TEEPwn

-Breaking TEE by Experience -

In close cooperation with Raelize B.V., the Netherlands Forensic Institute (NFI) is offering a training course for breaking TEE.

Many modern devices are equipped with a Trusted Execution Environments (TEE), an isolated subsystem used for performing security sensitive tasks and handling security sensitive data (e.g., encryption keys). Digital forensic experts aiming to break into modern devices will acknowledge that a TEE is nowadays a common component in a modern security architecture. Even though a TEE is notoriously hard to secure due to the the interaction between hardware and a significant code base, it’s often even harder to analyze and understand it. It’s usually not straightforward to escalate from the non-secure world into the secure world.

Description

The TEEPwn experience takes an offensive perspective and dives into the darker corners of TEE security. It’s designed with a system-level approach, where students will experience exploitation of powerful vulnerabilities specific for devices equipped with a TEE. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.

Students will be taken on a journey that starts with achieving a comprehensive understanding of TEE security. They will learn how hardware and software cooperate in order to enforce effective security boundaries. They will then use this understanding for identifying interesting vulnerabilities across the entire TEE attack surface. Students will be challenged to exploit these vulnerabilities using multiple realistic forensic scenarios.

All practical exercises are performed on our custom emulated attack platform which is based on ARM TrustZone and includes multiple TEE implementations.

Students will take on different roles, as a digital forensic expert in control of:

  • the REE, achieving privileged code execution in the TEE
  • the REE, accessing assets protected by a Trusted Application (TA)
  • a TA, escalating privileges to the TEE OS
  • a TA, accessing the protected assets of another TA

Students will be guided towards an unexpected range of TEE-specific attack vectors and vulnerabilities, which can be leveraged for novel and creative exploits, allowing students to refine their skills to a new level.

Format

The TEEPwn experience takes students on a journey of 4 days of 8 hours where they will attend lectures (30%) and perform exciting hands-on exercises (70%).

Students will get access to a Virtual Machine (VM) which contains all the required tooling. It’s expected that not all of the exercises are finalized within the training hours. Therefore, students will have access to this VM forever so they can continue with the exercises after the training has ended.

Level

The training level of the TEEPwn experience is “Intermediate”.

Agenda

  • Fundamentals
    • Overview of TEE
    • Security model
  • ARM TrustZone
    • TEE software
    • TEE attacker model
    • TEE attack surface
  • REE-to-TEE attacks
    • Secure Monitor (S-EL3)
    • TEE OS (S-EL1)
    • Identify and exploit vulnerabilities related to:
      • Vulnerable SMC handlers
      • Broken design
      • Unchecked pointers
      • Restricted writes
      • Range checks
  • REE-to-TA attacks
    • Communicating with a TA
    • Global Platform API
    • Identify and exploit vulnerabilities related to:
      • Type confusion
      • ToCToU / Double fetch
  • TA-to-TEE attacks
    • TEE OS (syscall interface)
    • Drivers
    • Identify and exploit vulnerabilities related to:
      • Unchecked pointers
      • Vulnerable hardware primitives
  • TA-to-TA attacks
    • State confusion

Objectives

The primary objectives are:

  • gain a system-level understanding of TEE security
  • identify vulnerabilities across the entire TEE attack surface
  • gain hands-on experience with TEE-specific exploitation techniques
  • gain a solid understanding of ARM TrustZone-based TEEs

Target group

This training is intended for:

  • Digital police investigators
  • Forensic investigators and Security Analysts in other law-enforcement agencies

Preferably from ENFSI-labs and/or NATO countries.

Prerequisites

The students are expected to:

  • have experience with C programming
  • have experience with the ARM architecture and assembly (AArch64)
  • have a solid understanding of modern operating systems
  • have an understanding of typical software vulnerabilities
  • be familiar with reverse engineering (AArch64)
  • be familiar with typical exploitation techniques

There’s no need to meet all of the above expectations. Less-experienced students can rely on our guidance, hints and solutions, whereas more experienced students will not.

Requirements

The students are expected to have a laptop:

  • with sufficient storage (>50 GB) and memory (~16 GB)
  • installed a modern browser (i.e., Google Chrome)
  • installed with virtual machine software (i.e., VMWare)

Deliverables

The students will get access to:

  • a personal virtual machine (VM) with all the required tooling installed
  • access to the exercise modules and instructions

To continue after the training has ended, students will also get access to:

  • ability to run the exercise modules forever
  • ability to copy the exercise modules and instructions

Dates and duration

Dates
4-7 November 2025

Duration
Four consecutive days, 9.00-17.00 h

Participants

5-18 participants

Costs

  • 4-days TEEPwn training: € 4250,- per participant. This includes lunches and coffee/tea refreshments
  • Dutch Police: please fill out the registration form, ask for a quotation in the field Remarks. Selection may take place by a police coordinator.

N.B.: No VAT will be added.

Hotel and travel costs are not included.

Location

Netherlands Forensic Institute in The Hague, The Netherlands

Note

The course is taught in English.

More information and registration

For more information, please complete our contact form. Please indicate on the form you are interested in the training 'TEEPwn'.

For registration, please complete the registration form. If a quotation is needed, please fill out the registration form, ask for a quotation in the field Remarks.