Attack on Titan M, Reloaded: Vulnerability Research on a Modern Security Chip

Damiano Melotti

Abstract:

The Titan M chip was introduced by Google in their Pixel 3 devices to reduce the attack surface and protect against hardware-level vulnerabilities. Our team at Quarkslab has been studying it for quite some time now, and in this talk we will share our takeaways on how we performed vulnerability research on such a constrained target. From plain static analysis to fuzzing and dynamic symbolic execution, we will compare the results we obtained with each approach, as well as its limitations. Finally, we will dive into CVE-2022-20233, a vulnerability that only allowed setting a single byte to 1. We will show how we managed to obtain code execution from it and leak secrets from the secure chip, practically defeating its protection.

Speaker: Damiano Melotti

Damiano Melotti is a security researcher at Quarkslab. He is mostly interested in systems security, especially on mobile platforms (Android), and in automated vulnerability research.