IlluminaTEE: Effective Man-At-The-End Attacks from within ARM TrustZone

Schulze SM, Lindenmeier C, Röckl J, Freiling F (2024)
Publication Type: Conference contribution

Publication year: 2024

Publisher: ACM

Pages Range: 11-21

Conference Proceedings Title: CheckMATE '24: Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks

Event location: Salt Lake City, UT, US

DOI: 10.1145/3689934.3690838

Abstract

To break the end-to-end encryption used by apps (e.g., messengers) today, attackers must obtain code execution directly on an end device in order to access data before it is encrypted, resulting in Man-At-The-End (MATE) attacks. The effectiveness of such attacks rises with the privilege level at which the code executes, e.g., the system or hypervisor level, employing techniques such as virtual machine introspection (VMI). Another option for performing MATE attacks is to place software in trusted execution environments (TEEs), since on many platforms these have the highest privilege while also providing security guarantees. However, unlike hypervisors, TEEs were primarily built to achieve isolation, not introspection. For this reason, TEEs usually lack technical means such as hardware breakpoints, which appears to limit the possibilities for fine-grained system monitoring. By presenting IlluminaTEE, a sophisticated TEE-based introspection tool, we show that TEE-based introspection is as powerful as VMI. By applying a novel technique that we call state-change trapping, we show that IlluminaTEE can extract highly ephemeral personal data from arbitrary applications. We implement IlluminaTEE as an extension to the TEE firmware of real hardware running a stock version of Android and demonstrate that we can extract the encryption keys of the Signal messenger, one of the most ephemeral and privacy-critical pieces of data existing on personal devices today. This highlights the need to implement better software protection mechanisms to mitigate the risks posed by powerful MATE attackers.

How to cite

APA:

Schulze, S.M., Lindenmeier, C., Röckl, J., & Freiling, F. (2024). IlluminaTEE: Effective Man-At-The-End Attacks from within ARM TrustZone. In Schrittwieser S, Ianni M (Eds.), CheckMATE '24: Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks (pp. 11-21). Salt Lake City, UT, US: ACM.

MLA:

Schulze, Sven Matti, et al. "IlluminaTEE: Effective Man-At-The-End Attacks from within ARM TrustZone." CheckMATE '24: Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks, Salt Lake City, UT, edited by Schrittwieser S and Ianni M, ACM, 2024, pp. 11-21.