A Stateaware Fuzzing Method for Trusted Execution Environment Kernel

Abstract

Abstract: Trusted execution environment (TEE) is widely used, and its kernel security has become a significant area of focus. Fuzzing, a powerful technique for detecting vulnerabilities in operating system, has increasingly been applied to the security analysis of TEE. However, conventional fuzzing tools cannot be directly used for TEE kernels due to their isolation. Coverageguided fuzzers often discard test cases that trigger new states but cover the same code, which limits their effectiveness in discovering vulnerabilities. To address these challenges, a stateaware fuzzing method tailored for TEE kernels is proposed. Initially, a modeling and tracing approach is developed to represent the program state through statevariable values and retaining the test cases that trigger new states, overcoming the limitations of coverageguided fuzzers. Subsequently, we introduce an innovative communication scheme to tackle issues arising from TEE isolation. New seed retention and selection algorithms are proposed to better guide the fuzzer in exploring vulnerabilities. Finally, the NGram model is employed to enhance test case generation and optimize the framework’s performance. A prototype, named TrustyStatefuzz, has been implemented and evaluated on fuchsia, the selfdeveloped microkernel operating system Nebula, and OPTEE. The evaluation results show that TrustyStatefuzz is effective at detecting both new code and vulnerabilities. TrustyStatefuzz discovers 9 unknown vulnerabilities and 23 known vulnerabilities. Additionally, it achieves 13% higher code coverage and 27% higher state coverage than the stateoftheart fuzzer Syzkaller.

Key words: fuzzing, trusted execution environment, program state, kernel, NGram model

摘要： 可信执行环境(trusted execution environment, TEE)被广泛使用，其内核安全已成为一个重要的关注领域.模糊测试作为识别操作系统内核漏洞的有效方法，已广泛应用于TEE安全研究.然而，传统的模糊测试工具由于TEE的隔离性而不能直接用于TEE内核.覆盖引导的模糊器通常会丢弃触发新状态而覆盖相同代码的测试用例，限制了它们在发现漏洞方面的有效性.针对以上问题，提出了一种状态感知的TEE内核模糊测试方法.首先，设计了一种建模和跟踪方法，通过状态变量的值表示程序状态，保留触发新状态的测试用例，克服了覆盖引导的模糊器的局限性.其次，提出了新的通信方案以解决TEE的隔离性引发的问题.并提出了新的种子保存和选择算法，以更好地引导模糊器探索漏洞.最后，结合NGram模型指导测试用例生成过程，优化测试框架性能.目前已经实现了一个TrustyStatefuzz原型，并在fuchsia、自主开发的微内核操作系统nebula以及OPTEE上进行了模糊测试并评估.结果表明，TrustyStatefuzz在发现新代码和漏洞方面是有效的.它发现了9个未知漏洞和23个已知漏洞，比现有模糊测试工具Syzkaller提升13%的代码覆盖率和27%的状态覆盖率.

关键词: 模糊测试, 可信执行环境, 程序状态, 内核, NGram模型

CLC Number:

TP309

邱云飞, 郭梦鋆, 张强, . 状态感知的可信执行环境内核模糊测试方法[J]. 信息安全研究, 2026, 12(3): 198-.

