Martijn Bogaard

Senior Security Analyst, Riscure


Talk Title

Fuzzing embedded (trusted) operating systems using AFL


Trusted Execution Environments (TEEs) play an increasing role in the security of embedded systems. As more and more security-critical tasks are moved into the TEE, its complexity, and with it the risk of vulnerabilities, increases as well. By now a TEE is a small operating system that runs trusted applications and exposes a system call interface to drivers and other services.

In this talk we present a syzkaller-inspired fuzzing framework for OP-TEE that uses an unmodified version of AFL, with coverage tracking integrated in the TEE kernel through compile-time injected hooks. The framework can be used to test any code running in the kernel, such as the interface exposed to the non-secure world, as well as trusted applications embedded in the kernel and the system call interface, by providing the coverage data to the non-secure world. We discuss the challenges of fuzzing a (trusted) operating system running non-virtualized on an actual device, as well as our approach that allows an unmodified version of AFL to run as a Linux application in the non-secure world. Additionally, we discuss how we created a useful set of initial inputs to seed AFL. The approach discussed in this talk is not limited to OP-TEE but could be used for any (trusted) operating system.
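As an added illustration (not code from the talk or from Riscure's framework) of what a compile-time injected hook inside a TEE kernel has to do so that an unmodified AFL can consume its coverage: the hook below fills an AFL-compatible edge bitmap. It assumes the kernel is built with clang's `-fsanitize-coverage=trace-pc`, which emits a call to `__sanitizer_cov_trace_pc` at every basic block, and that the bitmap is later copied to the non-secure world; the `block_id` mix is a constructed stand-in for the random block ids AFL's own instrumentation uses.

```c
/* Added example: AFL-style edge coverage from a compile-time injected hook.
 * Assumption: the compiler calls __sanitizer_cov_trace_pc at each basic block
 * (clang -fsanitize-coverage=trace-pc); MAP_SIZE matches AFL's default. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAP_SIZE (1u << 16)          /* AFL's default 64 KiB bitmap */

/* Bitmap handed to AFL in the non-secure world (here a plain static array). */
uint8_t afl_area[MAP_SIZE];
static uint16_t prev_loc;            /* id of the previous block, shifted by one */

/* Reduce a return address to a 16-bit block id. Constructed hash; AFL's
 * instrumentation assigns a compile-time random id per block instead. */
static inline uint16_t block_id(uintptr_t pc) {
    uint64_t x = (uint64_t)pc;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL; x ^= x >> 33;
    return (uint16_t)(x & (MAP_SIZE - 1));
}

/* AFL edge index: cur ^ (prev >> 1), so that A->B and B->A map differently. */
uint16_t afl_edge(uint16_t cur, uint16_t prev_shifted) {
    return cur ^ prev_shifted;
}

/* Hook the compiler inserts at every basic block of the instrumented kernel. */
void __sanitizer_cov_trace_pc(void) {
    uint16_t cur = block_id((uintptr_t)__builtin_return_address(0));
    afl_area[afl_edge(cur, prev_loc)]++;   /* 8-bit counter; AFL tolerates wrap */
    prev_loc = cur >> 1;
}

/* Called before each fuzz input is executed so that runs are comparable. */
void afl_reset_coverage(void) {
    memset(afl_area, 0, sizeof afl_area);
    prev_loc = 0;
}

/* Number of distinct edges hit in the current run (what AFL compares). */
size_t afl_edges_hit(void) {
    size_t n = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) n += afl_area[i] != 0;
    return n;
}
```

In a real setup the bitmap lives in memory shared with the non-secure world and AFL's fork server is replaced by a harness that resets the map, submits the input over the TEE interface and returns the map to AFL.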


Martijn Bogaard is a Senior Security Analyst at Riscure, where he focuses most of his time on analyzing the security of low-level embedded software (bootloaders, operating systems) and is slowly expanding into embedded hardware security. Recent research interests include the effects of fault injection on software, TEE (in-)security and leveraging the hardware to attack software.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved