SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices
Qinying Wang∗† , Boyu Chang∗ , Shouling Ji∗( ), , Yuan Tian‡ , Xuhong Zhang∗ , Binbin Zhao§ , Gaoning Pan∗ ,
Chenyang Lyu∗ , Mathias Payer† , Wenhai Wang∗ , Raheem Beyah§
∗ Zhejiang
University, † EPFL, ‡ University of California, Los Angelos, § Georgia Institute of Technology
E-mails: {wangqinying, bychang, sji}@zju.edu.cn, [email protected], [email protected], [email protected],
{pgn, puppet}@zju.edu.cn, [email protected], [email protected], [email protected]
arXiv:2309.14742v1 [cs.CR] 26 Sep 2023
Abstract—Trusted Execution Environments (TEEs) embedded
in IoT devices provide a deployable solution to secure IoT
applications at the hardware level. By design, in TEEs, the
Trusted Operating System (Trusted OS) is the primary com-
ponent. It enables the TEE to use security-based design tech-
niques, such as data encryption and identity authentication.
Once a Trusted OS has been exploited, the TEE can no
longer ensure security. However, Trusted OSes for IoT devices
have received little security analysis, which is challenging
from several perspectives: (1) Trusted OSes are closed-source
and have an unfavorable environment for sending test cases
and collecting feedback. (2) Trusted OSes have complex data
structures and require a stateful workflow, which limits existing
vulnerability detection tools.
To address the challenges, we present S YZ T RUST, the
first state-aware fuzzing framework for vetting the security of
resource-limited Trusted OSes. S YZ T RUST adopts a hardware-
assisted framework to enable fuzzing Trusted OSes directly
on IoT devices as well as tracking state and code coverage
non-invasively. S YZ T RUST utilizes composite feedback to guide
the fuzzer to effectively explore more states as well as to
increase the code coverage. We evaluate S YZ T RUST on Trusted
OSes from three major vendors: Samsung, Tsinglink Cloud,
and Ali Cloud. These systems run on Cortex M23/33 MCUs,
which provide the necessary abstraction for embedded TEEs.
We discovered 70 previously unknown vulnerabilities in their
Trusted OSes, receiving 10 new CVEs so far. Furthermore,
compared to the baseline, S YZ T RUST has demonstrated sig-
nificant improvements, including 66% higher code coverage,
651% higher state coverage, and 31% improved vulnerability-
finding capability. We report all discovered new vulnerabilities
to vendors and open source S YZ T RUST.
1. Introduction
Trusted Execution Environments (TEEs) are essential
to securing important data and operations in IoT devices.
GlobalPlatform, the leading technical standards organiza-
tion, has reported a 25-percent increase in the number
of TEE-enabled IoT processors being shipped quarterly,
year-over-year [29]. Recently, major IoT vendors such as
Shouling Ji is the corresponding author.
1
Samsung have designed TEEs for low-end Microcontroller
Units (MCUs) [20], [57], [61] and device manufacturers
have embedded the TEE in IoT devices such as unmanned
aerial vehicles and smart locks, to protect sensitive data and
to provide key management services. A TEE is composed of
Client Applications (CAs), Trusted Applications (TAs), and
a Trusted Operating System (Trusted OS). Among them, the
Trusted OS is the primary component to enable the TEE
using security-based design techniques, and its security is
the underlying premise of a reliable TEE where the code and
data are protected in terms of confidentiality and integrity.
Unfortunately, implementation flaws in Trusted OSes violate
the protection guarantees, bypassing confidentiality and in-
tegrity guarantees. These flaws lead to critical consequences,
including sensitive information leakage (CVE-2019-25052)
and code execution within the Trusted OS context [13],
[42]. Once attackers gain control of Trusted OSes, they can
launch critical attacks, such as creating a backdoor to the
Linux kernel [12], and extracting full disk encryption keys
of Android’s KeyMaster service [11].
While TEEs are increasingly embedded in IoT devices,
the security of Trusted OS for IoT devices remains under
studied. Considering the emerging amount of diversified
MCUs and IoT devices, manual analysis, such as reverse
engineering, requires significant expert efforts and is there-
fore infeasible at scale. Recent academic works use fuzzing
to automate TEE testing. However, unlike Trusted OSes
for Android devices, Trusted OSes for IoT devices are
built on TrustZone-M with low-power and cost-sensitive
MCUs, including NuMicro M23. Thus, Trusted OSes for
IoT devices are more hardware-dependent and resource-
constrained, complicating the development of scalable and
usable testing approaches with different challenges. In the
following, we conclude two challenges for fuzzing IoT
Trusted OSes.
