During the last year and a half, we (Damiano Melotti, Maxime Rossi Bellom & Philippe Teuwen) studied the Titan M, a security chip introduced by Google in their Pixel smartphones, starting from the Pixel 3.Among other events, we presented our results at Black Hat EU 2021, together with a whitepaper that contains all the background knowledge we acquired in the first part of this research.In this blog post, we dive into CVE-2022-20233, the latest vulnerability we found on the chip's firmware.First, we show how we found this vulnerability, using emulation-based fuzzing with AFL++ in Unicorn mode.Then, we go over the exploitation and its inherent challenges, that eventually led us to obtain code execution on the chip.
The Titan M was introduced by Google in their Pixel devices in 2018.The main goal was to reduce the attack surface available to attackers, mitigating hardware tampering and side-channel attacks.Indeed, the chip lies on a separate system-on-a-chip (SoC) in the device, runs its own firmware, and communicates with the Application Processor (AP) through the SPI bus.It implements several APIs that guarantee a higher level of protection for the most security sensitive features of the smartphone, such as secure boot or a hardware-backed Keystore with StrongBox.
Download Game Attack On Titan 1 Android Offline
Download 🔥 https://tinurll.com/2yGbOD 🔥
In the first steps of this research, we focused on reverse engineering the Titan M firmware, which is based on Embedded Controller (EC), a lightweight open source OS for micro-controllers.This OS is fairly simple, and is built around the concept of tasks, with a fixed stack size and no heap (so no complex dynamic allocation).This is an important point that will turn out to be useful later: the Titan M chip has essentially a static memory layout, therefore we can assume some objects to always be located at the same address.
The simplicity of the OS also helps when it comes to security, especially by completely eliminating some temporal memory safety bugs associated with dynamic allocation.In addition, thanks to it's Memory Protection Unit (MPU), the chip's memory is configured such that no Write and eXecute permissions are granted to a region at the same time.Secure boot is implemented thanks to some signature checks performed before loading the firmware.Despite these properties, no common exploit mitigation techniques can be found on the chip, except for a hardcoded stack canary that is placed at the end of the tasks' stacks to detect errors.This leaves Titan M fairly exposed to memory corruption vulnerabilities, therefore we decided to explore how to fuzz it and look for some of them.
As broadly known, fuzzing is an extremely effective way to find memory corruption bugs in code bases written in unsafe languages, such as C.However, fuzzing a security chip without access to the sources, and with plenty of hardware-dependent code, can be quite a challenge.We decided to explore two different techniques, namely black-box and emulation-based fuzzing.
We have already shown how to perform black-box fuzzing in our previous presentations, but briefly going over it again is useful to understand the differences with the other approach we explored.In general, black-box fuzzing of targets like Titan M can be quite simple: all we need is a channel to interact with what we want to test, and a way to tell if it crashes or reaches unexpected states.In our case, in the previous steps of this research, we had developed nosclient, a custom client that runs natively on Android and communicates directly with the kernel driver responsible for the communication with the chip.The possibility to send arbitrary messages gave us both the channel to communicate with Titan M, and the signal to infer what happened while processing them, represented by the return code from the library functions we use.
Most of the tasks communicating with Android use Protobuf to serialize messages.Therefore, we could leverage this grammar, accessible thanks to the open source definitions in the AOSP, to mutate these messages with libprotobuf-mutator.For Nugget, one of the tasks that is not using Protobuf, we used the evergreen Radamsa to generate our test cases.
This approach did bring some interesting results, which when it comes to fuzzing, can be measured in bugs.We could find again several bugs we already knew about, while fuzzing an older version of the firmware, including the buffer overflow we had exploited during last year's research.Moreover, we discovered two new crashes in the latest version of the firmware at the time, although both were caused by the same null pointer dereference, that was not considered serious enough to be a vulnerability and end up in an Android Security Bulletin.
Despite its relatively straightforward setup, and the advantage of testing in the real world, black-box fuzzing comes with a number of shortcomings.First of all, detection is extremely difficult, since we can only spot the bugs that cause crashes or faulty return codes.But most importantly, a well-known limitation is that black-box fuzzing tends to only exercise the targets' shallow states, given the lack of visibility over their internals.As a consequence, we might have been only scratching the surface of the Titan M firmware, which could also explain why all the detected crashes happened after just a few minutes of fuzzing.
