| skipped 8 lines |
| 9 | 9 | | - Attacking the ARM's TrustZone |
| 10 | 10 | | - https://blog.quarkslab.com/attacking-the-arms-trustzone.html |
| 11 | 11 | | |
| 12 | | - | - Secure initialization of TEEs: when secure boot falls short (EuskalHack 2017) |
| 13 | | - | - https://www.riscure.com/uploads/2017/08/euskalhack_2017_-_secure_initialization_of_tees_when_secure_boot_falls_short.pdf |
| | 12 | + | - ARM TrustZone Security Whitepaper |
| | 13 | + | - http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf |
| 14 | 14 | | |
| 15 | | - | - Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM |
| 16 | | - | - https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html#amlogic-s905-soc-bypassing-not-so |
| | 15 | + | - Web Site ARM TrustZone |
| | 16 | + | - https://developer.arm.com/ip-products/security-ip/trustzone |
| | 17 | + | |
| | 18 | + | - TrustZone Explained: Architectural Features and Use Cases |
| | 19 | + | - http://sefcom.asu.edu/publications/trustzone-explained-cic2016.pdf |
| 17 | 20 | | |
| 18 | | - | - Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A.Machiry) 2017 |
| 19 | | - | - https://pdfs.semanticscholar.org/f62b/db9f1950329f59dc467238737d2de1a1bac4.pdf (slides) |
| 20 | | - | - http://sites.cs.ucsb.edu/~cspensky/pdfs/ndss17-final227.pdf (paper) |
| | 21 | + | - Trustworthy Execution on Mobile Devices |
| | 22 | + | - https://netsec.ethz.ch/publications/papers/paper-hyperphone-TRUST-2012.pdf |
| 21 | 23 | | |
| 22 | 24 | | - Nick Stephens : how does someone unlock your phone with nose. (give big picture of NWd <> SWd communications and exploits) |
| 23 | 25 | | - https://fr.slideshare.net/GeekPwnKeen/nick-stephenshow-does-someone-unlock-your-phone-with-nose |
| 24 | 26 | | |
| | 27 | + | # TEE Exploits/Security Analysis |
| 25 | 28 | | |
| 26 | | - | |
| 27 | | - | ### Motorola |
| 28 | | - | |
| 29 | | - | - Unlocking the Motorola Bootloader (10/02/2016) |
| 30 | | - | - http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html |
| 31 | | - | |
| 32 | | - | ### Huawei |
| | 29 | + | ## HiSilicon/Huawei (TrustedCore) |
| 33 | 30 | | |
| 34 | 31 | | - Exploiting Trustzone on Android (BH-US 2015) by Di Shen(@returnsme) |
| 35 | 32 | | - https://www.blackhat.com/docs/us-15/materials/us-15-Shen-Attacking-Your-Trusted-Core-Exploiting-Trustzone-On-Android-wp.pdf |
| skipped 5 lines |
| 41 | 38 | | - Nailgun: Break the privilege isolation in ARM devices (PoC #2 only) |
| 42 | 39 | | - https://github.com/ningzhenyu/nailgun |
| 43 | 40 | | |
| 44 | | - | ### QSEE |
| | 41 | + | ## Qualcomm (QSEE) |
| 45 | 42 | | |
| 46 | 43 | | - Reflections on Trusting TrustZone (2014) |
| 47 | 44 | | - https://www.blackhat.com/docs/us-14/materials/us-14-Rosenberg-Reflections-on-Trusting-TrustZone.pdf |
| skipped 37 lines |
| 85 | 82 | | - The road to Qualcomm TrustZone apps fuzzing (RECON Montreal 2019) |
| 86 | 83 | | - https://cfp.recon.cx/media/tz_apps_fuzz.pdf |
| 87 | 84 | | |
| | 85 | + | - Downgrade Attack on TrustZone |
| | 86 | + | - http://ww2.cs.fsu.edu/~ychen/paper/downgradeTZ.pdf |
| 88 | 87 | | |
| 89 | | - | ### Samsung |
| | 88 | + | ### Motorola (Qualcomm SoC) |
| 90 | 89 | | |
| 91 | | - | #### Kinibi & MobiCore |
| | 90 | + | - Unlocking the Motorola Bootloader (10/02/2016) |
| | 91 | + | - http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html |
| | 92 | + | |
| | 93 | + | ### HTC (Qualcomm SoC) |
| | 94 | + | |
| | 95 | + | - Here Be Dragons: Vulnerabilities in TrustZone (14/08/2014) |
| | 96 | + | - https://atredispartners.blogspot.com/2014/08/here-be-dragons-vulnerabilities-in.html |
| | 97 | + | |
| | 98 | + | ## Trustonic (Kinibi & MobiCore) |
| 92 | 99 | | |
| 93 | 100 | | - Unbox Your Phone:Parts I, II & III |
| 94 | 101 | | - https://medium.com/taszksec/unbox-your-phone-part-i-331bbf44c30c |
| skipped 5 lines |
| 100 | 107 | | - KINIBI TEE: Trusted Application Exploitation (2018-12-10) |
| 101 | 108 | | - https://www.synacktiv.com/posts/exploit/kinibi-tee-trusted-application-exploitation.html |
| 102 | 109 | | |
| 103 | | - | - Reverse Engineering Samsung S6 SBOOT - Part I & II |
| 104 | | - | - https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-i.html |
| 105 | | - | - https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-ii.html |
| 106 | | - | |
| 107 | 110 | | - TEE Exploitation on Samsung Exynos devices by Eloi Sanfelix: Parts I, II, III, IV |
| 108 | 111 | | - https://labs.bluefrostsecurity.de/blog/2019/05/27/tee-exploitation-on-samsung-exynos-devices-introduction/ |
| 109 | 112 | | - https://labs.bluefrostsecurity.de/files/TEE.pdf |
| skipped 1 lines |
| 111 | 114 | | - Breaking Samsung's ARM TrustZone (BlackHat USA 2019) |
| 112 | 115 | | - https://i.blackhat.com/USA-19/Thursday/us-19-Peterlin-Breaking-Samsungs-ARM-TrustZone.pdf |
| 113 | 116 | | |
| 114 | | - | #### TEEGRIS |
| | 117 | + | ## Samsung (TEEGRIS) |
| 115 | 118 | | |
| 116 | 119 | | - Reverse-engineering Samsung Exynos 9820 bootloader and TZ by @astarasikov |
| 117 | 120 | | - http://allsoftwaresucks.blogspot.com/2019/05/reverse-engineering-samsung-exynos-9820.html |
| 118 | 121 | | |
| 119 | | - | ## TEE Videos |
| | 122 | + | ## Apple (Secure Enclave) |
| | 123 | + | |
| | 124 | + | - Demystifying the Secure Enclave Processor by Tarjei Mandt, Mathew Solnik, and David Wang |
| | 125 | + | - http://mista.nu/research/sep-paper.pdf |
| | 126 | + | - *slides* https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf |
| | 127 | + | |
| | 128 | + | ## Intel (Intel SGX) |
| | 129 | + | |
| | 130 | + | - Intel SGX Explained by Victor Costan and Srinivas Devadas |
| | 131 | + | - https://css.csail.mit.edu/6.858/2017/readings/costan-sgx.pdf |
| | 132 | + | |
| | 133 | + | # TEE Secure Boot |
| | 134 | + | |
| | 135 | + | - Reverse Engineering Samsung S6 SBOOT - Part I & II |
| | 136 | + | - https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-i.html |
| | 137 | + | - https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-ii.html |
| | 138 | + | |
| | 139 | + | - Secure initialization of TEEs: when secure boot falls short (EuskalHack 2017) |
| | 140 | + | - https://www.riscure.com/uploads/2017/08/euskalhack_2017_-_secure_initialization_of_tees_when_secure_boot_falls_short.pdf |
| | 141 | + | |
| | 142 | + | - Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM |
| | 143 | + | - https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html#amlogic-s905-soc-bypassing-not-so |
| | 144 | + | |
| | 145 | + | - Qualcomm Secure Boot and Image Authentication Technical Overview |
| | 146 | + | - https://www.qualcomm.com/documents/secure-boot-and-image-authentication-technical-overview-v20 |
