Getting arbitrary code execution in TrustZone's kernel from any context

(All the vulnerabilities have been responsibly disclosed and fixed. I will post the CVE IDs and timelines in the following posts.)


What's the Goal?

Transcendence. From Android, that is.

This is going to be a series of blog posts detailing a chain of vulnerabilities that I've discovered which will enable us to escalate our privileges from any user up to the highest privilege of all - executing our code within TrustZone itself.

Since I only have my personal Android device, a Nexus 5 powered by a Snapdragon 800 SoC, I will focus on the TrustZone platform present on my device - Qualcomm's TrustZone implementation.

It should be noted that Qualcomm's TrustZone platform is present on all devices powered by Qualcomm SoCs, however, they also allow OEMs to make modifications and additions to this platform, which I will go into in more detail in later blog posts.

Also, I believe objectively Qualcomm's TrustZone implementation is a good target since the Snapdragon SoCs are quite ubiquitous and can be found in a very wide range of devices (which isn't surprising, considering Qualcomm has a very large market share in the smartphone chipset market).