Core Escalation: Unleashing the Power of Cross-Core Attacks on Heterogeneous System

Explore the power of cross-core attacks on heterogeneous systems, uncovering vulnerabilities in Huawei smartphones and demonstrating attack vectors and potential escalations.

Key takeaways
  • Core escalation relies on cross-core attacks, where malware on one core attacks another core to gain access to higher privileges.
  • IOMCU and LPMCU are two vulnerable cores in Huawei smartphones, and exploiting them can lead to arbitrary code execution.
  • The ISP core is also vulnerable due to a lack of encryption and verification of firmware updates.
  • Shared memory is a common mechanism used by different cores, and exploiting it can lead to data breaches and privilege escalation.
  • The DMA transfer function can be used to overwrite large amounts of data, making it a potential attack vector.
  • The CFGBus is a critical component that enables communication between cores, and exploiting its controls can lead to privilege escalation.
  • TEE OS is a proprietary operating system developed by Huawei, and its vulnerabilities can be exploited for privilege escalation and data breaches.
  • The secure world is divided into different privilege levels, and exploiting vulnerabilities in one level can compromise the entire secure world.
  • Cross-core communication can be exploited to gain access to higher privileges and compromise the secure world.
  • The ACPU and ISP cores have different privilege levels, and exploiting vulnerabilities in one core can compromise the secure world.
  • The LPMCU core has a mailbox handler that can be exploited to gain arbitrary code execution.
  • The DMSS and CFGBus are two prevalent mechanisms used for cross-core communication.
  • The IOMCU core has a proprietary firmware that is vulnerable to attacks.
  • The ISP core has a secure signal that can be exploited to gain access to higher privileges.