A Coverage-Guided Fuzzing Framework for Trusted Execution Environments.

IEEE International Conference on High Performance Computing and Communications (2021)

Abstract
With the rapid development of the Internet, data security faces new challenges. As the interface between hardware and user-level applications, the operating system is a critical component in ensuring the security of sensitive data. A trusted execution environment (TEE) is a special operating system that aims to prevent illegal access to and tampering with sensitive data. Thus, the security of the trusted operating system is essential for the whole system. Fuzzing is a promising technique that is widely used to identify vulnerabilities in operating systems and applications. In this paper, we present the design and implementation of a coverage-guided fuzzing framework for trusted operating systems. Specifically, we build a system that can perform fuzz testing for OP-TEE, a widespread TrustZone operating system. To improve efficiency, our system contains several purpose-built components, which include seed generation and test case mutation to achieve higher coverage, coverage collection, and automatic bug reproduction. With extensive evaluation, we trigger 38 crashes in OP-TEE. In terms of performance, the average execution speed of our system is 79.4 test cases per second. In summary, we show that fuzzing is a feasible and effective approach to testing trusted operating systems.
Keywords
Fuzzing, Operating System, Trusted Computing