TEEzz: Fuzzing Trusted Applications on COTS Android Devices

Marcel Busch, Aravind Machiry, Chad Spensky, G. Vigna, Christopher Kruegel, Mathias Payer
2023 IEEE Symposium on Security and Privacy (SP), published 2023-05-01. DOI: 10.1109/SP46215.2023.10179302
Citations: 5

Abstract

Security and privacy-sensitive smartphone applications use trusted execution environments (TEEs) to protect sensitive operations from malicious code. By design, TEEs have privileged access to the entire system but expose little to no insight into their inner workings. Moreover, real-world TEEs enforce strict format and protocol interactions when communicating with trusted applications (TAs), which prohibits effective automated testing. TEEzz is the first TEE-aware fuzzing framework capable of effectively fuzzing TAs in situ on production smartphones, i.e., the TA runs in the encrypted and protected TEE and the fuzzer may only observe interactions with the TA but has no control over the TA's code or data. Unlike traditional fuzzing techniques, which monitor the execution of a program being fuzzed and view its memory after a crash, TEEzz only requires a limited view of the target. TEEzz overcomes key limitations of TEE fuzzing (e.g., lack of visibility into the executed TAs, proprietary exchange formats, and value dependencies of interactions) by automatically attempting to infer the field types and message dependencies of the TA API through its interactions, designing state- and type-aware fuzzing mutators, and creating an in situ, on-device fuzzer. Due to the limited availability of systematic fuzzing research for TAs on commercial-off-the-shelf (COTS) Android devices, we extensively examine existing solutions, explore their limitations, and demonstrate how TEEzz improves the state of the art. First, we show that general-purpose kernel driver fuzzers are ineffective for fuzzing TAs. Then, we establish a baseline for fuzzing TAs using a ground-truth experiment. We show that TEEzz outperforms other blackbox fuzzers, can improve greybox approaches (if TA source code is available), and even outperforms greybox approaches for stateful targets. We found 13 previously unknown bugs in the latest versions of OP-TEE TAs in total, out of which TEEzz is the only fuzzer to trigger three. We also ran TEEzz on popular phones and found 40 unique bugs, for which one CVE has been assigned so far.