Talk

EL3XIR: Fuzzing COTS Secure Monitors

March 13, 16:00 (CLOUD)

ARM TrustZone forms the security backbone of mobile devices. TrustZone-based Trusted Execution Environments (TEEs) facilitate security-sensitive tasks like user authentication and disk encryption. As such, bugs in the TEE software stack may compromise the entire system’s integrity. Unfortunately, modern dynamic analysis techniques (like fuzzing) typically used to identify and eliminate those bugs cannot be effectively applied to TEE components.

In this talk, we introduce EL3XIR, a framework to effectively rehost and fuzz the secure monitor firmware layer of proprietary TrustZone-based TEEs. While other approaches have focused on naively rehosting or fuzzing Trusted Applications or the TEE OS, EL3XIR targets the highly-privileged but underexplored secure monitor and its unique challenges.

Secure monitors expose complex functionality through diverse secure monitor calls that may depend on multiple peripherals. In this talk, we share how we overcame the resulting input injection and peripheral emulation challenges for several targets to find a total of 34 bugs, of which 17 were classified as security-critical. Affected vendors confirmed 14 of these bugs, and six CVEs were assigned as a result of EL3XIR's findings.

Speaker

Marcel Busch

Marcel (@0ddc0de) is a PostDoc at EPFL with the HexHive group. His current research focus is mobile and IoT security with a special interest in TEEs, rehosting, and fuzzing. Outside of work, Marcel enjoys solving CTF challenges and has captured flags with FAUST, Shellphish, p0lygl0ts, /mnt/ain and the 0rganizers.

Christian Lindenmeier

Christian Lindenmeier is a PhD student at the Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) with the IT Security Infrastructures Lab. His research is centered around fuzzing the firmware of ARM-based devices, with a particular focus on targeting ARM TrustZone. He is also involved in various aspects of digital forensics for Android smartphones.
