ARM TrustZone forms the security backbone of mobile devices. TrustZone-based Trusted Execution Environments (TEEs) facilitate security-sensitive tasks like user authentication and disk encryption. As such, bugs in the TEE software stack may compromise the entire system’s integrity.
EL3XIR introduces a framework to effectively rehost and fuzz the secure monitor firmware layer of proprietary TrustZone-based TEEs. While other approaches have focused on naively rehosting or fuzzing Trusted Applications or the TEE OS, EL3XIR targets the highly privileged but underexplored secure monitor and its unique challenges.
Secure monitors expose complex functionality through diverse secure monitor calls that may depend on multiple peripherals. We followed responsible disclosure procedures and reported a total of 34 bugs, out of which 17 were classified as security critical. Affected vendors confirmed 14 of these bugs, and as a result, EL3XIR was assigned six CVEs.
Marcel Busch is a postdoc at EPFL with the HexHive group. His current research focus is mobile security, with a special interest in Android TEEs and fuzzing. Outside of work, Marcel enjoys solving CTF challenges and has captured flags with FAUST, Shellphish, p0lygl0ts, and the 0rganizers.
Christian Lindenmeier is a third-year PhD student at the Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) with the IT Security Infrastructures Lab. His research is centered on fuzzing the firmware of ARM-based devices, with a particular focus on targeting ARM TrustZone. He is also involved in various aspects of digital forensics for Android smartphones.