Abusing Trust: Mobile Kernel Subversion via TrustZone Rootkits

The Arm TrustZone is the de facto standard for hardware-backed Trusted Execution Environments (TEEs) on mobile devices, providing isolation for secure computations to be shielded from the normal world, and thus from the rest of the system. Most real-world TEEs are proprietary, difficult-to-inspect, and notoriously insecure: In the past years, it has been demonstrated over and over again that TEEs of millions of devices worldwide, and the Trusted Applications (TAs) they harbor, are often vulnerable to attacks such as control flow hijacking. Not only do we have to trust these TEEs to provide a secure environment for TAs such as keystore and Digital Rights Management (DRM), code running in the secure world provided by the Arm TrustZone also has full access to the memory of the regular operating system (OS). Since Thomas Roth first proposed a TrustZone-based rootkit in 2013, progress regarding such rootkits seems to have stalled in the offensive research community. The biggest challenge for TrustZone rootkits is that no interpretation of normal world memory is available in the secure world. Automated reverse engineering of kernel data structures at runtime is one way to implement rootkit functions. We present mechanisms to engineer the interpretation of Linux kernel memory for malicious subversion and the circumvention of basic protection mechanisms from the secure world. We provide a fully working proof-of-concept rootkit located in the Arm TrustZone to demonstrate the proposed mechanisms. We evaluate and show compatibility of the rootkit across different versions of the Linux kernel despite changing data structures. Our results highlight the feasibility of TrustZone rootkits that potentially survive kernel updates and raise awareness about the real danger of having to put trust into unvetted proprietary vendor code, which, as we show, can easily be abused.