Reversing and Fuzzing the Google Titan M Chip
Saved in:
| Title: | Reversing and Fuzzing the Google Titan M Chip |
|---|---|
| Authors: | Melotti, Damiano, Rossi-Bellom, Maxime, Continella, Andrea |
| Source: | Reversing and Offensive-oriented Trends Symposium. :1-10 |
| Publisher Information: | ACM, 2021. |
| Publication Year: | 2021 |
| Subject Terms: | Cybersecurity, Trusted Execution Environments, Reverse Engineering, Vulnerability Research, Fuzzing, 0202 electrical engineering, electronic engineering, information engineering, 22/1 OA procedure, 02 engineering and technology, Android Security |
| Description: | Google recently introduced a secure chip called Titan M in its Pixel smartphones, enabling the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore, studying their security lays the basis of the trust we have in their features. In this paper, we provide the first security analysis of Titan M. First, we reverse engineer the firmware and we review the open source code in the Android OS that is responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory layout and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer. Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we identify and report a new vulnerability in the latest version of the firmware. |
| Document Type: | Article Conference object |
| DOI: | 10.1145/3503921.3503922 |
| Rights: | URL: https://www.acm.org/publications/policies/copyright_policy#Background |
| Accession Number: | edsair.doi.dedup.....b0a42a111d2d19dd115412a13cead00b |
| Database: | OpenAIRE |
Nájsť tento článok vo Web of Science | Abstract: | Google recently introduced a secure chip called Titan M in its Pixel smartphones, enabling the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore, studying their security lays the basis of the trust we have in their features. In this paper, we provide the first security analysis of Titan M. First, we reverse engineer the firmware and we review the open source code in the Android OS that is responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory layout and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer. Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we identify and report a new vulnerability in the latest version of the firmware. |
|---|---|
| DOI: | 10.1145/3503921.3503922 |