Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution

Busch M, Dirsch K (2020)
Publication Type: Conference contribution

Publication year: 2020

Event location: San Diego, CA US

ISBN: 1891562622

DOI: 10.14722/bar.2020.23014

Abstract

Trusted Execution Environments (TEEs) constitute a major building block for modern mobile devices’ security architectures. Yet, the analysis tools available to researchers seeking to examine these critical components are rudimentary compared to the vast range of sophisticated tools available for other execution contexts (i.e., Linux or Windows userland). We see the primary reason for the lack of tools as originating from the closed-source nature of TEEs. Specifically, the analysis of Trusted Applications (i.e., userland applications executed in a TEE) is of vital importance, since they account for the largest attack surface. However, hardware primitives (i.e., ARM TrustZone) prevent access to this high-privileged context and thwart any form of dynamic analysis. In this paper, we present our approach to investigating 1-day vulnerabilities using selective symbolic execution of real-world Trusted Applications (TAs). Our system, SimTA, is based on angr and emulates the TA’s execution environment. We build SimTA based on insights gained from manual static analysis of a commercially and widely deployed closed-source TEE, using an exploit on a physical device. In our evaluation, we elaborate on how SimTA facilitates binary-diff-guided analysis by replicating the analysis of a known critical vulnerability. Additionally, we reveal two further issues, an authentication bypass and a heap-based buffer overflow, that have quietly been introduced by the vendor.

How to cite

APA:

Busch, M., & Dirsch, K. (2020). Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution. In Proceedings of the Workshop on Binary Analysis Research (BAR) 2020. San Diego, CA, US.

MLA:

Busch, Marcel, and Kalle Dirsch. "Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution." Proceedings of the Workshop on Binary Analysis Research (BAR) 2020, San Diego, CA 2020.