Learn how it is possible to prove low-level software component and TEE security, as well as the Goodix driver example demoed in the webinar. Check out the webinar replay here: https://www.youtube.com/watch?v=nG3DlejBd3k Visit our website trust-in-soft.com for more information!

1. 1
Proving the Security of Low-Level
Software Components & TEEs
Mathematically Guaranteed
Quality, Security and Safety on C and C++ Code

2. 2
You will get the slides via
email
You will get the recording in the coming
days
Please ask questions in the Q&A
section
Vic Sharma
US executive
Jakub Zwolakowski
R&D engineer
Welcome !

3. 3
Game
Consoles
Phones
Airplanes
Space
probes
Autonomous
Cars
Smart
Meters

4. 4
Over the last 5 years alone firmware
vulnerabilities have gone up by over 573%
More than 80% of the enterprises have
experienced at least one firmware attack in the
past two years
4 in 10 companies breached through a mobile device.
Semiconductor TEE component vulnerability
exposes millions of mobile devices to security
threats.
Preventing device-level attacks targeting low-level
software is the next frontier in cybersecurity.
Cyberattacks on critical infrastructure are on the
rise.

5. 5
Hybrid code Analyzer combining advanced
static and dynamic analysis techniques together
with formal methods to mathematically
guarantee C/C++ code quality & maximize code
security and safety
TrustInSoft Analyzer

6. 6
Resolving the
Achilles’ heel of C and
C++:
Detecting all
Undefined Behaviors
• Memory access
• Buffer overflow
• Access out of bounds
• Invalid pointers usage
• Non-initialized variables
• etc…
• Arithmetic operations
• Division by zero
• Integer signed overflows
• Overflow in float-to-int conversion
• NaN in float computation
• etc…
• Race conditions
Unpredictable outputs or program execution
Code execution by an attacker & program intrusion
Software misbehavior or crash
Undefined behaviors are complex to detect
and can lead to disastrous consequences:

7. 7
7
6012269011901013063071144571567
1850162787960150597983632424299
4413590530419161514337036842790
287400677240995840
Math can grasp all possible behavior of software
This is the number of tests that
we can perform in a single run in
a few seconds
Our secret sauce

8. 8
The best-of benefits of security testing
TrustInSoft Analyzer Traditional static analyzers
Analysis type Semantic Syntactic
What it does
Applies formal methods to look for issues that cause undefined
behaviors and checks execution for all possible input values
Looks for suspicious code constructs / coding rules
compliance
Sound Yes No
False positives / False negatives Some/ No Many / Yes
Input Tests Coding rules
Output All undefined behaviors detected / confidence on code quality List of potential bugs

9. 9
Low-Level Software
(Open-Source Examples)
Secure Communication
(ARM Mbed TLS)
Linux Kernel Driver Security
(Goodix)
Device Driver Security
(AIS2DW12 Sensor Driver -
STMicroelectronics)

10. 10
Secure Communication
ARM Mbed TLS
SSL/TLS Without Undefined Behavior
A unique, first-of-its-kind result from the analysis
performed using TrustInSoft Analyzer demonstrated,
how the ARM Mbed TLS stack, in a described
configuration, is immune to popular vulnerabilities
including buffer overflows. The verification report
details how to compile, configure and deploy the
Mbed TLS in a given perimeter in order to be
immune from all attacks caused by CWE 119 to 127,
369, 415, 416, 457, 476, 562, 690. All bugs of those
kind were found and removed.
Link to the full verification report: http://trust-in-
soft.com/polarssl-verification-kit

11. 11
2016: NIST report
to the white
house
NIST underlines in a report to the White House a result
unique in the world performed by TrustInSoft: a
mathematical assessment of absence of buffer overflow or
memory error in the ARM Mbed TLS, which is at the core of
ARM’s mbed environment.

12. 12
Device Driver Security
AIS2DW12 Driver Analysis
(STMicroelectronics)
The platform-independent sensor driver stack for
the AIS2DW12 digital output motion sensor for
Automotive applications from STMicroelectronics
was analyzed using TrustInSoft Analyzer to verify
absence of undefined behaviors in the source code
of the driver. Within the perimeter of the defined
tests, through exhaustive analysis, our tool was able
to mathematically guarantee that for any given
authorized input and any execution path, there were
no undefined behaviors in the driver.

13. 13
13
ST AIS2DW12 Accelerometer - Driver Analysis
The AIS2DW12 3-axis accelerometer was selected as it had the
most recent contributions on github
TIS Analyzer determined, simulated and cascaded the superset of all
possible inputs, code values and behaviors
Buffer overflow identified and fixed in less than 1,5 hour (incl. the
time to get familiar with ST datasheet and driver)
With the proposed fix and the analysis run again, TIS confirms that
for all existing tests, whatever registers the HW contains, the driver
has no undefined behavior

14. 14
Linux Kernel Driver
Linux Kernel Driver – GT9xx (Goodix)
The GT9xx is a Linux Kernel Driver for the Goodix
GT915 capacitive touch chip used in medium and
large sized mobile phones. A formal analysis was
performed on this kernel driver using TrustInSoft
Analyzer, and it was concluded that given the
perimeter of the analysis, the driver is safe from a
large number of vulnerabilities that could
compromise the complete operating system. Within
the perimeter, the TrustInSoft Analyzer was able to
guarantee the absence of undefined behavior for the
GT9xx driver.

15. 15
15
Goodix GT915 capacitive touch Driver
• We simulated and modelized the HW (Linux Kernel and the driver) for a fixed
configuration: HW contains the address of the register to be read following I2C read
request i.e. when screen is touched
• TIS Analyzer determined, simulated and cascaded the superset of all possible inputs,
code values and behaviors. What happens in case of a material defect or if a hacker
simulates a screen touch with 256 fingers at the same time? Is the driver robust
enough to cope with it?
• TIS confirms absence of undefined behavior and driver’s immunity to following
families of vulnerabilities: CWE 119 to 127, 369, 415, 416, 457, 476, 562, 690 within
the analysis’ model and perimeter

16. 16
Trusted Execution
Environment (TEE)
Security
TrustInSoft Analyzer delivers bullet-proof TEE security
to Semiconductor Manufacturers - by detecting critical
firmware vulnerabilities, early in the development cycle;
and providing a mathematical guarantee on absence of
undefined behaviors.
Exhaustive analysis to secure various TEE components
including: TEE Kernel, Secure Monitor, Bootloader,
Trusted Applications.
Address critical TEE issues: From software bugs (such as
buffer overflow or integer overflow) - to side channel
attacks or concurrency issues.
Ensure there are no inconsistencies between the expected
requirements of the TEE firmware and its implementation.

17. 17
Incremental journey to maximum security & safety
Replay existing tests Generalize inputs & static analysis Check functional implementation
• Instant productivity: find more bugs quicker
• Mathematical guarantee that Undefined
Behaviors resulting from discrete tested
values are all detected
• 0 false positives & 0 false negatives
• Mathematical guarantee that all Undefined
Behaviours are detected
• 0 false negatives
• Achieve up to 100% coverage on critical tests
• Ensure implemented SW architecture and
functions behave in line with spec
• Full mathematical guarantee for safety and
security
1. Interpreter 2. Analyzer 3. Functional proof

18. 18
Empowering SW developers & testers to…
Ensure absence of crashes and
deterministic behavior. Detect 0-days
before they are known. Platform
specific analysis without compiling.
Exhaustively find and fix all Undefined
Behaviors
incl. the most hidden ones
Determines and propagates the
superset of all possible code values in
execution paths.
Boost coverage. Perform quickly
the equivalent of billions of tests
with 1 generalized inputs test
Functional proof & absence of
Undefined Behaviors (e.g. buffer
overflow).
Get mathematical guarantees on
software security/safety
Code
safety
&
security

19. 19
How is it deployed
TrustInSoft Analyzer can be installed on a dedicated server, either
on-premises or in SaaS
Can be accessed through a
web browser or via
command line interface
Can be integrated to existing
DevOps and Continuous
Integration process via
command line

20. 20
Our customers’ primary drivers
§ Reduce SW test coverage costs
§ Bugs identification &
remediation optimization
§ Bug correction prioritization
(no false positive)
§ Perform tests as if on target
IMPROVE OPERATIONAL
EFFICIENCY
§ Position safety and/or
security as a feature to gain
market share
§ Get certification level /
smooth customer validation
as a price premium
§ Secure Time to Market
sensitive opportunities
GENERATE REVENUE
OPPORTUNITIES
CONTROL
FINANCIAL RISK
§ Reduce field support costs
post-production
§ Avoid brand/image valuation
impact
Beyond Software Security and Safety

21. Goodix GT915
large-screen 5:00
capacitive touch chip
inside the phone
Wiko Rainbow 4G
1

22. The Code
• The GTXX driver source code used for the analysis
was taken from this repository 1 :
• The commit used for the analysis is
f7d281d16eff5031b39c41e6af6c527ecec31385
• The product's official data-sheet was used to model the
hardware behavior 2 :
2
1 https://source.codeaurora.org/quic/la/kernel/msm-3.18/tree/drivers/input/touchscreen/gt9xx?h=LA.HB.1.1.1.c2
2 https://datasheetspdf.com/pdf/945606/GOODIX/GT915/1

23. 2 perimeters of analysis
• We suppose that the attacker controls the hardware
(through interrupts).
• Result:
proven IMMUNITY to a set of security weaknesses.
• We suppose that the attacker has direct access
to the device's proc file (through the OS filesystem).
• Result:
found potential VULNERABILITIES!
3