TrustZone has emerged as a leading option for security-critical tasks on ARM devices. It has been billed as a "100% secure solution" for restricting access to sensitive device hardware components and securely storing highly privileged information. As a result, TrustZone is used on millions of mobile devices for diverse tasks including managing secure boot, storing DRM keys on behalf of digital content providers, supporting mobile payments, and performing integrity validation on the live operating system kernel.
This talk will take a deep technical dive into the inner workings of a major vendor's TrustZone kernel, which is currently deployed on millions of Android devices. After providing a review of prior work in TrustZone exploitation, this talk will describe a previously unpublished vulnerability in this TrustZone implementation, and provide details on steps taken to exploit this vulnerability. The talk will conclude with a discussion of the ramifications of this vulnerability and others like it, including a live demonstration of using it to permanently unlock the bootloader of a major Android phone.