Welcome to the research page of TASZK Security Labs!

Here you can find a collection of advisories from coordinated disclosures, publications of our original research work, and the occasional infosec war stories and musings.

Recent Articles

[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver

Introduction Last summer I have discovered several vulnerabilities in the implementation of Samsung’s NPU device driver. While I was working on completing my proof of concept exploit, Ben Hawkes from Google’s Project Zero reported the same vulnerabilities to Samsung. Later that year Brandon Azad released an article documenting his approach of turning these bugs into an arbitrary kernel code execution exploit. At the same time, the team of aSiagaming, yeonnic, and say2 also found the same bugs and published a writeup, focusing on their method of exploitation and the post exploitation steps required to obtain root. What makes the initial bugs interesting, besides the triple collision, is that they provide two very distinct avenues for exploitation.

Unbox Your Phone - Part III.

Summary This is the third part of a blog series covering my security research into Samsung’s TrustZone. This post covers the following vulnerabilities that I have found: SVE-2017–8888: Authentication Bypass + Buffer overflow in tlc_server SVE-2017–8889: Stack buffer overflow in ESECOMM Trustlet SVE-2017–8890: Out-of-bounds memory read in ESECOMM Trustlet SVE-2017–8891: Stack buffer overflow in ESECOMM Trustlet SVE-2017–8892: Stack buffer overflow in ESECOMM Trustlet SVE-2017–8893: Arbitrary write in ESECOMM Trustlet You can find all the PoCs on github. Target Selection The first thing for me was deciding on Trustlets to focus on. I can not emphasize enough: if you build on some other way of getting to system level privileges, tons of new Trustlet-level attack surface opens up.

Recent Advisories

SVE-2017-8975: TOCTOU Race Condition in Samsung TrustZone SCrypto Driver

Summary Due to a race condition in input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow. The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers. The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA). The race condition vulnerability is in the ciphering command implementation of RSA decryption.

SVE-2017-8974: TOCTOU Race Condition in Samsung TrustZone SCrypto Driver

Summary Due to a race condition in input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow. The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers. The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA). The race condition vulnerability is in the ciphering command implementation of RSA encryption.