Security and privacy-sensitive smartphone applications use trusted execution environments (TEEs) to protect sensitive operations from malicious code. By design, TEEs have privileged access to the entire system but expose little to no insight into their inner workings. Moreover, real-world TEEs enforce strict format and protocol interactions when communicating with trusted applications (TAs), which prohibits effective automated testing.
TEEzz is the first TEE-aware fuzzing framework capable of effectively fuzzing TAs in situ on production smartphones, i.e., the TA runs in the encrypted and protected TEE and the fuzzer may only observe interactions with the TA but has no control over the TA’s code or data. Unlike traditional fuzzing techniques, which monitor the execution of a program being fuzzed and view its memory after a crash, TEEzz only requires a limited view of the target. TEEzz overcomes key limitations of TEE fuzzing (e.g., lack of visibility into the executed TAs, proprietary exchange formats, and value dependencies of interactions) by automatically attempting to infer the field types and message dependencies of the TA API through its interactions, designing state- and type-aware fuzzing mutators, and creating an in situ, on-device fuzzer.
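As an added illustration of the two ideas just described, inferring field types and message dependencies from observed interactions and then mutating and replaying messages type- and state-aware, here is example code written for this page; it is not TEEzz's implementation, and the trusted application, its commands, field names and values are all hypothetical:

```python
# Constructed trace of client<->TA interactions for a hypothetical TA, as
# (command, input fields, output fields); every name and value is invented.
TRACE = [
    ("open_session", {"uuid": b"\x12" * 16}, {"session": 0x1000}),
    ("load_key", {"session": 0x1000, "alg": 0x10, "blob": b"keydata-1"}, {"key": 0x2001}),
    ("sign", {"session": 0x1000, "key": 0x2001, "alg": 0x10, "msg": b"hello"}, {}),
    ("open_session", {"uuid": b"\x12" * 16}, {"session": 0x1001}),
    ("load_key", {"session": 0x1001, "alg": 0x20, "blob": b"keydata-2"}, {"key": 0x2002}),
]

def infer_types(trace):
    """(cmd, field) -> ('handle', producer_cmd, out_field) | ('enum', values) | ('buffer',)."""
    produced, types, enum_vals = {}, {}, {}
    for cmd, ins, outs in trace:
        for f, v in ins.items():
            if isinstance(v, int) and v in produced:
                kind = ("handle",) + produced[v]          # value came from an earlier response
            elif isinstance(v, int):
                kind = ("enum",)
                enum_vals.setdefault((cmd, f), set()).add(v)
            else:
                kind = ("buffer",)
            # A field whose class changes across the trace is treated as an opaque buffer.
            types[(cmd, f)] = kind if types.get((cmd, f), kind) == kind else ("buffer",)
        for f, v in outs.items():
            produced[v] = (cmd, f)
    return {k: v + ((frozenset(enum_vals[k]),) if v == ("enum",) else ()) for k, v in types.items()}

def mutate(msg, types, rng):
    """Type-aware mutation of one non-handle field (handles are rebound by replay)."""
    cmd, ins = msg[0], dict(msg[1])
    f = rng.choice([f for f in ins if types[(cmd, f)][0] != "handle"])
    kind = types[(cmd, f)]
    if kind[0] == "enum":
        ins[f] = rng.choice(sorted(kind[1]) + [0, 0xFFFFFFFF])  # observed value or a boundary
    else:
        buf = bytearray(ins[f])
        if buf: buf[rng.randrange(len(buf))] ^= 0xFF   # flip one byte, then
        ins[f] = bytes(buf) * rng.choice([0, 1, 4])   # empty, keep or grow the buffer
    return (cmd, ins)

def replay(seq, types, send):
    """State-aware replay: rebind handles to this run's live values; send(cmd, ins) -> outs."""
    live, sent = {}, []
    for cmd, ins in seq:
        ins = {f: live.get(types[(cmd, f)][1:], v) if types[(cmd, f)][0] == "handle" else v
               for f, v in ins.items()}
        live.update({(cmd, f): v for f, v in send(cmd, ins).items()})
        sent.append((cmd, ins))
    return sent
```

In a real harness `send` would be the client-side TEE driver call on the device, so every session and key handle is taken from the live response rather than from the recorded trace.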
We found 13 previously unknown bugs in the latest versions of OP-TEE TAs. We also ran TEEzz on popular phones and found 40 unique bugs for which one CVE was assigned so far.
Marcel Busch is a PostDoc at EPFL with the HexHive group. His current research focus is mobile security with a special interest in Android TEEs and fuzzing. Outside of work, Marcel enjoys solving CTF challenges and capturing flags with FAUST, Shellphish, p0lygl0ts, or the 0rganizers.