Trusted Execution Environments (TEEs) are deployed in many CPU designs because of the confidentiality and integrity guarantees they provide. ARM TrustZone is a TEE that is extensively deployed on smartphones, IoT devices, and notebooks. Specifically, TrustZone separates code execution and data into two worlds, the normal world and the secure world. However, this separation inherently prevents traditional fuzzing approaches, which rely on coverage-guided feedback, and existing fuzzing research on TrustZone is therefore extremely limited. In this paper, we present a native and generic method for efficient and scalable feedback-driven fuzzing of Trusted Applications (TAs) using ARM CoreSight. We propose LightEMU, a novel fuzzing framework that allows us to fuzz TAs by decoupling them from the TEE they rely on. We argue that LightEMU is a promising first-stage approach for rapidly discovering TA vulnerabilities before investing effort in whole-system TEE evaluation, precisely because the majority of publicly disclosed TrustZone bugs reside in the TA code itself. We implement LightEMU, adapt it to Teegris, Trusty, OP-TEE and QSEE, and evaluate it on 8 real-world TAs, triggering 3 unique crashes and achieving a 10x speedup in fuzzing time compared with the state-of-the-art TrustZone fuzzing framework.
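The two ideas the abstract combines, calling a TA directly once it is decoupled from its TEE and using a hardware-style execution trace as coverage feedback, are shown below as an added, constructed model; it is not LightEMU's code and not code from any of the TEEs named above. `ta_invoke_command()` is a toy TA with a deliberately missing bounds check on a caller-supplied length field, and the basic-block list it fills is an assumption standing in for a decoded ARM CoreSight ETM trace. All names (`TRACE`, `TACrash`, `run_with_coverage`, `fuzz`) are hypothetical.

```python
"""
Constructed model of feedback-driven fuzzing of a TA that has been decoupled
from its TEE. Added example, not LightEMU's code. The toy TA and the
basic-block TRACE (a stand-in for a decoded CoreSight trace) are assumptions.
"""
import random

# Assumption: a decoded CoreSight trace reduces to the sequence of basic
# blocks executed. The toy TA appends a block id at each block entry.
TRACE = []


class TACrash(Exception):
    """Stand-in for the memory-safety fault a real TA would hit (e.g. a data abort)."""


def _bb(block_id):
    """Record entry into a basic block, as a trace decoder would report it."""
    TRACE.append(block_id)


def ta_invoke_command(msg):
    """Toy TA entry point for messages of the form [cmd:1][len:1][payload].

    Because the TA is called as a plain function there is no SMC, no secure
    monitor and no normal/secure world switch: that decoupling is what lets the
    fuzzer observe coverage at all.
    """
    _bb(0)
    if len(msg) < 2:
        _bb(1)
        return "bad_request"
    cmd, length = msg[0], msg[1]
    payload = msg[2:2 + length]
    if cmd == 1:                      # echo command
        _bb(2)
        return payload.hex()
    if cmd == 2:                      # store into a fixed 16-byte buffer
        _bb(3)
        buf = bytearray(16)
        if length > len(buf):         # bug: the TA trusts the caller-supplied len
            _bb(4)
            raise TACrash("buffer overflow: len=%d" % length)
        _bb(5)
        buf[:len(payload)] = payload
        return "stored"
    _bb(6)
    return "unknown_cmd"


def run_with_coverage(msg):
    """Invoke the TA once; return (result, set of block-to-block edges, crashed)."""
    del TRACE[:]
    crashed = False
    try:
        result = ta_invoke_command(msg)
    except TACrash as exc:
        result, crashed = str(exc), True
    edges = set(zip(TRACE, TRACE[1:]))
    return result, edges, crashed


def mutate(rng, data):
    """One random byte-level mutation: overwrite a byte, append a byte, or flip a bit."""
    data = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data.append(rng.randrange(256))
    elif data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    return bytes(data)


def fuzz(seed=1, max_iters=20000):
    """Coverage-guided loop: keep inputs that reach new edges, stop at the first crash."""
    rng = random.Random(seed)
    corpus = [b"\x01\x00"]            # constructed benign seed: echo with empty payload
    seen_edges = set()
    for inp in corpus:
        seen_edges |= run_with_coverage(inp)[1]
    for i in range(1, max_iters + 1):
        child = mutate(rng, rng.choice(corpus))
        _, edges, crashed = run_with_coverage(child)
        if crashed:
            return {"crash": child, "iters": i, "corpus": len(corpus), "edges": len(seen_edges)}
        if edges - seen_edges:        # new coverage: this input is worth keeping
            seen_edges |= edges
            corpus.append(child)
    return {"crash": None, "iters": max_iters, "corpus": len(corpus), "edges": len(seen_edges)}


if __name__ == "__main__":
    r = fuzz()
    print("crash input %r after %d iterations (corpus=%d, edges=%d)"
          % (r["crash"], r["iters"], r["corpus"], r["edges"]))
```

The fuzzer reaches the crash only after coverage feedback has kept an input with `cmd == 2` in the corpus, which is the whole point of the approach: without edge feedback from the trace, the loop would have no reason to prefer that input over the echo seed. In the setting the abstract describes, the trace would come from CoreSight rather than from instrumentation, and the handler would be the TA binary extracted from the target TEE.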