| skipped 8 lines |
9 | 9 | | - Attacking the ARM's TrustZone |
10 | 10 | | - https://blog.quarkslab.com/attacking-the-arms-trustzone.html |
11 | 11 | | |
12 | | - | - Secure initialization of TEEs: when secure boot falls short (EuskalHack 2017) |
13 | | - | - https://www.riscure.com/uploads/2017/08/euskalhack_2017_-_secure_initialization_of_tees_when_secure_boot_falls_short.pdf |
| 12 | + | - ARM TrustZone Security Whitepaper |
| 13 | + | - http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf |
14 | 14 | | |
15 | | - | - Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM |
16 | | - | - https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html#amlogic-s905-soc-bypassing-not-so |
| 15 | + | - Web Site ARM TrustZone |
| 16 | + | - https://developer.arm.com/ip-products/security-ip/trustzone |
| 17 | + | |
| 18 | + | - TrustZone Explained: Architectural Features and Use Cases |
| 19 | + | - http://sefcom.asu.edu/publications/trustzone-explained-cic2016.pdf |
17 | 20 | | |
18 | | - | - Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A.Machiry) 2017 |
19 | | - | - https://pdfs.semanticscholar.org/f62b/db9f1950329f59dc467238737d2de1a1bac4.pdf (slides) |
20 | | - | - http://sites.cs.ucsb.edu/~cspensky/pdfs/ndss17-final227.pdf (paper) |
| 21 | + | - Trustworthy Execution on Mobile Devices |
| 22 | + | - https://netsec.ethz.ch/publications/papers/paper-hyperphone-TRUST-2012.pdf |
21 | 23 | | |
22 | 24 | | - Nick Stephens : how does someone unlock your phone with nose. (give big picture of NWd <> SWd communications and exploits) |
23 | 25 | | - https://fr.slideshare.net/GeekPwnKeen/nick-stephenshow-does-someone-unlock-your-phone-with-nose |
24 | 26 | | |
| 27 | + | # TEE Exploits/Security Analysis |
25 | 28 | | |
26 | | - | |
27 | | - | ### Motorola |
28 | | - | |
29 | | - | - Unlocking the Motorola Bootloader (10/02/2016) |
30 | | - | - http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html |
31 | | - | |
32 | | - | ### Huawei |
| 29 | + | ## HiSilicon/Huawei (TrustedCore) |
33 | 30 | | |
34 | 31 | | - Exploiting Trustzone on Android (BH-US 2015) by Di Shen(@returnsme) |
35 | 32 | | - https://www.blackhat.com/docs/us-15/materials/us-15-Shen-Attacking-Your-Trusted-Core-Exploiting-Trustzone-On-Android-wp.pdf |
| skipped 5 lines |
41 | 38 | | - Nailgun: Break the privilege isolation in ARM devices (PoC #2 only) |
42 | 39 | | - https://github.com/ningzhenyu/nailgun |
43 | 40 | | |
44 | | - | ### QSEE |
| 41 | + | ## Qualcomm (QSEE) |
45 | 42 | | |
46 | 43 | | - Reflections on Trusting TrustZone (2014) |
47 | 44 | | - https://www.blackhat.com/docs/us-14/materials/us-14-Rosenberg-Reflections-on-Trusting-TrustZone.pdf |
| skipped 37 lines |
85 | 82 | | - The road to Qualcomm TrustZone apps fuzzing (RECON Montreal 2019) |
86 | 83 | | - https://cfp.recon.cx/media/tz_apps_fuzz.pdf |
87 | 84 | | |
| 85 | + | - Downgrade Attack on TrustZone |
| 86 | + | - http://ww2.cs.fsu.edu/~ychen/paper/downgradeTZ.pdf |
88 | 87 | | |
89 | | - | ### Samsung |
| 88 | + | ### Motorola (Qualcomm SoC) |
90 | 89 | | |
91 | | - | #### Kinibi & MobiCore |
| 90 | + | - Unlocking the Motorola Bootloader (10/02/2016) |
