Exploring the Galaxy. Building emulators to find vulnerabilities in modern phones
In this talk, I will cover vulnerabilities in the Secure Bootloader (S-Boot), the hypervisor (RKP) and TrustZone apps (TEEGRIS) on Samsung Galaxy phones with Exynos SoCs. We'll look at approaches to finding such bugs and at their impact on end-user security. The focus will be on building custom QEMU-based emulators that make debugging these proprietary components practical, and on how such emulators help in developing an exploit. I will also discuss what developers and the industry could have done better to avoid issues like these, as well as the limits of security engineering, which unfortunately mean that vulnerabilities cannot be prevented entirely. All of the issues have been responsibly disclosed to the vendor and were patched by Samsung in 2019-2020. This talk does not present unpatched zero-days, and I hope most end-users are well protected by the updates.