引用本文: |
-
王丽娜,谢辉华,余荣威,张桐,赵敬昌.基于全系统模拟的OP-TEE内核模糊测试方法[J].信息安全学报,2023,8(4):85-98 [点击复制]
- WANG Lina,XIE Huihua,YU Rongwei,ZHANG Tong,ZHAO Jingchang.OP-TEE Kernel Fuzzy Testing Method Based on Whole System Emulation[J].Journal of Cyber Security,2023,8(4):85-98 [点击复制]
|
|
|
|
本文已被:浏览 8265次 下载 6044次 |
码上扫一扫! |
基于全系统模拟的OP-TEE内核模糊测试方法 |
王丽娜1,2, 谢辉华1,2, 余荣威1,2, 张桐1,2, 赵敬昌1,2
|
|
(1.武汉大学空天信息安全与可信计算教育部重点实验室, 武汉大学国家网络安全学院 武汉 中国 430072;2.武汉大学国家网络安全学院 武汉 中国 430072) |
|
摘要: |
OP-TEE (Open Portable Trusted Execution Environment)是运行于基于TrustZone的可信执行环境(Trusted Execution Environment,TEE)中的开源可信操作系统。OP-TEE虽然运行于TEE侧,但仍存在漏洞从而遭受来自于富执行环境(Rich ExecutionEnvironment,REE)的攻击。模糊测试是一种常用的漏洞发现方法,但由于TEE与REE的高度隔离,REE侧的模糊测试工具难以直接测试OP-TEE,且现有基于OP-TEE源码插桩的模糊测试方法存在依赖源码和专业领域知识且崩溃容忍度低的问题。本文基于全系统模拟,模拟OP-TEE依赖的环境,提出了对OP-TEE内核模糊测试的方法。该方法将OP-TEE托管在模拟环境中并追踪其执行过程,模糊测试工具在模拟环境外观测执行过程并以此生成测试用例。该方法通过设计实现模拟环境内外通信组件,将模拟环境内OP-TEE的系统调用暴露给模拟环境外的模糊测试工具,使得模糊测试工具能够对OP-TEE内核进行模糊测试。同时针对模糊测试过程中单个用例测试耗时较长的问题,设计实现了预翻译优化机制以减少测试过程中的耗时。实验验证了方案可行性,评测了预翻译优化的效果,并评估了方案的漏洞发现能力,同时对比现有方案OP-TEE Fuzzer进行了性能测试。实验结果表明,本文方案具有检出崩溃以及发现潜在漏洞的能力,预翻译优化机制能平均减少19.05%执行耗时,且实际性能优于OP-TEE Fuzzer,其中吞吐量与OP-TEE Fuzzer相比提高了104%。 |
关键词: 可信执行环境|OP-TEE|全系统模拟|模糊测试 |
DOI:10.19363/J.cnki.cn10-1380/tn.2023.07.06 |
投稿时间:2021-12-22修订日期:2022-02-22 |
基金项目:本课题得到国家自然科学基金项目(No. U1836112); 国家重点研发计划(No. 2020YFB1805400); 国家自然科学基金项目(No. 61876134)资助。 |
|
OP-TEE Kernel Fuzzy Testing Method Based on Whole System Emulation |
WANG Lina1,2, XIE Huihua1,2, YU Rongwei1,2, ZHANG Tong1,2, ZHAO Jingchang1,2
|
(1.Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China;2.School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China) |
Abstract: |
OP-TEE (Open Portable Trusted Execution Environment) is an open-source trusted operating system running in Trusted Execution Environment (Trusted Execution Environment, TEE) based on TrustZone. Although OP-TEE runs on the TEE side, it remains hidden vulnerabilities and suffers from attacks from the Rich Execution Environment (REE). Fuzzing is a commonly used method of vulnerability discovery, but due to the high isolation between TEE and REE, it is difficult for a fuzzing tool on the REE side to directly fuzz OP-TEE. Besides the state-of-art fuzzing method based on OP-TEE source code instrumentation has problems that rely on source code and professional domain knowledge and have low crash tolerance. Based on the whole system emulation to emulate the environment that OP-TEE relies upon, this paper proposes a method of fuzzing the OP-TEE kernel. This method hosts the OP-TEE in an emulated environment and tracks its execution process. The fuzzing tool observes the execution process outside the emulated environment and generates test cases based on the execution process. This method is designed to realize the communication components inside and outside the emulation environment, exposing the OP-TEE system calls in the emulation environment to the fuzzing tool outside the emulation environment so that the fuzzing tool can fuzz the OP-TEE core. Simultaneously, aiming at the problem that single case testing takes a long time in the fuzzing process, a pre-translation optimization mechanism is designed and implemented to reduce time consumption in the fuzzing process. Experiments are designed to verify the feasibility of the method, evaluate the effect of pre-translation optimization, and evaluate the vulnerability discovery ability of the method. Besides, an experiment is designed to compare the efficiency with the existing method OP-TEE Fuzzer. Results of the experiments show that the proposed method has the ability to find potential vulnerabilities and the pre-translation optimization mechanism can reduce the fuzzing time by 19.05% on average. Besides the actual efficiency of our method is better than OP-TEE Fuzzer. Especially, the throughput of our method is increased by 104% compared with OP-TEE Fuzzer. |
Key words: trusted execution environment|OP-TEE|whole system emulation|fuzzy test |
|
|
|
|
|