Trusted Execution Environments (TEEs) embedded in IoT devices provide a deployable way to secure IoT applications at the hardware level. Within a TEE, the Trusted Operating System (Trusted OS) is the primary component: it is what lets the TEE offer security services such as data encryption and identity authentication. Once a Trusted OS has been exploited, the TEE can no longer ensure security. However, Trusted OSes for IoT devices have received little security analysis, and such analysis is challenging for several reasons: (1) Trusted OSes are closed-source and offer an unfavorable environment for sending test cases and collecting feedback. (2) Trusted OSes have complex data structures and require a stateful workflow, which limits existing vulnerability detection tools. To address these challenges, we present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes. SyzTrust adopts a hardware-assisted framework to fuzz Trusted OSes directly on IoT devices while tracking state and code coverage non-invasively. SyzTrust uses composite feedback to guide the fuzzer toward exploring more states as well as increasing code coverage. We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud. These systems run on Cortex M23/33 MCUs, which provide the necessary abstraction for embedded TEEs. We discovered 70 previously unknown vulnerabilities in their Trusted OSes, receiving 10 new CVEs so far. Furthermore, compared to the baseline, SyzTrust demonstrates significant improvements, including 66% higher code coverage, 651% higher state coverage, and 31% improved vulnerability-finding capability. We have reported all newly discovered vulnerabilities to the vendors and have open-sourced SyzTrust.
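The composite-feedback idea in the abstract (keeping a test case when it reaches a new combination of service state and code path, not only when it hits new code) can be shown in miniature. The Python below is an added illustration and is not SyzTrust's code: the target `ToyTrustedService`, its numbered states, its command names, the edge labels and the mutation strategy are all constructed assumptions, and a real Trusted OS would be driven over a hardware interface with state and coverage tracked non-invasively, as the abstract describes.

```python
"""Toy state-aware fuzzer with composite (state, code-edge) feedback.

Added example, not SyzTrust's code. The target is a constructed, simplified
stateful service with a session lifecycle; edge names stand in for the
code-coverage events a real harness would collect from hardware tracing.
"""
import random
from typing import List, Optional, Set, Tuple

Cmd = Tuple[str, Optional[bytes]]


class ToyTrustedService:
    """Constructed stand-in for a Trusted OS service.
    States (assumed): 0 = no session, 1 = session open, 2 = key loaded, 3 = closed."""

    def __init__(self) -> None:
        self.state = 0
        self.key: Optional[bytes] = None
        self.edges: Set[str] = set()  # code edges hit by the most recent call

    def _hit(self, edge: str) -> None:
        self.edges.add(edge)

    def call(self, cmd: str, arg: Optional[bytes]) -> int:
        self.edges = set()
        if cmd == "open":
            if self.state == 0:
                self._hit("open_ok"); self.state = 1; return 0
            self._hit("open_bad_state"); return -1
        if cmd == "load_key":
            if self.state != 1:
                self._hit("load_bad_state"); return -1
            if arg is None or len(arg) != 16:
                self._hit("load_bad_len"); return -2
            self._hit("load_ok"); self.key = arg; self.state = 2; return 0
        if cmd == "encrypt":
            if self.state != 2:
                self._hit("enc_bad_state"); return -1
            self._hit("enc_ok"); return 0
        if cmd == "close":
            if self.state in (1, 2):
                self._hit("close_ok"); self.state = 3; self.key = None; return 0
            self._hit("close_bad_state"); return -1
        self._hit("unknown_cmd"); return -3


def run_sequence(seq: List[Cmd]):
    """Run one test case on a fresh service and return its feedback:
    composite = {(state_before_call, edge)}, plus the plain edge and state sets."""
    svc = ToyTrustedService()
    composite: Set[Tuple[int, str]] = set()
    edges: Set[str] = set()
    states: Set[int] = {svc.state}
    for cmd, arg in seq:
        before = svc.state
        svc.call(cmd, arg)
        composite.update((before, e) for e in svc.edges)
        edges |= svc.edges
        states.add(svc.state)
    return composite, edges, states


# Constructed command/argument pool for mutation; b"short" exercises the length check.
CMDS = ["open", "load_key", "encrypt", "close", "bogus"]
ARGS: List[Optional[bytes]] = [None, b"k" * 16, b"short"]
HAPPY_PATH: List[Cmd] = [("open", None), ("load_key", b"k" * 16), ("encrypt", None), ("close", None)]


def mutate(seq: List[Cmd], rng: random.Random) -> List[Cmd]:
    """Append, replace or delete one command (constructed, deliberately simple)."""
    seq = list(seq)
    op = rng.randrange(3)
    if op == 0 or not seq:
        seq.append((rng.choice(CMDS), rng.choice(ARGS)))
    elif op == 1:
        seq[rng.randrange(len(seq))] = (rng.choice(CMDS), rng.choice(ARGS))
    else:
        del seq[rng.randrange(len(seq))]
    return seq


def fuzz(seeds: List[List[Cmd]], iterations: int = 300, seed: int = 1, state_aware: bool = True):
    """Coverage-guided loop. With state_aware=True an input is kept when it adds a
    new (state, edge) pair; with False only new edges count (the plain baseline)."""
    rng = random.Random(seed)
    corpus: List[List[Cmd]] = []
    seen_comp: Set[Tuple[int, str]] = set()
    seen_edges: Set[str] = set()
    seen_states: Set[int] = set()

    def consider(seq: List[Cmd]) -> bool:
        comp, edges, states = run_sequence(seq)
        novel = (comp - seen_comp) if state_aware else (edges - seen_edges)
        seen_comp.update(comp); seen_edges.update(edges); seen_states.update(states)
        if novel:
            corpus.append(seq)
        return bool(novel)

    for s in seeds:
        consider(s)
    if not corpus:
        raise ValueError("seed corpus produced no coverage; supply a non-empty seed")
    for _ in range(iterations):
        consider(mutate(rng.choice(corpus), rng))
    return corpus, seen_comp, seen_edges, seen_states
```

Replaying every corpus entry reproduces exactly the recorded composite coverage, which is the property a state-aware corpus must keep so that any crash found later can be reproduced from a saved sequence. Running `fuzz` with `state_aware=False` on the same seed shows the baseline keeping fewer inputs, because an edge such as `load_bad_state` looks identical whether it was reached from state 0 or state 3.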