootkit that runs in TrustZone (and now even in SMC!) • First TrustZone rootkit • Implemented entirely in assembler • (Compilers are for losers) http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Why? • It’s fun! • People haven’t talked about the problems that come with TrustZone • The ‘trusted’ in Trusted Computing is not only about the user trusting the hardware, but also about the vendor distrusting the user http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Why? http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Where to test? • Developing on actual hardware: • Need an OMAP HS (not GP) Dev-board • Beagleboards & co (OMAP) switch to normal world in ROM • (Hardware is locked down with strong keys) http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Where to test? • Software emulation: • QEMU supports ARM • Paper “A flexible software development and emulation framework for ARM TrustZone” • “qemu-trustzone” • Johannes Winter, Paul Wiegele, Martin Pirker, and Ronald Toegl • Open-source (GPL) TEE by sierraware (Open Virtualization) http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Where to test? • Using hardware hack for $vendor to execute code in TrustZone http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Where to test? • Let’s just hack into a TEE! http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Getting a binary-image of a TEE • Firmware updates are signed, but not encrypted. • Firmware updates are often downloaded via HTTP. • Vendors have ‘hidden’ FTP-servers. http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Workflow • Disassemble bootloader • IDA Pro & co can’t just find code parts, need to analyze by hand & with scripts • Analyze coprocessor instructions to find memory layout • (almost automated) http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Looking for mitigations http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Looking for mitigations • No ASLR • No DEP (NX) • Executable heap, stack, data, everything http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Exploiting like it’s 1999 Yeah Baby! http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Let’s talk about strncpy • strncpy(char *destination, char *source, size_t destination_size); • strncpy sucks, it only NUL-terminates if: • strlen(destination) < destination_size • (Please, use strlcpy. Also, did I mention I do code reviews?) • Still often pretty hard to exploit. Thomas Roth http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Where to test? • Official boards seem to be hard to obtain • QEMU • On smartphone via hardware hack • On smartphone via software exploit Thomas Roth http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Scheduling the rootkit • Switch to monitor mode in (ir)regular intervals without help of the operating system • The latency induced by the switch to the rootkit must be kept as low as possible http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Latency Normal world interrupt/SMC Monitor code Rootkit scheduler Monitor code Back to normal world http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Latency Normal world interrupt/SMC Monitor code Rootkit scheduler Monitor code Back to normal world http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas RothSource: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/CACCDCDH.html Scheduling the rootkit • ARM actually gives tips for running TrustZone invisible to the normal world: Does the Secure world care about direct or indirect Normal world visibility of its execution? If yes, then consider obfuscating interrupt timing, disabling Non-secure access to the Performance Counters, and performing selective cache maintenance on critical address ranges on world switch. http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/CACCDCDH.html http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/CACCDCDH.html leveldown security Thomas Roth Scheduling the rootkit • How is control transferred to the monitor mode? • IRQ? Used a lot by the OS & can be masked by normal world • External abort? Too unreliable & environment dependent • FIQ? Can be locked down (NMI) • Overwrite the interrupt vector (like Cloaker does) • TZIC - TrustZone Interrupt Controller http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth IRQ ‘interception’ IRQ Triggered Monitor saves state Rootkit executes Monitor restores state “Real” IRQ handler is called http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Boot process 1.Setup secure-world 2.Setup monitor 3.Lockdown TrustZone (Switch to normal world) 4.Start operating system/bootloader http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Boot process 1.Setup secure-world 2.Setup monitor 3.Lockdown TrustZone (Switch to normal world) 4.Start operating system/bootloader http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Secure World Memory Setup • Create page table for secure world • Turn on MMU • Configure stack • Recommendation if no TEE is already available: • Use physical address space next to a hardware mapping http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Secure World Initialization • Run initialization-routine of rootkit • Configure ‘system-call’ facility of rootkit (IRQ) • Load and create contexts for modules http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Secure World • Uses a timer-based slice ‘scheduler’ by default to keep time ~constant • (Timing by TZIC - TrustZone Interrupt Controller) • Store files in secure storage if available http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Boot process 1.Setup secure-world 2.Setup monitor 3.Lockdown TrustZone (Switch to normal world) 4.Start operating system/bootloader http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Monitor • Store normal world register banks and switch on NS bit • Execute rootkit scheduler • Store secure world register banks and switch off NS bit http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Monitor • Check if coming from normal or secure world: • mrc p15, 0, r0, c1, c1, 0 • tst r0 • beq to_normal • bne to_secure http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Monitor • Storing the state of all register banks: STMIA r0!, {r0 - r13} CPS 0x19 ; SVC mode STMIA r0!, {r1, r13, lr} ... for all processor modes • ... And vice versa for restoring the register banks http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Monitor • Be aware of cache + pipeline stuff! • Use pipeline-flushing instructions • Be sure to have your cache configuration right http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Monitor setup • Configure TCM for latency reduction • Setup the interrupt interception mechanism • (Set IRQ to secure in SCR (Secure Configuration Register)) http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Boot process 1.Setup secure-world 2.Setup monitor 3.Lockdown TrustZone (Switch to normal world) 4.Start operating system/bootloader http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Lockdown: SCR • Security Configuration Register (C1 C1 on CP15) • Disable modification of A & F bit in CPSR from Normal • World for External Abort, FIQ, IRQ • Actual NS bit http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Lockdown: SCR • Sample configuration: • mov r0, #0x3E • mcr p15, 0, r0, c1, c1, 0 • Sets world for IRQ + FIQ to secure • I decided to let the normal world mask the interrupts • (Avoid suspicion) http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Lockdown • Depending on the hardware, some other configurations might be needed, too • i.e. External storage may requires configuration to know which part is only accessible as secure • TZPC (TrustZone Protection Controller) configuration http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Boot process 1.Setup secure-world 2.Setup monitor 3.Lockdown TrustZone (Switch to normal world) 4.Start operating system/bootloader http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Start operating system • TrustZone is configured and ready to go • Operating system + loader starts unmodified • Nothing to see here, move along! http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Real world problems • $vendor does power management setup in TrustZone • Had to integrate vendor blob into custom TZ image http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Chapter 2 It boots! And now? http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth We... • Have an execution environment that is entirely separated from the normal OS • Configured the CPU and its peripherals to hide any traces from our existence • Get control of the CPU regularly http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth We can... • access all user data • manipulate memory of everything • communicate (kind of) http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Yay! http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Communication • Difficult • Talk to baseband • Access to UMTS, which at least very difficult to sniff • Create IP packets by directly talking to the network hardware • See Cloaker paper • Suspicious and easily detected http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth What else to do? • There’s quite some secret stuff in TrustZone implementations • http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Installation in the wild • Via exploit in app • Vendor delivered (either during manufacturing or by FW update) • Baseband attack http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Interoperability • Ports to new hardware can be done in under a week: • TrustZone is almost the same on all platforms • Mostly peripherals and memory stuff differs • TEE may has to be integrated, too • Easy to do, i.e. modify OpenVirtualization TEE or binary patch http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Detection methods • Latency • Be paranoid and only use phones that don’t have TrustZone • Good luck with that one. http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ leveldown security Thomas Roth Thank you! • Any questions? • Thomas Roth - thomas.roth@leveldown.de - @stacksmashing • Slides: http://leveldown.de/hip_2013.pdf http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ http://leveldown.de/ mailto:thomas.roth@leveldown.de mailto:thomas.roth@leveldown.de http://leveldown.de/hip_2013.pdf http://leveldown.de/hip_2013.pdf