Reversing and Fuzzing the Google Titan M Chip

Reversing and Offensive-Oriented Trends Symposium Pub Date : 2021-11-18 DOI:10.1145/3503921.3503922

Damiano Melotti, Maxime Rossi-Bellom, Andrea Continella

{"title":"Reversing and Fuzzing the Google Titan M Chip","authors":"Damiano Melotti, Maxime Rossi-Bellom, Andrea Continella","doi":"10.1145/3503921.3503922","DOIUrl":null,"url":null,"abstract":"Google recently introduced a secure chip called Titan M in its Pixel smartphones, enabling the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore, studying their security lays the basis of the trust we have in their features. In this paper, we provide the first security analysis of Titan M. First, we reverse engineer the firmware and we review the open source code in the Android OS that is responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory layout and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer. Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we identify and report a new vulnerability in the latest version of the firmware.","PeriodicalId":379610,"journal":{"name":"Reversing and Offensive-Oriented Trends Symposium","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Reversing and Offensive-Oriented Trends Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3503921.3503922","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Google recently introduced a secure chip called Titan M in its Pixel smartphones, enabling the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore, studying their security lays the basis of the trust we have in their features. In this paper, we provide the first security analysis of Titan M. First, we reverse engineer the firmware and we review the open source code in the Android OS that is responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory layout and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer. Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we identify and report a new vulnerability in the latest version of the firmware.

查看原文本刊更多论文

逆转和模糊谷歌泰坦M芯片

谷歌最近在其Pixel智能手机中推出了一款名为Titan M的安全芯片，可以在防篡改硬件中实现可信执行环境(TEE)。通过保护特定的安全敏感操作，tee已被证明可以有效地减少智能手机暴露的攻击面。然而，研究表明TEE代码和执行也可以被攻击者瞄准和利用，因此，研究它们的安全性是我们对其特性信任的基础。在本文中，我们首次对Titan m进行了安全分析。首先，我们对其固件进行了逆向工程，并回顾了Android操作系统中负责与芯片通信的开源代码。通过利用已知的漏洞，我们然后动态检查内存布局和芯片的内部。最后，利用所获得的知识，我们设计并实现了一个结构感知的黑盒模糊器。使用我们的模糊器，经过几秒钟的测试，我们重新发现了几个已知的漏洞，证明了我们的解决方案的有效性。此外，我们在最新版本的固件中发现并报告了一个新的漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Reversing and Offensive-Oriented Trends Symposium

自引率

0.00%

发文量