| 91 | + | - http://bits-please.blogspot.com/2016/02/unlocking-motorola-bootloader.html |
| 92 | + | |
| 93 | + | ### HTC (Qualcomm SoC) |
| 94 | + | |
| 95 | + | - Here Be Dragons: Vulnerabilities in TrustZone (14/08/2014) |
| 96 | + | - https://atredispartners.blogspot.com/2014/08/here-be-dragons-vulnerabilities-in.html |
| 97 | + | |
| 98 | + | ## Trustonic (Kinibi & MobiCore) |
92 | 99 | | |
93 | 100 | | - Unbox Your Phone:Parts I, II & III |
94 | 101 | | - https://medium.com/taszksec/unbox-your-phone-part-i-331bbf44c30c |
| skipped 5 lines |
100 | 107 | | - KINIBI TEE: Trusted Application Exploitation (2018-12-10) |
101 | 108 | | - https://www.synacktiv.com/posts/exploit/kinibi-tee-trusted-application-exploitation.html |
102 | 109 | | |
103 | | - | - Reverse Engineering Samsung S6 SBOOT - Part I & II |
104 | | - | - https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-i.html |
105 | | - | - https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-ii.html |
106 | | - | |
107 | 110 | | - TEE Exploitation on Samsung Exynos devices by Eloi Sanfelix: Parts I, II, III, IV |
108 | 111 | | - https://labs.bluefrostsecurity.de/blog/2019/05/27/tee-exploitation-on-samsung-exynos-devices-introduction/ |
109 | 112 | | - https://labs.bluefrostsecurity.de/files/TEE.pdf |
| skipped 1 lines |
111 | 114 | | - Breaking Samsung's ARM TrustZone (BlackHat USA 2019) |
112 | 115 | | - https://i.blackhat.com/USA-19/Thursday/us-19-Peterlin-Breaking-Samsungs-ARM-TrustZone.pdf |
113 | 116 | | |
114 | | - | #### TEEGRIS |
| 117 | + | ## Samsung (TEEGRIS) |
115 | 118 | | |
116 | 119 | | - Reverse-engineering Samsung Exynos 9820 bootloader and TZ by @astarasikov |
117 | 120 | | - http://allsoftwaresucks.blogspot.com/2019/05/reverse-engineering-samsung-exynos-9820.html |
118 | 121 | | |
119 | | - | ## TEE Videos |
| 122 | + | ## Apple (Secure Enclave) |
| 123 | + | |
| 124 | + | - Demystifying the Secure Enclave Processor by Tarjei Mandt, Mathew Solnik, and David Wang |
| 125 | + | - http://mista.nu/research/sep-paper.pdf |
| 126 | + | - *slides* https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf |
| 127 | + | |
| 128 | + | ## Intel (Intel SGX) |
| 129 | + | |
| 130 | + | - Intel SGX Explained by Victor Costan and Srinivas Devadas |
| 131 | + | - https://css.csail.mit.edu/6.858/2017/readings/costan-sgx.pdf |
| 132 | + | |
| 133 | + | # TEE Secure Boot |
| 134 | + | |
| 135 | + | - Reverse Engineering Samsung S6 SBOOT - Part I & II |
| 136 | + | - https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-i.html |
| 137 | + | - https://blog.quarkslab.com/reverse-engineering-samsung-s6-sboot-part-ii.html |
| 138 | + | |
| 139 | + | - Secure initialization of TEEs: when secure boot falls short (EuskalHack 2017) |
| 140 | + | - https://www.riscure.com/uploads/2017/08/euskalhack_2017_-_secure_initialization_of_tees_when_secure_boot_falls_short.pdf |
| 141 | + | |
| 142 | + | - Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM |
| 143 | + | - https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html#amlogic-s905-soc-bypassing-not-so |
| 144 | + | |
| 145 | + | - Qualcomm Secure Boot and Image Authentication Technical Overview |
| 146 | + | - https://www.qualcomm.com/documents/secure-boot-and-image-authentication-technical-overview-v20 |
| 147 | + | |
| 148 | + | # TEE Videos |
120 | 149 | | |
121 | 150 | | - Ekoparty-13 (2017) Daniel Komaromy - Unbox Your Phone - Exploring and Breaking Samsung's TrustZone SandBoxes |
122 | 151 | | - video: https://www.youtube.com/watch?v=L2Mo8WcmmZo |
| skipped 6 lines |
129 | 158 | | - https://www.youtube.com/watch?v=QFFhdqP7Dxg |
130 | 159 | | - https://www.youtube.com/watch?v=MdoGCXGHGnY |
131 | 160 | | |
| 161 | + | - 34C3 2017 - Console Security - Switch by Plutoo, Derrek and Naehrwert |
| 162 | + | - https://media.ccc.de/v/34c3-8941-console_security_-_switch |
| 163 | + | |
| 164 | + | - 34C3 2017 - TrustZone is not enough by Pascal Cotret |
| 165 | + | - https://media.ccc.de/v/34c3-8831-trustzone_is_not_enough |
| 166 | + | |
| 167 | + | - RootedCON 2017 - What your mother never told you about Trusted Execution Environment... by José A. Rivas |
| 168 | + | - *audio Spanish original* https://www.youtube.com/watch?v=lzrIzS84mdk |
| 169 | + | - *English translation* https://www.youtube.com/watch?v=Lzb5OfE1M7s |
| 170 | + | |
132 | 171 | | - BH US 2015 - Fingerprints On Mobile Devices: Abusing And Leaking |
133 | 172 | | - https://www.youtube.com/watch?v=7NkojB9gLXM |
134 | 173 | | |
| skipped 1 lines |
136 | 175 | | - video: *audio Spanish only* https://vimeo.com/150787883 |
137 | 176 | | - slides: https://t.co/vFATxEa7sy |
138 | 177 | | |
139 | | - | ## Tools |
| 178 | + | - BH US 2014 - Reflections on Trusting TrustZone by Dan Rosenberg |
| 179 | + | - https://www.youtube.com/watch?v=7w40mS5yLjc |
140 | 180 | | |
141 | | - | ### Emulate |
| 181 | + | # Tools |
| 182 | + | |
| 183 | + | ## Emulate |
142 | 184 | | |
143 | 185 | | - QEMU Support for Exynos9820 S-Boot |
144 | 186 | | - https://github.com/astarasikov/qemu |
| skipped 1 lines |
146 | 188 | | - Emulating Exynos 4210 BootROM in QEMU |
147 | 189 | | - https://fredericb.info/2018/03/emulating-exynos-4210-bootrom-in-qemu.html#emulating-exynos-4210-bootrom-in-qemu |
148 | 190 | | |
149 | | - | ### Reverse |
| 191 | + | ## Reverse |
150 | 192 | | |
151 | 193 | | - TZAR unpacker |
152 | 194 | | - https://gist.github.com/astarasikov/f47cb7f46b5193872f376fa0ea842e4b#file-unpack_startup_tzar-py |
| skipped 4 lines |
157 | 199 | | - Ghidra MCLF Loader |
158 | 200 | | - https://github.com/NeatMonster/mclf-ghidra-loader |
159 | 201 | | |
| 202 | + | # Other useful resources |
| 203 | + | |
| 204 | + | - ARM Trusted Firmware: reference implementation of secure world for Cortex A and Cortex M |
| 205 | + | - https://www.trustedfirmware.org/ |
| 206 | + | |
| 207 | + | - OP-TEE: open source ARM TrusZone based TEE |
| 208 | + | - https://www.op-tee.org/ |
| 209 | + | |
| 210 | + | - Trust Issues: Exploiting TrustZone TEEs by Project Zero Team |
| 211 | + | - https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html |
| 212 | + | |
| 213 | + | - Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments (A.Machiry) 2017 |
| 214 | + | - https://pdfs.semanticscholar.org/f62b/db9f1950329f59dc467238737d2de1a1bac4.pdf (slides) |
| 215 | + | - http://sites.cs.ucsb.edu/~cspensky/pdfs/ndss17-final227.pdf (paper) |
| 216 | + | |