Attack on Titan M, Reloaded: Vulnerability Research on a Modern Security Chip

Presented at Black Hat USA 2022, Aug. 11, 2022, 3:20 p.m. (40 minutes).

The Titan M chip was introduced by Google in their Pixel 3 devices, and in a previous study we analyzed this chip and presented its internals and protections. Building on that background, in this new talk we focus on how we performed software vulnerability research on such a constrained target, despite the limited information available.

We will dive into how our black-box fuzzer works and its associated limitations. We then show how emulation-based solutions manage to outperform hardware-bound approaches. By combining a coverage-guided fuzzer (AFL++), an emulator (Unicorn) and some optimizations tailored for this target, we found an interesting vulnerability, which only allowed setting a single byte to 1, with several constraints on the offset. Although it looked hard to exploit, we present how we turned it into code execution and leaked the secrets contained in the secure module.

This talk is the tale of how we mixed together various known techniques and open source tools against such a mysterious chip, with almost no debugging support. Since we often had only return codes to rely on while developing our tools and exploits, we hope to offer interesting insights for other security researchers studying similar targets.


Presenters:

  • Damiano Melotti - Security Researcher, Quarkslab
    Damiano Melotti (@DamianoMelotti) is a security researcher at Quarkslab. He is mostly interested in systems security, especially in mobile platforms (Android) and automated vulnerability research.
  • Maxime Rossi Bellom - Security Researcher and Team Leader, Quarkslab
    Maxime Rossi Bellom (@max_r_b) is a security researcher and team leader working at Quarkslab. He is interested in embedded and mobile software security, and recently started to look into hardware as well. In his previous life, he spent quite some time designing defenses for Android-based systems.
