Martijn Bogaard

Senior Security Analyst, Riscure


Talk Title

Fuzzing embedded (trusted) operating systems using AFL

Abstract:

Trusted Execution Environments (TEEs) play an increasing role in the security of embedded systems. As more and more security-critical tasks are moved into the TEE, its complexity, and with it the risk of vulnerabilities, increases as well. By now a TEE is a small operating system in its own right: it runs trusted applications and exposes drivers and other services through a system call interface.

In this talk we present a syzkaller-inspired fuzzing framework for OP-TEE that uses an unmodified version of AFL, with coverage tracking integrated into the TEE kernel through compile-time injected hooks. Because the coverage data is handed to the non-secure world, the framework can be used to test any code running in the kernel: the interface exposed to the non-secure world, as well as trusted applications embedded in the kernel and the system call interface they use. We discuss the challenges of fuzzing a (trusted) operating system running non-virtualized on an actual device, and our approach that allows an unmodified AFL to run as a Linux application in the non-secure world. Additionally, we discuss how we created a useful set of initial inputs to seed AFL. The approach discussed in this talk is not limited to OP-TEE and could be used for any (trusted) operating system.
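To make the two mechanisms in the abstract concrete, the following is an added illustration and not code from the talk, from Riscure or from OP-TEE. It shows (a) an AFL-style edge-coverage hook of the kind a compile-time pass would inject at every basic block, feeding a 64 KiB map that an unmodified AFL can consume, and (b) the "did this input reach a new edge" test that decides whether an input is worth keeping as a seed. The toy `tee_syscall` dispatcher, its syscall numbers, the hook locations and the sample inputs are all made up; only `MAP_SIZE`, the `prev ^ cur` edge hashing and the `__AFL_SHM_ID` environment variable match what AFL actually does.

```c
/*
 * Constructed example of AFL-style edge coverage from compile-time hooks in a
 * toy TEE syscall handler, plus the new-edge test used to keep interesting
 * inputs. Syscall numbers, hook ids and inputs are invented for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/shm.h>

#define MAP_SIZE (1 << 16)               /* AFL's default 64 KiB coverage map */

static uint8_t  trace_map[MAP_SIZE];     /* edge hit counts for the current run */
static uint8_t  seen_map[MAP_SIZE];      /* edges reached by any earlier run */
static uint32_t prev_location;

/* Hook a coverage pass (e.g. -fsanitize-coverage=trace-pc routed here) would
 * call at each basic block. Same scheme as AFL's instrumentation: the edge is
 * prev ^ cur, and prev is shifted so A->B and B->A land in different cells. */
void coverage_hook(uint32_t cur_location)
{
    cur_location &= MAP_SIZE - 1;
    trace_map[cur_location ^ prev_location]++;
    prev_location = cur_location >> 1;
}

void coverage_reset(void)
{
    memset(trace_map, 0, sizeof trace_map);
    prev_location = 0;
}

void seen_reset(void)
{
    memset(seen_map, 0, sizeof seen_map);
}

/* Toy stand-in for a TEE kernel syscall dispatcher (hypothetical). Hooks are
 * placed by hand where the compiler pass would insert them. */
int tee_syscall(uint32_t nr, const uint8_t *buf, size_t len)
{
    coverage_hook(0x100);                       /* dispatcher entry */
    switch (nr) {
    case 1:                                     /* "open session" */
        coverage_hook(0x200);
        if (len < 4) { coverage_hook(0x201); return -1; }
        coverage_hook(0x202);
        return 0;
    case 2:                                     /* "invoke command" */
        coverage_hook(0x300);
        if (len == 0 || buf[0] != 0x42) { coverage_hook(0x301); return -1; }
        coverage_hook(0x302);
        return 1;
    default:
        coverage_hook(0x400);                   /* unknown syscall */
        return -2;
    }
}

/* Edges in trace_map never seen before; marks them seen. An input that
 * returns > 0 here is what a fuzzer keeps in its queue. */
size_t count_new_edges(void)
{
    size_t new_edges = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (trace_map[i] && !seen_map[i]) { seen_map[i] = 1; new_edges++; }
    return new_edges;
}

/* One iteration: run the syscall on a fresh map, report new edges found.
 * out_rc (may be NULL) receives the syscall's return value. */
size_t fuzz_one(uint32_t nr, const uint8_t *buf, size_t len, int *out_rc)
{
    coverage_reset();
    int rc = tee_syscall(nr, buf, len);
    if (out_rc) *out_rc = rc;
    return count_new_edges();
}

/* Under AFL, the non-secure-world harness publishes trace_map into the shared
 * memory segment AFL created; AFL passes its id in __AFL_SHM_ID.
 * Returns NULL when not running under AFL. */
uint8_t *afl_attach_map(void)
{
    const char *id = getenv("__AFL_SHM_ID");
    if (!id) return NULL;
    void *p = shmat(atoi(id), NULL, 0);
    return p == (void *)-1 ? NULL : (uint8_t *)p;
}

int main(void)
{
    static const uint8_t open_ok[]   = { 'a', 'b', 'c', 'd' };  /* constructed */
    static const uint8_t invoke_ok[] = { 0x42 };                /* constructed */
    int rc;
    printf("open session: %zu new edges\n", fuzz_one(1, open_ok, sizeof open_ok, &rc));
    printf("same input:   %zu new edges\n", fuzz_one(1, open_ok, sizeof open_ok, &rc));
    printf("invoke:       %zu new edges\n", fuzz_one(2, invoke_ok, sizeof invoke_ok, &rc));
    uint8_t *afl_map = afl_attach_map();
    if (afl_map) memcpy(afl_map, trace_map, MAP_SIZE);  /* hand the map to AFL */
    return 0;
}
```

On a real target the hook body lives in the TEE kernel and `trace_map` is a buffer shared with the non-secure world; the Linux-side harness only has to copy it into AFL's segment after each run, which is what lets AFL itself stay unmodified.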

Bio:

Martijn Bogaard is a Senior Security Analyst at Riscure, where he focuses most of his time on analyzing the security of low-level embedded software (bootloaders, operating systems) and is slowly expanding into embedded hardware security. Recent research interests include the effects of fault injection on software, TEE (in-)security and leveraging the hardware to attack software.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved