
LUP Student Papers

LUND UNIVERSITY LIBRARIES

Fuzzing of PKCS#11 Trusted Application

Zeng, Kevin LU (2022) EITM01 20222
Department of Electrical and Information Technology
Abstract
The main goal of this thesis is to find an effective way to fuzz trusted applications (TAs) that run inside a trusted execution environment (TEE) when their source code is available. TAs have been fuzzed before, but no prior work was found that uses the source code of a TA to improve the fuzzing. Using the source code (white-box fuzzing, for example by instrumenting the code at compile time so that the fuzzer receives coverage feedback) can increase code coverage compared with black-box fuzzing, and can therefore test the critical parts of the software more effectively. This may inspire others to develop similar fuzzing techniques for TAs running on OP-TEE or other TEEs.

The fuzzing target is the TA implementation of Public-Key Cryptography Standard #11 (PKCS#11) currently developed by STMicroelectronics and Linaro for OP-TEE. The TA is complex, and no documentation of any extensive security testing of the PKCS#11 TA was found. Its source code is public, which certain fuzzing techniques can use to strengthen the fuzzing process. The project therefore aims not only to fuzz the PKCS#11 TA specifically, but also to arrive at a method for fuzzing TAs in general.

The following list summarizes the goals of the project:

• Implement a proof of concept for fuzzing a TA running on OP-TEE with a fuzzing technique that takes advantage of the available source code.
• Explore how to build an effective fuzzing harness that bridges the gap between the fuzzer's output and the input the target expects. The harness must also set up the state the target requires before it can be exercised.

The solution presented in this thesis combines several external tools and projects to host the target TA, perform the fuzz testing and provide insight into the target. The fuzzing process is able to explore deeper into the target and report bugs, code coverage and other fuzzing-relevant information. However, several highlighted problems still need attention before the setup is convenient to use. While the current solution is not perfect, it is sufficient as a proof of concept.
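The harness goal above is the part a practitioner usually has to build by hand: a fuzzer emits flat byte strings, while a GlobalPlatform TA entry point expects a command id, a parameter-type mask and up to four typed parameters, and expects a session to have been opened first. The following C program is an added example, not the thesis's harness and not code from the OP-TEE PKCS#11 TA. It decodes one fuzzer input into such a call using a byte layout chosen for this example, opens a session before invoking the command, and rejects malformed inputs itself so that any crash the fuzzer records comes from the target. The target (toy_ta_open_session / toy_ta_invoke) is a small stand-in TA written for this example, and the GP type definitions are re-declared locally so the file builds without the OP-TEE headers; all of these names are assumptions of the example.

```c
/* Added example: a hypothetical fuzzing harness plus a toy stand-in TA, not
 * code from the thesis or from the OP-TEE PKCS#11 TA. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* GlobalPlatform TEE Internal API definitions, re-declared so this builds
 * without tee_internal_api.h (values per the GP spec; size_t as in OP-TEE). */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006
#define TEE_ERROR_OUT_OF_MEMORY  0xFFFF000C
#define TEE_ERROR_SHORT_BUFFER   0xFFFF0010
enum { TEE_PARAM_TYPE_NONE = 0, TEE_PARAM_TYPE_VALUE_INPUT = 1, TEE_PARAM_TYPE_MEMREF_INPUT = 5,
       TEE_PARAM_TYPE_MEMREF_OUTPUT = 6, TEE_PARAM_TYPE_MEMREF_INOUT = 7 };
#define TEE_PARAM_TYPES(a, b, c, d) ((a) | ((b) << 4) | ((c) << 8) | ((d) << 12))
#define TEE_PARAM_TYPE_GET(t, i)    (((t) >> ((i) * 4)) & 0xF)
#define IS_MEMREF(t) ((t) >= TEE_PARAM_TYPE_MEMREF_INPUT && (t) <= TEE_PARAM_TYPE_MEMREF_INOUT)
typedef union { struct { void *buffer; size_t size; } memref; struct { uint32_t a, b; } value; } TEE_Param;

/* Toy target (hypothetical): a per-session call counter and one command that copies
 * p0 (MEMREF_INPUT) into p1 (MEMREF_OUTPUT), following the GP short-buffer rule. */
#define TOY_CMD_COPY 0
static TEE_Result toy_ta_open_session(void **sess)
{
    return (*sess = calloc(1, sizeof(uint32_t))) ? TEE_SUCCESS : TEE_ERROR_OUT_OF_MEMORY;
}
static TEE_Result toy_ta_invoke(void *sess, uint32_t cmd, uint32_t ptypes, TEE_Param p[4])
{
    (*(uint32_t *)sess)++;
    if (cmd != TOY_CMD_COPY || ptypes != TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
            TEE_PARAM_TYPE_MEMREF_OUTPUT, TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE))
        return TEE_ERROR_BAD_PARAMETERS;
    if (p[1].memref.size < p[0].memref.size) {
        p[1].memref.size = p[0].memref.size;      /* tell the caller the size needed */
        return TEE_ERROR_SHORT_BUFFER;
    }
    memcpy(p[1].memref.buffer, p[0].memref.buffer, p[0].memref.size);
    p[1].memref.size = p[0].memref.size;
    return TEE_SUCCESS;
}

/* Harness input layout assumed here (little-endian): u32 cmd_id, u16 param_types, then per
 * parameter i by its type: VALUE_INPUT u32 a, u32 b; MEMREF_INPUT/INOUT u32 len, len bytes;
 * MEMREF_OUTPUT u32 capacity (harness supplies a zeroed buffer); NONE nothing. Unsupported
 * types or a truncated input are rejected here (-1) so every recorded crash is the target's. */
#define MAX_MEMREF (64u * 1024)                   /* bound output allocations */
struct cursor { const uint8_t *p; size_t left; };
static int take_u32(struct cursor *c, uint32_t *v)
{
    if (c->left < 4) return -1;
    *v = (uint32_t)c->p[0] | (uint32_t)c->p[1] << 8 | (uint32_t)c->p[2] << 16 | (uint32_t)c->p[3] << 24;
    c->p += 4; c->left -= 4;
    return 0;
}
static int decode_params(struct cursor *c, uint32_t ptypes, TEE_Param p[4])
{
    for (int i = 0; i < 4; i++) {
        uint32_t n = 0, t = TEE_PARAM_TYPE_GET(ptypes, i);
        if (t == TEE_PARAM_TYPE_NONE) continue;
        if (t == TEE_PARAM_TYPE_VALUE_INPUT) {
            if (take_u32(c, &p[i].value.a) || take_u32(c, &p[i].value.b)) return -1;
            continue;
        }
        if (!IS_MEMREF(t) || take_u32(c, &n)) return -1;
        if (t == TEE_PARAM_TYPE_MEMREF_OUTPUT) {
            if (n > MAX_MEMREF || !(p[i].memref.buffer = calloc(1, n ? n : 1))) return -1;
        } else {  /* exact-size heap copy: under ASan any access past size is reported */
            if (n > c->left || !(p[i].memref.buffer = malloc(n ? n : 1))) return -1;
            memcpy(p[i].memref.buffer, c->p, n);
            c->p += n; c->left -= n;
        }
        p[i].memref.size = n;
    }
    return 0;
}

/* Returns 0 and sets *res when the target was invoked, -1 if the harness rejected the input. */
int fuzz_one_input(const uint8_t *data, size_t len, TEE_Result *res)
{
    struct cursor c = { data, len };
    uint32_t cmd, ptypes; TEE_Param p[4];
    void *sess = NULL; int rc = -1;
    memset(p, 0, sizeof p);
    if (take_u32(&c, &cmd) || c.left < 2) return -1;
    ptypes = (uint32_t)c.p[0] | (uint32_t)c.p[1] << 8;
    c.p += 2; c.left -= 2;
    /* state setup first: a TA expects an open session before any command */
    if (decode_params(&c, ptypes, p) == 0 && toy_ta_open_session(&sess) == TEE_SUCCESS) {
        *res = toy_ta_invoke(sess, cmd, ptypes, p);
        rc = 0;
    }
    free(sess);
    for (int i = 0; i < 4; i++)
        if (IS_MEMREF(TEE_PARAM_TYPE_GET(ptypes, i))) free(p[i].memref.buffer);
    return rc;
}

/* Entry point understood by libFuzzer and by AFL++ (afl-clang-fast -fsanitize=fuzzer). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    TEE_Result res;
    fuzz_one_input(data, size, &res);
    return 0;
}
```

Build with `afl-clang-fast -fsanitize=fuzzer,address` (or plain `clang -fsanitize=fuzzer,address`) and start the fuzzer with a seed corpus containing at least one well-formed input for each command. Two design points matter more than the decoding itself: every memref is copied into an exactly sized heap allocation, so that under AddressSanitizer a read or write past `memref.size` in the target is reported instead of silently spilling into the neighbouring fuzz-input bytes, and the harness rejects inputs it cannot decode before the target runs, so that the crash bucket only ever contains the target's own faults. For the real PKCS#11 TA the stand-in functions would be replaced by the TA's entry points (or, as the thesis keywords suggest, by running the TA under Open-TEE), and the seed corpus would be generated from valid PKCS#11 command sequences.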
Popular Abstract
Highly sensitive tasks of applications on devices such as phones are often performed in a secure environment that is separated from normal tasks. This provides additional protection and makes it harder for adversaries to manipulate the application or extract information from it. However, even when running in a protected environment, applications are still vulnerable to attacks that exploit bugs. This work therefore provides a method to security test applications inside such environments, in order to make it more difficult for adversaries to abuse the system.

An application is a set of instructions and data that tells a computer to perform various tasks. But can an application be trusted to perform the tasks the user intends, and to do so safely? For example, how can a user know that a password typed into a login prompt is not forwarded to someone else, or that the password stored by the login authenticator cannot be leaked? To provide a higher level of trust and protection, sensitive operations and data in normal applications can be moved into a trusted execution environment. This technique is common in the mobile industry: features such as mobile payments and fingerprint authentication offer higher security through the use of trusted execution environments.

However, even if the computer is executing the correct application in a protected environment, an adversary may still be able to abuse it. Flaws known as bugs can be introduced by developers when creating the application, leaving security vulnerabilities that an adversary can use to perform unintended or even harmful actions, such as bypassing security features or leaking sensitive information.

This thesis focuses on finding bugs in applications designed for trusted execution environments in an automated way, using a technique called fuzzing: the application is run on many different test inputs and its behaviour is monitored to detect bugs. This allows application vendors and security researchers to find faults and patch them to protect users from attacks. Certain industries may also require extensive security testing of applications to give higher assurance in their products. The aim of the work is to inspire others to use similar methods to security test applications and contribute to a safer digital world.
author: Zeng, Kevin
organization: Department of Electrical and Information Technology
course: EITM01 20222
year: 2022
type: H2 - Master's Degree (Two Years)
keywords: Fuzzing, white-box, PKCS#11, OP-TEE, AFL, Open-TEE, TA, Trusted Application
report number: LU/LTH-EIT 2022-905
language: English
id: 9112597
date added to LUP: 2023-05-09 15:32:59
date last changed: 2023-05-09 15:32:59
@misc{9112597,
  abstract     = {{The main goal of this thesis is to find an effective way to fuzz trusted applications (TAs) with source code residing in trusted execution environment (TEE). While fuzzing TAs has been previously done, no work has been found to utilize the source code of TAs to improve the fuzzing. Utilizing the source code in fuzzing can lead to an increase in code coverage compared to black-box fuzzing, and therefore could be more effective in testing critical parts of the software. This might inspire people to develop similar fuzzing techniques on TAs running on OP-TEE or other TEEs. 

The fuzzing target will be the TA implementation of the Public-Key Cryptography Standard 11 (PKCS#11) currently developed by STMicroelectronics and Linaro. The TA is complex, and no previous documents on any extensive security testing on the PKCS#11 TA has been found. The TA source code is also available to the public, which can be utilized by certain fuzzing techniques to empower the fuzzing process. The focus of the project will not solely be to fuzz the PKCS#11 TA specifically, but also a method to fuzz TAs in general. 

The following list summarizes the goals of the project:

• Implement a proof of concept on how to fuzz a TA running on OP-TEE using fuzzing technique that takes advantage of available source code. 
• Explore how to build an effective fuzzing harness which bridges the gap between the fuzzer and target expected input. The harness will also setup the necessary state of the target.

The solution provided in this thesis uses various external tools and projects to host, perform fuzz testing and provide insight on the target TA. The fuzzing process is able to explore deeper into the target and provide information related to bugs, code coverage and other fuzzing relevant information. However, in order to have a better fuzzing experience, certain highlighted problems of the project still needs attention. While the current state of the solution is not perfect, it is enough to serve as a proof of concept.}},
  author       = {{Zeng, Kevin}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Fuzzing of PKCS#11 Trusted Application}},
  year         = {{2022}},
}