TÄMU: Emulating Trusted Applications

Android runs sensitive applications in the so-called "secure world". These trusted applications (TAs) handle sensitive operations such as authentication, key management, or DRM. Because they interact with regular Android applications from the normal world, vulnerabilities in these TAs compromise the secure world and give adversaries access to privileged data. Our goal is to fuzz test these TAs at the layer they expose to the normal world.

The Global Platform standard is becoming the main API to access TAs. It provides a standardized communication/RPC API to enable interaction between the normal world and the secure world and a standardized API to provide key services to TAs to enable portability across vendors.

We have targeted the Global Platform API interface in several previous works. In TEEzz we extracted API sequences by analysing how regular apps interacted with TAs through the Global Platform layer. The main limitation is the lack of instrumentation of the TAs when running on-device, as their execution environment is protected by the secure world. Later we explored rollback attacks in Spill the TeA, which allowed an adversary to run old versions of TAs to exploit n-day vulnerabilities. Finally we resorted to a static binary analysis that discovered Global Platform API misuse where a missing type check gives attackers trivial arbitrary read/write access to the TA address space. To bring attention to this attack vector between the normal world and the secure world, we presented Not To Be Trusted, a Fiasco in Android TEEs, where we demonstrated an end-to-end attack that escalated from the normal world to a TA in the secure world and then to the TEE and secure monitor for a full system compromise.

Until now, we had not rehosted or emulated TAs because of the large underlying complexity and diversity of the different TEE operating systems. While rehosting would enable introspection and faster iteration on TAs, we do not have access to the different proprietary TEE operating systems. In TÄMU, the key insight is that the Global Platform API does not just standardize the interface between the normal world and the secure world; it also standardizes the API through which TAs interface with their operating system. If we emulate at the level of this API instead of the syscall level, we "only" need to implement the Global Platform API and not every single TEE OS.

Still, there are several hundred API calls that would have to be emulated, which would require substantial human effort. We therefore wondered whether some APIs are used more frequently than others, so that we could focus on those first. Any call to an unimplemented API blocks fuzzing as soon as it is executed. We therefore developed a static analysis that estimates how much additional code is unlocked if a given API is implemented, and then ranked the API calls, giving us a priority list of what to implement to unlock the most code for our fuzzing efforts. As it turns out, by implementing only 10 functions we improve reachable blocks from roughly 39% to 90%, whereas reaching 100% would require implementing 398 API functions across our set of evaluated TAs.
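The ranking idea above, as an added toy example that is not TÄMU's own analysis: two constructed TA control-flow graphs whose blocks call (real) Global Platform API names, a reachability check that treats a block calling an unimplemented API as an emulation abort, and a greedy loop that picks the API unlocking the most additional blocks at each step. The CFGs, block names and the greedy tie-break rule are assumptions made for the example.

```python
# Added example (constructed toy model, not TÄMU's own analysis): rank Global
# Platform APIs by how many basic blocks their implementation unlocks in TAs.
from collections import deque

# Constructed CFGs: block -> (APIs called in the block, successor blocks).
TAS = {
    "ta_a": {
        "entry": (set(), ["b1"]),
        "b1": ({"TEE_MemMove"}, ["b2", "b3"]),
        "b2": ({"TEE_Malloc"}, ["b4"]),
        "b3": ({"TEE_AllocateOperation"}, ["b4"]),
        "b4": ({"TEE_Free"}, ["b5"]),
        "b5": ({"TEE_MemMove"}, []),
    },
    "ta_b": {
        "entry": (set(), ["b1"]),
        "b1": ({"TEE_Malloc"}, ["b2"]),
        "b2": ({"TEE_GetPropertyAsU32"}, ["b3"]),
        "b3": ({"TEE_Free"}, []),
    },
}

def reachable_blocks(cfg, implemented):
    """Blocks executable from 'entry' given the implemented API set."""
    seen, work = set(), deque(["entry"])
    while work:
        blk = work.popleft()
        if blk in seen:
            continue
        apis, succs = cfg[blk]
        if not apis <= implemented:
            continue  # emulation aborts here: block needs a missing API
        seen.add(blk)
        work.extend(succs)
    return seen

def coverage(tas, implemented):
    return sum(len(reachable_blocks(cfg, implemented)) for cfg in tas.values())

def rank_apis(tas):
    """Greedy priority list; returns [(api, cumulative reachable blocks)]."""
    all_apis = {a for cfg in tas.values() for apis, _ in cfg.values() for a in apis}
    implemented, order = set(), []
    while all_apis - implemented:
        # sorted() makes the tie-break deterministic (first maximum wins)
        best = max(sorted(all_apis - implemented),
                   key=lambda a: coverage(tas, implemented | {a}))
        implemented.add(best)
        order.append((best, coverage(tas, implemented)))
    return order
```

On this toy input the first three picks (TEE_Malloc, TEE_MemMove, TEE_Free) already make 7 of the 10 blocks reachable; the real analysis applies the same idea to several hundred API functions over a corpus of TAs.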

Tying these two contributions together, we introduce TÄMU (or TA-EMU), an emulator that rehosts TAs at the application level by abstracting and interposing the Global Platform API instead of the full TEE operating system. Our emulator provides high-level implementations of the Global Platform API (along with frequently used libc and other APIs) together with a loader for trusted applications.

We then fuzzed 67 TAs across several vendors on TÄMU, targeting the interface between the normal world and the trusted applications. We discovered 17 0-days that were responsibly disclosed to the vendors. The paper and source code are openly available.

Philipp Mao and Marcel Busch from the HexHive group are the main drivers of this research work and deserve the primary credit.
