Trusted Execution Environments (TEEs) play an increasing role in the security of embedded systems, and one of the leading open-source solutions is OP-TEE by Linaro. As more and more security-critical tasks are moved into the TEE, its complexity, and thus the risk of vulnerabilities, increases as well. By now TEEs are small operating systems running trusted applications, with a system call interface that exposes drivers and other services.
In this talk we present a fuzzing framework for OP-TEE that uses an unmodified version of AFL, with coverage tracking integrated into the TEE kernel through compile-time injected hooks. By providing the coverage data to the non-secure world, the framework can be used to test any code running in the kernel: the interface exposed to the non-secure world, trusted applications embedded in the kernel, and the system call interface.
We discuss the challenges of fuzzing a (trusted) operating system running non-virtualized on an actual device, as well as our approach that allows an unmodified version of AFL to run as a Linux application in the non-secure world. Additionally, we discuss how we created a useful set of initial inputs to seed AFL. The approach discussed in this talk is not limited to OP-TEE but could be used for any (trusted) operating system.
Finally, we discuss some of the latest improvements to the framework, which make it more efficient, and some of the issues found by fuzzing OP-TEE.
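To make the coverage-tracking idea concrete, here is an added C sketch (not Riscure's framework code) of an AFL-style edge bitmap updated by a per-basic-block hook; the block ids, the toy request handler and the simplified new-edge check are assumptions, and in the talk's setting the bitmap would live in memory the non-secure world can read so that AFL consumes it unchanged.

```c
#include <stdint.h>
#include <string.h>

#define MAP_SIZE (1u << 16)

static uint8_t coverage_map[MAP_SIZE]; /* edge bitmap AFL reads after each run */
static uint8_t virgin_map[MAP_SIZE];   /* 0xff = edge never seen this campaign */
static uint16_t prev_location;         /* previous block id, already shifted */

/* The hook the instrumentation inserts at every basic block; here the toy
 * kernel function calls it by hand with hypothetical compile-time block ids. */
void cov_hook(uint16_t cur_location)
{
    /* AFL edge id: cur ^ (prev >> 1), so A->B and B->A land on different entries */
    coverage_map[cur_location ^ prev_location]++;
    prev_location = cur_location >> 1;
}

/* Per-execution reset: clear the shared bitmap and the edge predecessor. */
void cov_begin_run(void)
{
    memset(coverage_map, 0, sizeof coverage_map);
    prev_location = 0;
}

/* Per-campaign reset: mark every edge as not yet seen. */
void cov_reset_campaign(void) { memset(virgin_map, 0xff, sizeof virgin_map); }

/* Simplified has_new_bits: did this run reach any edge no earlier run did?
 * (Real AFL also bucketises hit counts; this only tracks hit/not hit.) */
int cov_has_new_edges(void)
{
    int found = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (coverage_map[i] && virgin_map[i]) { virgin_map[i] = 0; found = 1; }
    return found;
}

/* Toy stand-in for a TEE kernel entry point handling a non-secure request. */
int handle_request(const uint8_t *buf, size_t len)
{
    cov_hook(0x1001);
    if (len < 2)        { cov_hook(0x1002); return -1; }
    if (buf[0] == 0xAA) { cov_hook(0x1003); return buf[1]; }
    cov_hook(0x1004);
    return 0;
}
```

A harness would call cov_begin_run() before each input, hand the input to the kernel entry point, and let AFL (or cov_has_new_edges() here) decide whether the input is worth keeping.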
Senior Security Analyst at Riscure
Martijn Bogaard is a Senior Security Analyst at Riscure, where he focuses most of his time on analyzing the security of low-level embedded software (bootloaders, operating systems) and is slowly expanding into embedded hardware security. Recent research interests include the effects of fault injection on software, TEE (in-)security and leveraging the hardware to attack software.