References

［1］Li J, Zhao B, Zhang C. Fuzzing: A survey［J］. Cybersecurity, 2018, 1: 113［2］Zhao B, Li Z, Qin S, et al.StateFuzz: System callbased stateaware linux driver fuzzing［C］ Proc of the 31st USENIX Security Symposium. Berkeley, CA: USENIX Association, 2022: 32733289［3］Bellard F. QEMU, a fast and portable dynamic translator［C］ Proc of the USENIX Annual Technical Conference, FREENIX Track. Berkeley, CA: USENIX Association, 2005: 4146［4］Kivity A, Kamay Y, Laor D. KVM: The Linux virtual machine monitor［C］ Proc of the Linux Symposium. Ottawa: Linux Symposium Organization, 2007: 225230［5］Lemieux C, Sen K.Fairfuzz: A targeted mutation strategy for increasing greyboxfuzz testing coverage［C］Proc of the 33rd ACMIEEE Int Confe on Automated Software Engineering. New York: ACM, 2018: 475485［6］Fioraldi A, Maier D, Eifeldt H. AFL++: Combining incremental steps of fuzzing research［C］ Proc of the 14th USENIX Workshop on Offensive Technologies (WOOT 20). Berkeley, CA: USENIX Association, 2020: 112［7］Vyukov D. Syzkaller: An unsupervised coverageguided kernel fuzzer［CPOL］. 2016［20241219］. https:github.comgooglesyzkaller［8］Schumilo S, Aschermann C, Gawlik R. kAFL: Hardwareassisted feedback fuzzing for OS kernels［C］ Proc of the 26th USENIX Security Symposium. Berkeley, CA: USENIX Association, 2017: 167182［9］Kim K, Jeong D R, Kim C H, et al. HFL: Hybrid fuzzing on the Linux kernel［C］ Proc of the 27th Annual Network and Distributed System Security Symposium. San Diego: The Internet Society, 2020: 117［10］Busch M, Machiry A, Spensky C, et al. Teezz: Fuzzing trusted applications on cots android devices［C］ Proc of the 2023 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2023: 12041219［11］Wang Q, Chang B, Ji S, et al. Syztrust: Stateaware fuzzing on trusted os designed for iot devices［C］ Proc of the 2024 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2024: 23102387［12］Song J, Jo E, Kim J. DTA: RunTrustZone TAs outside the secure world for security testing［J］. IEEE Access, 2024, 12: 1671516727［13］Ghaniyoun M, Barber K, Xiao Y, et al. TEESec: Presilicon vulnerability discovery for trusted execution environments［C］ Proc of the 50th Annual Int Symp on Computer Architecture. New York: ACM, 2023: 115［14］Pham V T, Bhme M, Roychoudhury A. Aflnet: A greybox fuzzer for network protocols［C］ Proc of the 13th IEEE Int Conf on Software Testing, Validation and Verification. Piscataway, NJ: IEEE, 2020: 460465［15］Natella R. Stateafl: Greybox fuzzing for stateful network servers［J］. Empirical Software Engineering, 2022, 27(7): 112［16］Wang S, Chollak D, MovshovitzAttias D, et al. Bugram: Bug detection with NGram language models［C］ Proc of the 31st IEEEACM Int Conf on Automated Software Engineering. New York: ACM, 2016: 708719［17］Google. Fuchsia: An open source operating system［EBOL］. ［20241219］. https:fuchsia.dev［18］Li D, Chen H. FastSyzkaller: Improving fuzz efficiency for linux kernel fuzzing［C］ Proc of the Journal of Physics: Conference Series. Bristol: IOP Publishing, 2019

[1]	. Smart Contract Vulnerabilities Based on Differential Evolutionary Algorithms and Solution Time Prediction Detection#br# [J]. Journal of Information Security Reserach, 2026, 12(1): 24-.
[2]	. A Spectre Vulnerability Detection Method Integrating Fuzzing and #br# Taint Analysis#br# [J]. Journal of Information Security Reserach, 2025, 11(9): 822-.
[3]	. A Buildin Fuzzing Framework for Opensource BMC Firmware [J]. Journal of Information Security Reserach, 2025, 11(7): 611-.
[4]	. Constructing Lightweight Trusted Execution Environment on RISCV Dualcore Processor [J]. Journal of Information Security Reserach, 2025, 11(6): 500-.
[5]	. Research on a Fuzzing Method for JavaScript Engines Based on Dynamic Semantic Feedback#br# [J]. Journal of Information Security Reserach, 2025, 11(11): 1031-.
[6]	. Router Vulnerability Detection Method Based on Static Analysis and Fuzzing [J]. Journal of Information Security Reserach, 2024, 10(1): 40-.
[7]	. Key Technologies and Research Prospects of Privacy Computing [J]. Journal of Information Security Reserach, 2023, 9(8): 714-.
[8]	. Core Isolation Method of ARM Processor for OutofOrder Execution Vulnerability Test [J]. Journal of Information Security Reserach, 2023, 9(4): 347-.
[9]	. Research on 5G Edge Computing Security Based on the Trusted Execution Environment [J]. Journal of Information Security Reserach, 2023, 9(1): 38-.
[10]	. Survey of Coverage-guided Grey-box Fuzzing [J]. Journal of Information Security Reserach, 2022, 8(7): 643-.
[11]	. Research on Acceleration Method of Searchable Encryption of Private Data Based on Trusted Hardware [J]. Journal of Information Security Reserach, 2021, 7(4): 319-327.
[12]	. Research on Technologies of Kernel Rootkit Detecting and Protecting in KVM Environment [J]. Journal of Information Security Research, 2019, 5(7): 616-622.
[13]	. An Image and Video Protection Scheme Based on Android Kernel Extension [J]. Journal of Information Security Research, 2018, 4(4): 342-351.
[14]	. Linux Kernel mmap Protection Mechanism Research [J]. Journal of Information Security Research, 2018, 4(12): 1135-1141.
[15]	. A High Code Coverage Static and Dyamic Combined Fuzzing Method [J]. Journal of Information Security Research, 2016, 2(8): 699-705.