Hardwear.io NL 2023 | TEEzz: Fuzzing Trusted Applications On COTS Android Devices - Marcel Busch

  237 views

hardwear.io

5 months ago

TEEzz is the first TEE-aware fuzzing framework capable of effectively fuzzing TAs in situ on production smartphones, i.e., the TA runs in the encrypted and protected TEE and the fuzzer may only observe interactions with the TA but has no control over the TA’s code or data. Unlike traditional fuzzing techniques, which monitor the execution of a program being fuzzed and view its memory after a crash, TEEzz only requires a limited view of the target. TEEzz overcomes key limitations of TEE fuzzing (e.g., lack of visibility into the executed TAs, proprietary exchange formats, and value dependencies of interactions) by automatically attempting to infer the field types and message dependencies of the TA API through its interactions, designing state- and type-aware fuzzing mutators, and creating an in situ, on-device fuzzer.
We found 13 previously unknown bugs in the latest versions of OP-TEE TAs. We also ran TEEzz on popular phones and found 40 unique bugs, for which one CVE has been assigned so far.
#hw_ioNL2023 #fuzzing #android #TEE
-------------------------------------------------------------------------------------------------------------------------------------------------------
Website: hardwear.io
X : / hardwear_io
LinkedIn: / hardwear.io-hardwarese...
Facebook: / hardwear.io
