Auditing Closed Source Trusted Applications for Qualcomm Secure Execution Environment (QSEE)

Smartphones have become essential devices for carrying out many daily activities, including security-sensitive tasks such as authentication and payments. The security of sensitive data in modern mobile devices rely on hardware-enabled Trusted Execution Environments, amongst which ARM TrustZone is one of the most widely used. Qualcomm Secure Execution Environment (QSEE) is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

In order to audit the QSEE environment, security researchers have to face different challenges. On the one hand, the software components of QSEE (i.e., trusted operating system and trusted applications) are not open sourced and can be quite complex, which requires a considerable extent of reverse engineering efforts to conduct analysis and to assess their security. On the other hand, to the best of our knowledge there are no publicly available emulators for QSEE Trusted Applications that assist in debugging and auditing their code.

In this talk, we share the knowledge we obtained from a careful reverse engineering examination of different QSEE Trusted Applications and operating systems (QSEE-OS), showing the different versions of QSEE-OS and the differences with regard to how trusted applications are loaded in each of the QSEE-OS versions. Besides, we will present the different tools we have developed throughout our research to assist in the security evaluation of QSEE, including a debugger for QSEE Trusted Applications fully integrated with GDB and Ghidra and a coverage-based fuzzer for QSEE Trusted Applications. Such tools are essential for us to better understand the internals and behaviour of the trusted applications, to find attack surfaces and to identify vulnerable code for further analyzing and fuzzing.