Reversing and Fuzzing the Google Titan M Chip

Damiano Melotti; Maxime Rossi-Bellom; Andrea Continella

doi:10.1145/3503921.3503922

Reversing and Fuzzing the Google Titan M Chip

Damiano Melotti
, Maxime Rossi-Bellom
, Andrea Continella

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

10 Citations (Scopus)

197 Downloads (Pure)

Abstract

Google recently introduced a secure chip called Titan M in its Pixel smartphones, enabling the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore, studying their security lays the basis of the trust we have in their features. In this paper, we provide the first security analysis of Titan M. First, we reverse engineer the firmware and we review the open source code in the Android OS that is responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory layout and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer. Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we identify and report a new vulnerability in the latest version of the firmware.

Original language	English
Title of host publication	ROOTS 2021 - Proceedings of the 5th Reversing and Offensive-Oriented Trends Symposium 2021, co-Located with DEEPSEC
Publisher	Association for Computing Machinery
Number of pages	10
ISBN (Electronic)	9781450396028
DOIs	https://doi.org/10.1145/3503921.3503922
Publication status	Published - 28 Nov 2021
Event	5th Reversing and Offensive-Oriented Trends Symposium, ROOTS 2021 - ARCOTEL Wimberger, Vienna, Austria Duration: 18 Nov 2021 → 19 Nov 2021 Conference number: 5

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	5th Reversing and Offensive-Oriented Trends Symposium, ROOTS 2021
Abbreviated title	ROOTS 2021
Country/Territory	Austria
City	Vienna
Period	18/11/21 → 19/11/21
Other	co-Located with DEEPSEC Conference

Keywords

Android Security
Fuzzing
Reverse Engineering
Trusted Execution Environments
Vulnerability Research
Cybersecurity
22/1 OA procedure

Access to Document

10.1145/3503921.3503922

10.1145_3503921.3503922Final published version, 713 KBLicence: Taverne

Cite this

@inproceedings{182861e6b5a74d5291efc2d790b385ca,

title = "Reversing and Fuzzing the Google Titan M Chip",

abstract = "Google recently introduced a secure chip called Titan M in its Pixel smartphones, enabling the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore, studying their security lays the basis of the trust we have in their features. In this paper, we provide the first security analysis of Titan M. First, we reverse engineer the firmware and we review the open source code in the Android OS that is responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory layout and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer. Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we identify and report a new vulnerability in the latest version of the firmware.",

keywords = "Android Security, Fuzzing, Reverse Engineering, Trusted Execution Environments, Vulnerability Research, Cybersecurity, 22/1 OA procedure",

author = "Damiano Melotti and Maxime Rossi-Bellom and Andrea Continella",

note = "Funding Information: We would like to thank our reviewers for their valuable comments and inputs to improve our paper. Moreover, we thank Philippe Teuwen and the other engineers at Quarkslab, who contributed to this research by providing useful suggestions and insights. We acknowledge the support of the Government of Canada{\textquoteright}s New Frontiers in Research Fund (NFRF), NFRFE-2019-00806. Funding Information: We would like to thank our reviewers for their valuable comments and inputs to improve our paper. Moreover, we thank Philippe Teuwen and the other engineers at Quarkslab, who contributed to this research by providing useful suggestions and insights. We acknowledge the support of the Government of Canada's New Frontiers in Research Fund (NFRF), NFRFE-2019-00806. Publisher Copyright: {\textcopyright} 2021 ACM.; 5th Reversing and Offensive-Oriented Trends Symposium, ROOTS 2021, ROOTS 2021 ; Conference date: 18-11-2021 Through 19-11-2021",

year = "2021",

month = nov,

day = "28",

doi = "10.1145/3503921.3503922",

language = "English",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

booktitle = "ROOTS 2021 - Proceedings of the 5th Reversing and Offensive-Oriented Trends Symposium 2021, co-Located with DEEPSEC",

address = "United States",

}

Melotti, D, Rossi-Bellom, M & Continella, A 2021, Reversing and Fuzzing the Google Titan M Chip. in ROOTS 2021 - Proceedings of the 5th Reversing and Offensive-Oriented Trends Symposium 2021, co-Located with DEEPSEC. ACM International Conference Proceeding Series, Association for Computing Machinery, 5th Reversing and Offensive-Oriented Trends Symposium, ROOTS 2021, Vienna, Austria, 18/11/21. https://doi.org/10.1145/3503921.3503922

Reversing and Fuzzing the Google Titan M Chip. / Melotti, Damiano; Rossi-Bellom, Maxime; Continella, Andrea.
ROOTS 2021 - Proceedings of the 5th Reversing and Offensive-Oriented Trends Symposium 2021, co-Located with DEEPSEC. Association for Computing Machinery, 2021. (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Reversing and Fuzzing the Google Titan M Chip

AU - Melotti, Damiano

AU - Rossi-Bellom, Maxime

AU - Continella, Andrea

N1 - Conference code: 5

PY - 2021/11/28

Y1 - 2021/11/28

N2 - Google recently introduced a secure chip called Titan M in its Pixel smartphones, enabling the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore, studying their security lays the basis of the trust we have in their features. In this paper, we provide the first security analysis of Titan M. First, we reverse engineer the firmware and we review the open source code in the Android OS that is responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory layout and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer. Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we identify and report a new vulnerability in the latest version of the firmware.

AB - Google recently introduced a secure chip called Titan M in its Pixel smartphones, enabling the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore, studying their security lays the basis of the trust we have in their features. In this paper, we provide the first security analysis of Titan M. First, we reverse engineer the firmware and we review the open source code in the Android OS that is responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory layout and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer. Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we identify and report a new vulnerability in the latest version of the firmware.

KW - Android Security

KW - Fuzzing

KW - Reverse Engineering

KW - Trusted Execution Environments

KW - Vulnerability Research

KW - Cybersecurity

KW - 22/1 OA procedure

UR - https://www.scopus.com/pages/publications/85124526766

U2 - 10.1145/3503921.3503922

DO - 10.1145/3503921.3503922

M3 - Conference contribution

AN - SCOPUS:85124526766

T3 - ACM International Conference Proceeding Series

BT - ROOTS 2021 - Proceedings of the 5th Reversing and Offensive-Oriented Trends Symposium 2021, co-Located with DEEPSEC

PB - Association for Computing Machinery

T2 - 5th Reversing and Offensive-Oriented Trends Symposium, ROOTS 2021

Y2 - 18 November 2021 through 19 November 2021

ER -

Reversing and Fuzzing the Google Titan M Chip

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this