Challenge I: The inability of instrumentation and re-
stricted environment. Most Trusted OSes are closed-
source. Additionally, TEE implementations, especially the
Trusted OSes are often encrypted by IoT vendors, which
implies the inability to instrument and monitor the code ex-
ecution in the secure world. Accordingly, classic feedback-
driven fuzzing cannot be directly applied to the scenario
of testing TEEs including TAs and Trusted OSes. Existing
works either rely on on-device binary instrumentations [15]
or require professional domain knowledge and rehosting
through proprietary firmware emulation [32] to enable test-
ing and coverage tracking. However, as for the Trusted OSes
designed for IoT devices, the situation is more challenging
due to the following two reasons. First, IoT devices are
severely resource-limited, while existing binary instrumen-
tations are heavy-weight for them and considerably limit
their execution speed. Second, as for rehosting, IoT devices
are mostly hardware-dependent, rendering the reverse en-
gineering and implementation effort for emulated software
and hardware components unacceptable. In addition, rehost-
ing faces the limitation of the inaccuracy of modeling the
behavior of hardware components. To our best knowledge,
the only existing TEE rehosting solution PartEmu [32] is
not publicly available and does not support the mainstream
TEE based on Cortex-M MCUs designed for IoT devices.
Challenge II: Complex structure and stateful work-
flow. Trusted OSes for IoT devices are surprisingly com-
plex. Specifically, Trusted OSes implement multiple cryp-
tographic algorithms, such as AES and MAC, without un-
derlying hardware support for these algorithms as would
be present on Cortex-A processors. To implement these
algorithms in a secure way, Trusted OSes maintain several
state diagrams to store the execution contexts and guide the
execution workflow. To explore more states of a Trusted
OS, a fuzzer needs to feed syscall sequences in several
specific orders with different specific state-related argument
values. Without considering such statefulness of Trusted
OSes, coverage-based fuzzers are unlikely to explore further
states, causing the executions to miss the vulnerabilities
hidden in a deep state. Unfortunately, existing fuzzing tech-
niques lack state-awareness for Trusted OSes. Specifically,
they have trouble understanding which state a Trusted OS
reaches since there are no rich-semantics response codes to
indicate it. In addition, due to the lack of source code and
the inability of instrumentation, it is hard to infer and extract
the state variables by program analysis.
Our solution. To address the above key challenges, we pro-
pose and implement S YZ T RUST, the first fuzzing framework
targeting Trusted OSes for IoT devices, supporting state and
coverage-guided fuzzing. Specifically, we propose an on-
device fuzzing framework and leverage a hardware-in-the-
loop approach. To support in-depth vulnerability detection,
we propose a composite feedback mechanism that guides the
fuzzer to explore more states and increase code coverage.
S YZ T RUST necessitates diverse contributions. First, to
tackle Challenge I, we propose a hardware-assisted fuzzing
framework to execute test cases as well as collect code
coverage feedback. Specifically, we decouple the execution
engine from the rest of the fuzzer to enable directly exe-
cuting test cases in the protective TEE secure world on the
resource-limited MCU. To support coverage tracking, we
present a selective trace collection approach instead of costly
code instrumentation to enable tracing instructions on a
target MCU. In particular, we leverage the ARM Embedded
Trace Macrocell (ETM) feature to collect raw trace packets
by monitoring instruction and data buses on MCU with
a low-performance impact. However, the Trusted OS for
2
IoT devices is resource constrained, which makes storing
ETM traces on board difficult and limits the fuzzing speed.
Additionally, the TEE internals are complicated and have
multiple components, which generate noisy trace packets.
Therefore, we offload heavy-weight tasks to a PC and care-
fully scheduled the fuzzing subprocesses in a more parallel
way. We also present an event- and address-based trace filter
to handle the noisy trace packets that are not executed by
the Trusted OS. Additionally, we adopt an efficient code
coverage calculation algorithm directly on the raw packets.
Second, as for the Challenge II, the vulnerability detec-
tion capability of coverage-based fuzzers is limited, and a
more effective fuzzing strategy is required. Therefore, we
propose a composite feedback mechanism, which enhances
code coverage with state feedback. To be specific, we utilize
state variables that control the execution contexts to present
the states of a Trusted OS. However, such state variables are
usually stored in closed-source and customized data struc-
tures within Trusted OSes. Existing state variable inference
methods either use explicit protocol packet sequences [45]
or require source codes of target software [35], [68], which
are unavailable for Trusted OSes. Therefore, to identify the
state-related members from those complex data structures,
S YZ T RUST collects some heuristics for Trusted OS and
utilizes them to perform an active state variable inference
algorithm. After that, S YZ T RUST monitors the state variable
values during the fuzzing procedure as the state feedback.
Finally, S YZ T RUST is the first end-to-end solution ca-
pable of fuzzing Trusted OSes for IoT devices. Moreover,
the design of the on-device fuzzing framework and modular
implementation make S YZ T RUST more extensible. With
several MCU-specific configurations, S YZ T RUST scales to
Trusted OSes on different MCUs from different vendors.
