    TEEzz: Fuzzing Trusted Applications on COTS Android Devices
    Abstract:
    Security- and privacy-sensitive smartphone applications use trusted execution environments (TEEs) to protect sensitive operations from malicious code. By design, TEEs have privileged access to the entire system but expose little to no insight into their inner workings. Moreover, real-world TEEs enforce strict format and protocol interactions when communicating with trusted applications (TAs), which prohibits effective automated testing.

    TEEzz is the first TEE-aware fuzzing framework capable of effectively fuzzing TAs in situ on production smartphones, i.e., the TA runs in the encrypted and protected TEE and the fuzzer may only observe interactions with the TA but has no control over the TA's code or data. Unlike traditional fuzzing techniques, which monitor the execution of the program being fuzzed and inspect its memory after a crash, TEEzz requires only a limited view of the target. TEEzz overcomes key limitations of TEE fuzzing (e.g., lack of visibility into the executed TAs, proprietary exchange formats, and value dependencies between interactions) by automatically attempting to infer the field types and message dependencies of the TA API from its observed interactions, designing state- and type-aware fuzzing mutators, and creating an in situ, on-device fuzzer.

    Due to the limited availability of systematic fuzzing research for TAs on commercial-off-the-shelf (COTS) Android devices, we extensively examine existing solutions, explore their limitations, and demonstrate how TEEzz improves the state of the art. First, we show that general-purpose kernel driver fuzzers are ineffective for fuzzing TAs. Then, we establish a baseline for fuzzing TAs using a ground-truth experiment. We show that TEEzz outperforms other blackbox fuzzers, can improve greybox approaches (if TA source code is available), and even outperforms greybox approaches for stateful targets. We found 13 previously unknown bugs in the latest versions of OP-TEE TAs in total, of which three are triggered only by TEEzz. We also ran TEEzz on popular phones and found 40 unique bugs, for which one CVE has been assigned so far.
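The three ingredients the abstract names, inferring field types, recovering value dependencies between messages, and mutating in a type- and state-aware way, can be illustrated on the GlobalPlatform TEE Client API parameter encoding that OP-TEE and most commercial TEEs expose to the normal world. The Python below is an added example written for this page; it is not TEEzz's code and does not claim to reflect how TEEzz implements these steps. It assumes a recorded trace of TEEC_InvokeCommand-style calls (command ID, paramTypes word, four parameters), uses the real GlobalPlatform type codes and TEEC_PARAM_TYPES packing, and works on a constructed, hypothetical hashing-TA session (INIT returns a handle that UPDATE and FINAL must pass back) rather than a real device capture.

```python
import random

# GlobalPlatform TEE Client API parameter type codes (as in tee_client_api.h);
# bit 0 of a code marks input direction, bit 1 output direction.
TEEC_NONE, TEEC_VALUE_INPUT, TEEC_VALUE_OUTPUT, TEEC_VALUE_INOUT = 0x0, 0x1, 0x2, 0x3
TEEC_MEMREF_TEMP_INPUT, TEEC_MEMREF_TEMP_OUTPUT, TEEC_MEMREF_TEMP_INOUT = 0x5, 0x6, 0x7
VALUE_TYPES = (TEEC_VALUE_INPUT, TEEC_VALUE_OUTPUT, TEEC_VALUE_INOUT)
MEMREF_TYPES = (TEEC_MEMREF_TEMP_INPUT, TEEC_MEMREF_TEMP_OUTPUT, TEEC_MEMREF_TEMP_INOUT)
# Boundary values a type-aware mutator substitutes into 32-bit value fields.
INTERESTING_U32 = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFE, 0xFFFFFFFF]

def teec_param_types(p0, p1, p2, p3):
    """Same packing as the TEEC_PARAM_TYPES macro: one 4-bit type per parameter."""
    return p0 | (p1 << 4) | (p2 << 8) | (p3 << 12)

def decode_param_types(param_types):
    """Split a paramTypes word back into its four per-parameter type codes."""
    return [(param_types >> (4 * i)) & 0xF for i in range(4)]

def is_input(t):
    return bool(t & 0x1)

def is_output(t):
    return bool(t & 0x2)

def infer_dependencies(trace):
    """A non-zero value written to an output slot and later supplied to an input slot
    is treated as a handle; returns (producer_call, producer_param, consumer_call, consumer_param)."""
    produced, deps = {}, []  # produced: value -> (call, param) of its first producer
    for ci, call in enumerate(trace):
        for pi, t in enumerate(decode_param_types(call["types"])):
            if t not in VALUE_TYPES:
                continue
            a = call["params"][pi][0]
            if is_input(t) and a != 0 and a in produced:
                deps.append((*produced[a], ci, pi))
            if is_output(t) and a != 0:
                produced.setdefault(a, (ci, pi))
    return deps

def mutate_bytes(buf, rng):
    """Byte-level mutation for memref inputs; always returns something != buf."""
    op = rng.choice(["flip", "truncate", "grow", "fill"])
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        return buf[:i] + bytes([buf[i] ^ (1 << rng.randrange(8))]) + buf[i + 1:]
    if op == "truncate" and buf:
        return buf[: rng.randrange(len(buf))]
    if op == "grow":
        return buf + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 65)))
    return b"\xff" * (len(buf) + 1)  # "fill", and the fallback for empty buffers

def mutate_trace(trace, deps, rng, break_handle=False):
    """State- and type-aware mutation: handles flowing between calls are replayed
    unchanged (or, with break_handle, replaced by a boundary value to probe stale-handle
    paths); other value inputs get boundary integers; memref inputs get byte mutations;
    memref outputs get size mutations; output-only values and TEEC_NONE slots are left alone."""
    consumers = {(ci, pi) for (_, _, ci, pi) in deps}
    mutated = []
    for ci, call in enumerate(trace):
        params = list(call["params"])
        for pi, t in enumerate(decode_param_types(call["types"])):
            if (ci, pi) in consumers:
                if break_handle:
                    params[pi] = (rng.choice(INTERESTING_U32), params[pi][1])
            elif t in VALUE_TYPES and is_input(t):
                a, b = params[pi]
                params[pi] = (rng.choice(INTERESTING_U32), b) if rng.random() < 0.5 \
                    else (a, rng.choice(INTERESTING_U32))
            elif t in MEMREF_TYPES and is_input(t):
                params[pi] = mutate_bytes(params[pi], rng)
            elif t in MEMREF_TYPES:  # output-only buffer: vary the size the TA is given
                size = len(params[pi])
                params[pi] = bytes(rng.choice([0, 1, max(0, size - 1), 2 * size]))
        mutated.append({"cmd": call["cmd"], "types": call["types"], "params": params})
    return mutated

# Constructed trace, not a device capture: a hypothetical hashing TA whose INIT
# command returns a context handle that UPDATE and FINAL must pass back in.
CMD_INIT, CMD_UPDATE, CMD_FINAL = 0x10, 0x11, 0x12
HANDLE = 0x1234ABCD
SAMPLE_TRACE = [
    {"cmd": CMD_INIT, "params": [(HANDLE, 0), None, None, None],
     "types": teec_param_types(TEEC_VALUE_OUTPUT, TEEC_NONE, TEEC_NONE, TEEC_NONE)},
    {"cmd": CMD_UPDATE, "params": [(HANDLE, 0), b"hello tee", None, None],
     "types": teec_param_types(TEEC_VALUE_INPUT, TEEC_MEMREF_TEMP_INPUT, TEEC_NONE, TEEC_NONE)},
    {"cmd": CMD_FINAL, "params": [(HANDLE, 0), bytes(32), None, None],
     "types": teec_param_types(TEEC_VALUE_INPUT, TEEC_MEMREF_TEMP_OUTPUT, TEEC_NONE, TEEC_NONE)},
]

def fuzz_case(seed, break_handle=False):
    """One mutated test case derived from SAMPLE_TRACE, deterministic per seed."""
    deps = infer_dependencies(SAMPLE_TRACE)
    return mutate_trace(SAMPLE_TRACE, deps, random.Random(seed), break_handle)

if __name__ == "__main__":
    print("dependencies:", infer_dependencies(SAMPLE_TRACE))
    for call in fuzz_case(1):
        print(hex(call["cmd"]), call["params"])
```

The dependency pass is what keeps generated cases past the TA's session and parameter checks: the handle returned by INIT is replayed verbatim into UPDATE and FINAL, and only the fields that are free to vary are mutated according to their declared type (boundary integers for value inputs, byte edits for input buffers, size changes for output buffers, which exercises the TA's length checks). Setting break_handle does the opposite and feeds a stale or bogus handle to probe the TA's lookup logic. A real on-device fuzzer would additionally have to observe return codes and TEE-side crashes, which this illustration does not model.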
    Keywords:
    Fuzz testing
    Related papers:
    Fuzzing has developed into an efficient method of vulnerability discovery, and symbolic execution is another widely used software vulnerability discovery technique; both are research hotspots in network and information security. Hybrid fuzzing adds symbolic execution to traditional fuzzing and has grown into a branch of fuzzing in its own right. This article studies existing hybrid fuzzing methods, reviews the development and evolution of hybrid fuzzing and its technical core, and compares the performance of well-known hybrid fuzzers experimentally, based on symbolic execution. Finally, it discusses the open problems in hybrid fuzzing and looks forward to its future development.
    Fuzz testing
    Vulnerability
    Software bug
    As an improvement on traditional random fuzzing, directed fuzzing uses dynamic taint analysis to locate the regions of seed inputs that can influence security-sensitive program points, and focuses mutation on those regions to generate error-revealing test cases. Seed inputs are of great importance to directed fuzzing because they essentially determine how many security-sensitive program points can be tested. In this paper, we present a seed selection method, complemented by a seed generation method, for directed fuzzing. Using static analysis, dynamic monitoring and symbolic execution, our approach provides directed fuzzing with seeds that cover more security-sensitive program points in a cost-effective way. We implemented a prototype called Seeded-Fuzz and applied it to five real-world applications. Experimental results show that, starting directed fuzzing from our carefully selected and generated seeds, Seeded-Fuzz tests more critical program sites and detects more bugs.
    Fuzz testing
    Taint checking
    Android is an operating system that mediates between hardware and software. It provides the platform and operating system for mobile devices, is based on Linux, and was developed by Google and the Open Handset Alliance. Android mainly supports developers writing managed code in Java, but does not support natively developed programs.
    Keywords: Linux; Play Store; Java; ARM; Dalvik VM
    Embedded Java
    Android Beam
    ZigBee defines several security services at the MAC layer, including sequential freshness, frame integrity, data encryption and access control. Unfortunately, security vulnerabilities remain that could result in network meltdown, so it is necessary to detect these defects by fuzz testing. However, fuzz testing has usually been inefficient because test cases are either too numerous or invalid. In this paper, a novel comprehensive fuzzing algorithm, CG-Fuzzing (comprehensive genetic-based fuzzing), is proposed. CG-Fuzzing contains three parts: structure-based, boundary-based and genetic algorithms. The paper establishes an evolutionary model that achieves high rates of both passing filtering rules and triggering vulnerabilities. Compared with traditional fuzzing methods, the number of test cases is reduced and they are more efficient. Experimental results show that the overall performance of CG-Fuzzing is outstanding: fuzzing with the algorithm takes only 4 min to exploit a previously known ZigBee vulnerability.
    Fuzz testing
    Vulnerability
    Vulnerabilities in the OS kernel are more severe than those in user space because they allow attackers to access a system with full privileges. Fuzzing is an efficient technique for detecting vulnerabilities, yet few fuzzing efforts target kernels. On one hand, passive fuzzing, which hooks the kernel, can satisfy the dependencies among system calls but gets no feedback and thus fails to generate test cases that reproduce a resulting crash. On the other hand, active fuzzing, guided by run-time feedback, can easily reproduce a crash with its generated test cases, but cannot find bugs on deeper code paths because it lacks data and control dependencies. In this paper, we propose a novel approach to kernel fuzzing that combines passive and active fuzzing and therefore gains the advantages of both. We implement the approach in a prototype called X-AFL, which currently targets the Android kernel. Preliminary evaluation results show that X-AFL is an effective kernel fuzzer and can indeed find kernel vulnerabilities.
    Fuzz testing
    Kernel (operating system)
    Software bug
    Code coverage
    Fuzzing is an effective technique for software testing and security vulnerability detection. Unfortunately, fuzzing is extremely compute-intensive and may take thousands of computing hours to find a bug. Recent work generally improves fuzzing efficiency by developing more refined algorithms. In this paper, we propose another direction of improvement: leveraging parallel computing to improve fuzzing efficiency. To this end, we develop P-fuzz, a parallel fuzzing framework that can use massive, distributed computing resources to fuzz. P-fuzz uses a database to share fuzzing status such as seeds and coverage information; all fuzzing nodes fetch tasks from the database and write their fuzzing status back to it. P-fuzz also handles the data races and exceptions that arise in parallel fuzzing. We compare P-fuzz with AFL and with the parallel fuzzing framework Roving in our experiments. The results show that, using 4 nodes, P-fuzz speeds up AFL by about 2.59× and Roving by about 1.66× on average.
    Fuzz testing
    Vulnerability
    The article gives a definition of fuzz testing, describes the main stages of fuzzing, and discusses the classification of fuzzers.
    Fuzz testing
    Software testing
    While fuzzing can be very costly, it has proven to be a fundamental technique in uncovering bugs (often security related) in many applications. A recent study on bug reports from OSS-Fuzz observed that recent code changes are responsible for 77% of all reported bugs, stressing the importance of continuous testing. With the increased adoption of CI/CD practices in software development, it is only natural to look for effective ways of incorporating fuzzing into continuous security testing. In this paper, we study the effectiveness of fuzz testing in CI/CD pipelines with a focus on security related bugs and seek optimization opportunities to triage commits that do not require fuzzing. Through experimental analysis, we found that the fuzzing effort can be reduced by 63% in three of the nine libraries we analyzed (55% on average). Additionally, we investigate the correlation between fuzzing campaign duration and the effectiveness of fuzzers in vulnerability discovery: a significantly shorter fuzzing campaign facilitates a faster pipeline for developers, while it can still uncover important bugs. Our findings suggest that continuous fuzzing is indeed beneficial for secure software development processes, and that there are many opportunities to improve its effectiveness.
    Fuzz testing
    Software bug
    Vulnerability
    Fuzz testing (fuzzing) has recently prospered in detecting security flaws. It generates a large number of test cases and monitors their executions for defects, and has detected thousands of bugs and vulnerabilities in various applications. Although effective, fuzzing lacks a systematic analysis of the gaps it faces. As a defect detection technique, fuzzing must narrow the gap between the entire input space and the defect space: without limits on the generated inputs the input space is infinite, whereas defects are sparse in an application, so the defect space is much smaller than the input space. Moreover, because fuzzing generates numerous test cases to repeatedly examine targets, it must run automatically, and the complexity of applications and defects makes it challenging to automate the execution of diverse applications. In this article, we systematically review and analyze these gaps and their solutions, considering both breadth and depth. This survey can serve as a roadmap for both beginners and advanced developers to better understand fuzzing.
    Fuzz testing
    Fuzzing is a software testing technique that finds bugs by repeatedly feeding mutated inputs into a target program. Known to be a highly practical approach, fuzzing is gaining more popularity than ever before. Current research on fuzzing has focused on producing inputs that are more likely to trigger a vulnerability.
    Fuzz testing
    Software testing
    Software bug
    Popularity
    Vulnerability
    Taint checking