Core Escalation: Unleashing the Power of Cross-Core Attacks on Heterogeneous System

Security

Explore the power of cross-core attacks on heterogeneous systems, uncovering vulnerabilities in Huawei smartphones and demonstrating attack vectors and potential escalations.

Key takeaways
  • Core escalation relies on cross-core attacks, where malware on one core attacks another core to gain access to higher privileges.
  • IOMCU and LPMCU are two vulnerable cores in Huawei smartphones, and exploiting them can lead to arbitrary code execution.
  • The ISP core is also vulnerable due to a lack of encryption and verification of firmware updates.
  • Shared memory is a common mechanism used by different cores, and exploiting it can lead to data breaches and privilege escalation.
  • The DMA transfer function can be used to override large amounts of data, making it a potential attack vector.
  • The CFGBus is a critical component that enables communication between cores, and exploiting its controls can lead to privilege escalation.
  • TEE OS is a proprietary operating system developed by Huawei, and its vulnerabilities can be exploited for privilege escalation and data breaches.
  • The secure world is divided into different privilege levels, and exploiting vulnerabilities in one level can compromise the entire secure world.
  • Cross-core communication can be exploited to gain access to higher privileges and compromise the secure world.
  • The ACPU and ISP cores have different privilege levels, and exploiting vulnerabilities in one core can compromise the secure world.
  • The LPMCU core has a mailbox handler that can be exploited to gain arbitrary code execution.
  • The DMSS and CFGBus are two prevalent mechanisms used for cross-core communication.
  • The IOMCU core has a proprietary firmware that is vulnerable to attacks.
  • The ISP core has a secure signal that can be exploited to gain access to higher privileges.
  • The DMA transfer function can be used to override large amounts of data, making it a potential attack vector.

More talks

37C3 - Finding Vulnerabilities in Internet-Connected Devices

Exploring Spring Boot Clients: A Comprehensive Overview by Patrick Baumgartner

DevOps isn't just about developing - Michelle "MishManners" Duke - NDC Oslo 2024

Did Microservices Break DORA? • Dave Farley • GOTO 2024

MRMCD2024 we know perimeter security is dead - how to get over it and where to?

Keynote: My Lessons from the Uber Case

Keynote: Hack Your Way to the Top - Troy Hunt - NDC Oslo 2024

Configuration and Authentication: Michael Paquier - PGCon 2023