An alternative approach that we focused on is emulation-based fuzzing.In short, given that the firmware is publicly available, why not try to emulate its execution on our laptop?Leveraging our background knowledge on how it works, coming from hours of reverse engineering, we can set up an emulation framework to run the firmware instruction by instruction, and analyze its behavior.This is also a very good feedback for a coverage-guided fuzzer, which can prioritize inputs leading to new instructions being reached and adjust its mutator accordingly.
There exist a number of different ways to implement a solution like this.We tried a few, but we ended up using the Unicorn emulator engine, and AFL++ as fuzzing framework.Unicorn is a QEMU-based project that only supports CPU emulation, without full-system emulation.Rather than a limitation, this was an advantage in our case, since we could set up our scripts very easily, and implement some ad-hoc tweaks to improve the detection of bugs or work around some issues.In addition, Unicorn integrates very well with AFL++, thanks to its unicorn mode, which essentially allows to fuzz pretty much anything that can be emulated with Unicorn.The only step required is the definition of the place_input_callback, a function that writes inputs in the target's memory at every interaction.
Thanks to this, we could also test other functions in the Titan M firmware, while not forgetting about reasonable attack scenarios.Nonetheless, after a couple of fuzzing campaigns around the SPI rescue feature that did not lead to any significant result, we decided to focus on the tasks again, replicating a similar experiment as the one we did in a black-box setting.AFL++ allows to have custom mutators, hence we plugged libprotobuf-mutator again and emulated three tasks of the firmware separately: Keymaster, Identity, and Weaver.We decided to ignore AVB due to the limited attack surface it exposes, with most of the interactions happening while the device is in bootloader mode.
First and foremost, we asked ourselves whether we could once again find the bugs we already knew about, to prove the effectiveness of this new solution.Fortunately, the answer was positive, with the exception of one bug, which takes us to the limitations of emulation-based fuzzing.As we all know, indeed, there is no free lunch, and also in this case, this approach brings some drawbacks.
To address the second issue, Unicorn allows to set a number of custom hooks to monitor certain memory accesses or specific fragments of code.We did implement some heuristics to catch some patterns of bugs, like broken calls to memcpy that ended up reading from the Boot ROM (that is mapped at address 0x0).On the other hand, this comes at a cost: hooks impact performance, and there is always a trade-off between the time spent reverse engineering to identify these patterns, and the time you actually let the fuzzer run freely.
But now, let's get into the tasty part.While fuzzing the Keymaster task, we discovered an interesting crash caused by a UC_ERR_WRITE_UNMAPPED, while processing an ImportKey request.This crash was occurring in a strb instruction, meaning that the firmware was trying to write 1 byte in an unmapped memory area. Note that the vulnerable firmware was introduced by Google's Pixel security update of May 2022.
As we can see from the Protobuf definitions, ImportKey messages contain a KeyParameters field, which in turn is made of one or more KeyParameter objects.The bug occurs while processing the tags in a key parameter: the vulnerable function loops through the list of parameters, and for each one it checks if the tag is 0x20005, corresponding to DIGEST.When such parameters are found, the function takes the associated integer field, and after some checks it uses it as an offset of a stack buffer to set a byte to 1.By passing a large enough integer as parameter, it is possible to write out of bounds that one byte value of 0x01.
The code snippet below, both in assembly and decompiled view, shows these checks as well as the strb instruction causing the out of bounds write and subsequent crash. At that point, r1 is 0x1, r7 is the buffer address and r3 is the integer field of the current KeyParameter.
The vulnerability can actually be triggered as many times as the number of parameters with a DIGEST tag, with the only limitation of remaining within the maximum size of the KeyParameters list.This results in multiple, 1-byte, out-of-bounds writes.Such writes are however far from arbitrary, due to the checks on the offset.Without entering into details of the bit-wise operations, the least significant byte can only be 0x0, 0x2 or 0x4. 152ee80cbc
us232r-10-bulk driver download
double dhamaal full movie download mp4 hd