Talk Title:

EL3XIR: Fuzzing COTS Secure Monitors

Abstract:

ARM TrustZone forms the security backbone of mobile devices. TrustZone-based Trusted Execution Environments (TEEs) facilitate security-sensitive tasks like user authentication and disk encryption. As such, bugs in the TEE software stack may compromise the entire system’s integrity.

EL3XIR introduces a framework to effectively rehost and fuzz the secure monitor firmware layer of proprietary TrustZone-based TEEs. While other approaches have focused on naively rehosting or fuzzing Trusted Applications or the TEE OS, EL3XIR targets the highly-privileged but underexplored secure monitor and its unique challenges.

Secure monitors expose complex functionality through diverse secure monitor calls that may depend on multiple peripherals. We followed responsible disclosure procedures and reported a total of 34 bugs, out of which 17 were classified as security critical. Affected vendors confirmed 14 of these bugs, and as a result, EL3XIR was assigned six CVEs.