
Trusted Execution Environment Kernel Fuzzing And Its Seed Generation Method

Posted on: 2023-06-27
Degree: Master
Type: Thesis
Country: China
Candidate: P Y Deng
Full Text: PDF
GTID: 2558307097994759
Subject: Computer technology
Abstract/Summary:
As the functionality of modern operating systems grows more complex and the computing environment is opened to ever more software, traditional security mechanisms find it harder to protect users' sensitive data. A Trusted Execution Environment (TEE) was proposed to address this: an isolated environment with its own operating system, designed to prevent unauthorized access to and tampering with sensitive data, and thereby to support the security, privacy and data protection of system computing. However, as TEEs are deployed in many fields, potential security risks in the TEE kernel itself have surfaced. Fuzzing, a classic technique for finding vulnerabilities in operating systems and applications, has therefore been brought to the security analysis of TEEs. Although many effective fuzzing frameworks exist for ordinary operating-system kernels, they cannot be applied directly to TEE kernels because of the TEE's isolation (the applicability problem). In addition, because little prior work targets TEE kernel security, ordinary fuzzing frameworks lack an adequate supply of input seeds (the seed scarcity problem). To address these two problems, this thesis designs a TEE kernel fuzzing framework together with a seed generation method. For the applicability problem, it designs a fuzzing framework adapted to the TEE kernel, consisting of a seed generation module, a fuzzer module, a client application module, a trusted application module, and an in-kernel coverage collection and feedback module. For the seed scarcity problem, it designs a seed generation method for the framework's seed generation module. The method has five steps: collecting system call sequences, identifying system call dependencies, generating system call constraints, generating seeds, and selecting seeds.

The main contributions of this thesis are listed below:
(1) A TEE kernel fuzzing framework is designed, which solves the problem of applying fuzzing techniques to TEE kernels.
(2) A seed generation method is designed for the seed generation module of the framework. It increases the number of OP-TEE code execution paths found by 3457 and finds one additional crash.
(3) The method is used to conduct security research on the OP-TEE kernel, exercising 3694 code execution paths and finding 3 vulnerabilities in the OP-TEE kernel.
(4) Experiments are designed to analyze the effectiveness and bottlenecks of the framework and the seed generation method, and directions for future research are given.
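The five-step seed generation method described above, worked through as an added example that is not the thesis's code. The syscall names follow OP-TEE's kernel syscall naming; the traces, handle values (0x10, 0x11, 0x20) and argument values are constructed, and the coverage function is a stand-in for the framework's in-kernel coverage feedback, which this example does not reproduce.

```python
"""Seed generation for TEE kernel fuzzing in five steps: collect syscall
sequences, identify dependencies, derive constraints, generate seeds, select
seeds.  Added example, not the thesis's code.  Traces, handle numbers and
argument values are constructed; the coverage function stands in for the
framework's in-kernel feedback."""
from collections import defaultdict
import random

# Step 1: collected syscall sequences, one tuple per call: (name, inputs, outputs).
# Constructed traces; 0x10, 0x11 and 0x20 are hypothetical handle values.
TRACES = [
    [("syscall_cryp_obj_alloc", {"obj_type": 0xA0000000, "max_key_size": 256}, {"obj": 0x10}),
     ("syscall_cryp_obj_populate", {"obj": 0x10, "attr_count": 1}, {}),
     ("syscall_cryp_obj_close", {"obj": 0x10}, {})],
    [("syscall_cryp_state_alloc", {"algo": 0x50000001, "op_mode": 0}, {"state": 0x20}),
     ("syscall_hash_init", {"state": 0x20, "iv_len": 0}, {}),
     ("syscall_hash_final", {"state": 0x20, "chunk_size": 4, "hash_len": 32}, {}),
     ("syscall_cryp_state_free", {"state": 0x20}, {})],
    [("syscall_cryp_obj_alloc", {"obj_type": 0xA0000001, "max_key_size": 128}, {"obj": 0x11}),
     ("syscall_cryp_obj_get_info", {"obj": 0x11}, {}),
     ("syscall_cryp_obj_close", {"obj": 0x11}, {})],
]


def find_dependencies(traces):
    """Step 2: a non-zero value output by an earlier call and consumed by a later
    call in the same trace is a (producer -> consumer) dependency."""
    deps = defaultdict(set)            # (consumer, arg) -> {(producer, output name)}
    for trace in traces:
        produced = {}                  # value -> (producer, output name)
        for name, ins, outs in trace:
            for arg, val in ins.items():
                if val and val in produced:
                    deps[(name, arg)].add(produced[val])
            for out, val in outs.items():
                produced[val] = (name, out)
    return dict(deps)


def build_constraints(traces, deps):
    """Step 3: per syscall, which args are handles (and their producer), observed
    values of plain args, what it produces, and which handle args it releases
    (no trace ever uses that handle again after the call)."""
    cons, not_last = {}, set()
    for trace in traces:
        uses = []                      # (name, arg, value) of handle uses so far
        for name, ins, outs in trace:
            c = cons.setdefault(name, {"handles": {}, "values": defaultdict(set),
                                       "produces": set(), "releases": set()})
            c["produces"].update(outs)
            for arg, val in ins.items():
                if (name, arg) in deps:
                    c["handles"][arg] = sorted(deps[(name, arg)])[0]
                    not_last.update((n, a) for n, a, v in uses if v == val)
                    uses.append((name, arg, val))
                else:
                    c["values"][arg].add(val)
    for name, arg in set(deps) - not_last:
        cons[name]["releases"].add(arg)
    return cons


def generate_seed(target, cons, rng, mutate_prob=0.3):
    """Step 4: one sequence reaching `target`: producers of its handles come first,
    handles still live afterwards are released at the end, plain args are observed
    values mutated with probability mutate_prob.  Handles are symbolic ("h1", ...)
    so the client application can bind them at run time."""
    releasers = {c["handles"][a]: r for r, c in cons.items() for a in c["releases"]}
    seq, live, count = [], {}, 0

    def emit(name):
        nonlocal count
        args = {}
        for arg, producer in cons[name]["handles"].items():
            if producer not in live:
                emit(producer[0])
            args[arg] = live[producer]
            if arg in cons[name]["releases"]:
                del live[producer]
        for arg, vals in cons[name]["values"].items():
            val = rng.choice(sorted(vals))
            if rng.random() < mutate_prob:
                val = rng.getrandbits(32)
            args[arg] = val
        outs = {}
        for out in sorted(cons[name]["produces"]):
            count += 1
            outs[out] = live[(name, out)] = f"h{count}"
        seq.append((name, args, outs))

    emit(target)
    for producer in list(live):
        if producer in releasers:
            emit(releasers[producer])
    return seq


def generate_seeds(cons, n, seed=1):
    rng, targets = random.Random(seed), sorted(cons)
    return [generate_seed(targets[i % len(targets)], cons, rng) for i in range(n)]


def is_well_formed(seed, cons):
    """Every handle arg must name a handle produced earlier and not yet released."""
    live = set()
    for name, args, outs in seed:
        for arg, val in args.items():
            if isinstance(val, str):
                if val not in live:
                    return False
                if arg in cons[name]["releases"]:
                    live.discard(val)
        live.update(outs.values())
    return True


def transition_coverage(seed):
    """Stand-in for in-kernel coverage: call transitions plus a coarse bucket per
    argument, so seeds differing only within a bucket count as the same path."""
    cov, prev = set(), None
    for name, args, _ in seed:
        cov.add((prev, name))
        for arg, val in args.items():
            bucket = ("handle" if isinstance(val, str) else
                      "zero" if val == 0 else "small" if val < 1 << 16 else "large")
            cov.add((name, arg, bucket))
        prev = name
    return frozenset(cov)


def select_seeds(seeds, coverage_of=transition_coverage):
    """Step 5: keep a seed only if it covers something the kept set does not."""
    kept, covered = [], set()
    for seed in seeds:
        cov = coverage_of(seed)
        if cov - covered:
            kept.append(seed)
            covered |= cov
    return kept


if __name__ == "__main__":
    cons = build_constraints(TRACES, find_dependencies(TRACES))
    seeds = generate_seeds(cons, 40)
    print(len(seeds), "generated,", len(select_seeds(seeds)), "kept")
```

Two caveats a practitioner would want: the dependency step only sees values flowing from an output into a later input, so ordering that is not visible as handle flow (a hash state that must be initialised before it is finalised) is not captured and must be added as an explicit ordering constraint; and a small handle number colliding with an ordinary argument value would be misclassified as a dependency, so real traces should tag handle-typed outputs rather than rely on value matching. The selection step is only as good as its coverage signal, which in the framework comes from the kernel, not from the bucket heuristic used here.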
Keywords/Search Tags: Trusted execution environment, Kernel, Fuzzing, Seed generation method