| | 147 | + | |
| | 148 | + | # TEE Videos |
| 120 | 149 | | |
| 121 | 150 | | - Ekoparty-13 (2017) Daniel Komaromy - Unbox Your Phone - Exploring and Breaking Samsung's TrustZone SandBoxes |
| 122 | 151 | | - video: https://www.youtube.com/watch?v=L2Mo8WcmmZo |
| skipped 6 lines |
| 129 | 158 | | - https://www.youtube.com/watch?v=QFFhdqP7Dxg |
| 130 | 159 | | - https://www.youtube.com/watch?v=MdoGCXGHGnY |
| 131 | 160 | | |
| | 161 | + | - 34C3 2017 - Console Security - Switch by Plutoo, Derrek and Naehrwert |
| | 162 | + | - https://media.ccc.de/v/34c3-8941-console_security_-_switch |
| | 163 | + | |
| | 164 | + | - 34C3 2017 - TrustZone is not enough by Pascal Cotret |
| | 165 | + | - https://media.ccc.de/v/34c3-8831-trustzone_is_not_enough |
| | 166 | + | |
| | 167 | + | - RootedCON 2017 - What your mother never told you about Trusted Execution Environment... by José A. Rivas |
| | 168 | + | - *audio Spanish original* https://www.youtube.com/watch?v=lzrIzS84mdk |
| | 169 | + | - *English translation* https://www.youtube.com/watch?v=Lzb5OfE1M7s |
| | 170 | + | |
| 132 | 171 | | - BH US 2015 - Fingerprints On Mobile Devices: Abusing And Leaking |
| 133 | 172 | | - https://www.youtube.com/watch?v=7NkojB9gLXM |
| 134 | 173 | | |
| skipped 1 lines |
| 136 | 175 | | - video: *audio Spanish only* https://vimeo.com/150787883 |
| 137 | 176 | | - slides: https://t.co/vFATxEa7sy |
| 138 | 177 | | |
| 139 | | - | ## Tools |
| | 178 | + | - BH US 2014 - Reflections on Trusting TrustZone by Dan Rosenberg |
| | 179 | + | - https://www.youtube.com/watch?v=7w40mS5yLjc |
| 140 | 180 | | |
| 141 | | - | ### Emulate |
| | 181 | + | # Tools |
| | 182 | + | |
| | 183 | + | ## Emulate |
| 142 | 184 | | |
| 143 | 185 | | - QEMU Support for Exynos9820 S-Boot |
| 144 | 186 | | - https://github.com/astarasikov/qemu |
| skipped 1 lines |
| 146 | 188 | | - Emulating Exynos 4210 BootROM in QEMU |
| 147 | 189 | | - https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html#emulating-exynos-4210-bootrom-in-qemu |
| 148 | 190 | | |
| 149 | | - | ### Reverse |
| | 191 | + | ## Reverse |
| 150 | 192 | | |
| 151 | 193 | | - TZAR unpacker |
| 152 | 194 | | - https://gist.github.com/astarasikov/f47cb7f46b5193872f376fa0ea842e4b#file-unpack_startup_tzar-py |
| skipped 4 lines |
| 157 | 199 | | - Ghidra MCLF Loader |
| 158 | 200 | | - https://github.com/NeatMonster/mclf-ghidra-loader |
| 159 | 201 | | |
| | 202 | + | # Other useful resources |
| | 203 | + | |
| | 204 | + | - ARM Trusted Firmware: reference implementation of secure world for Cortex A and Cortex M |
| | 205 | + | - https://www.trustedfirmware.org/ |
| | 206 | + | |
| | 207 | + | - OP-TEE: open source ARM TrusZone based TEE |
| | 208 | + | - https://www.op-tee.org/ |
| | 209 | + | |
| | 210 | + | - Trust Issues: Exploiting TrustZone TEEs by Project Zero Team |
| | 211 | + | - https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html |
| | 212 | + | |
| | 213 | + | - Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A.Machiry) 2017 |
| | 214 | + | - https://pdfs.semanticscholar.org/f62b/db9f1950329f59dc467238737d2de1a1bac4.pdf (slides) |
| | 215 | + | - http://sites.cs.ucsb.edu/~cspensky/pdfs/ndss17-final227.pdf (paper) |
| | 216 | + | |
Eduardo Novella
committed
with
GitHub
5 years ago