TEEFuzzer: A fuzzing framework for trusted execution environments with heuristic seed mutation

FUTURE GENERATION COMPUTER SYSTEMS-THE INTERNATIONAL JOURNAL OF ESCIENCE (2023)

Abstract
With the rapid development of the Internet, data security faces new challenges. As a bridge between the underlying hardware and upper-layer applications, the operating system plays a critical role in securing sensitive data. Trusted execution environments (TEEs) are special operating systems that aim to prevent illegal access to and tampering with sensitive data. Thus, TEEs have much stricter security requirements than normal operating systems. Fuzzing is a promising technique that is widely used to identify vulnerabilities in operating systems and applications. However, existing fuzzing frameworks are not directly applicable to TEE-enabled devices due to the specific architecture of TEE-based systems. In this paper, we present the design and implementation of a coverage-guided fuzzing framework for trusted execution environments. Specifically, we build TEEFuzzer, a system that can perform fuzz testing for the Open Portable Trusted Execution Environment (OP-TEE), which is a widespread TrustZone operating system. Our system contains several purpose-built components: a seed generation module and a heuristic seed mutation module to achieve higher coverage, a coverage collection module, and an automatic bug-reproducing module to improve efficiency. In extensive evaluations, 38 crashes were triggered in OP-TEE. In terms of performance, the average execution speed of TEEFuzzer is 79.4 test cases per second. In summary, we show that fuzzing is a feasible and effective approach to testing trusted execution environments. © 2023 Elsevier B.V. All rights reserved.
Keywords
Fuzzing, Trusted computing, Particle swarm, Heuristic seed mutation, TrustZone, Trusted execution environment