Evaluation. We evaluate S YZ T RUST on real-world Trusted
OSes from three leading IoT vendors Samsung, Tsinglink
Cloud, and Ali Cloud. The evaluation result shows that
S YZ T RUST is effective at discovering new vulnerabilities
and exploring new states and codes. As a result, S YZ T RUST
has discovered 70 new vulnerabilities. Among them, vendors
confirmed 28, and assigned 10 CVE IDs. The vendors
are still investigating others. Compared to state-of-the-art
approaches, S YZ T RUST finds more vulnerabilities, hits 66%
higher code branches, and 651% higher state coverage.
Summary and contributions.
• We propose S YZ T RUST, the first fuzzing framework
targeting Trusted OSes for IoT devices, supporting effective
state and code coverage guided fuzzing. With a carefully
designed hardware-assisted fuzzing framework and a com-
posite feedback mechanism, S YZ T RUST is extensible and
configurable to different IoT devices.
• With S YZ T RUST, we evaluate three popular Trusted
OSes on three leading IoT vendors and detect several
previously unknown bugs. We have responsibly reported
these vulnerabilities to the vendors and got acknowledged
from vendors such as Samsung. We release S YZ T RUST
as an open-source tool for facilitating further studies at
https://github.com/SyzTrust.
 Normal World Secure World
Client Applications (CAs) Trusted Applications (TAs)
CA CA CA TA TA TA
TEE Client API TEE Internal API
Rich OS Switch
Trusted OS
(e.g., FreeRTOS) Instructions
Figure 1: Structure of TrustZone-M based TEE.
2. Background
2.1. TEE and Trusted OS
A TEE is a secure enclave on a device’s main processor
that is separated from the main OS. It ensures the confiden-
tiality and integrity of code and data loaded inside it [64].
For standardizing the TEE implementations, GlobalPlatform
(GP) has developed a number of specifications. For instance,
it specifies the TEE Internal Core API implemented in the
Trusted OS to enable a TA to perform its security functions
[30]. However, it is difficult for vendors to implement a
Trusted OS correctly since there are lots of APIs with
complex and stateful functions defined in the GP TEE spec-
ifications. For instance, the TEE Internal Core API defines
six types of APIs, including cryptographic operations APIs
supporting more than 20 complex cryptographic algorithms.
In addition, the TEE Internal Core API also requires that a
Trusted OS shall implement state diagrams to manage the
operation. The two aforementioned factors make it challeng-
ing for device vendors to develop a secure Trusted OS.
ARM TrustZone has become the de-facto hardware tech-
nology to implement TEEs in mobile environments [17] and
has been deployed in servers [33], low-end IoT devices [8],
[53], and industrial control systems [27]. For IoT devices,
the Cortex-M23/33 MCUs, introduced by the ARM Commu-
nity in 2016, are built on new TrustZone for ARMv8-M as
security foundations for billions of devices [22]. TrustZone
for ARMv8-M Cortex-M has been optimized for faster con-
text switch and low-power applications and is designed from
the ground up instead of being reused from Cortex-A [54].
As Figure 1 shows, instead of utilizing a secure monitor
in TrustZone for Cortex-A, the division of the secure and
normal world is memory-based, and transitions take place
automatically in the exception handle mode. Based on the
TrustZone-M, IoT vendors provide Trusted OS binaries to
the device manufacturers and then the device manufacturers
produce devices with device-specific TAs for the end users.
This paper focuses on the Trusted OSes from different IoT
vendors and provides security insights for device manufac-
turers and end users.
3
2.2. Debug Probe
A debug probe is a special hardware device for low-
level control of ARM-based MCUs, using DAP (Debug
Access Port) provided by the ARM CoreSight Architecture
[25]. It bridges the connection between a computer and an
MCU and provides full debugging functionality, including
watchpoints, flash memory breakpoints, memory, as well as
register examination or editing. In addition, a debug probe
can record data and instruction accesses at runtime through
the ARM ETM feature. ETM is a subsystem of ARM
Coresight Architecture and allows for traceability, whose
function is similar to Intel PT. The ETM generates trace
elements for executed signpost instructions that enable
reconstruction of all the executed instructions. Utilizing the
above features, the debug probe has shown its effectiveness
in tracing and debugging malware [49], unpacking Android
apps [65], or fuzzing Linux peripheral drivers [37].
3. Threat Model
Our attacker tries to achieve multiple goals: gaining
control over, extracting confidential information from, and
causing crashes in other Trusted Applications (TAs) hosted
on the same Trusted OS or the Trusted OS itself. We
consider two practical attack scenarios. First, an attacker can
exploit our discovered vulnerabilities by providing carefully
crafted data to a TA. They can utilize a malicious Client
Application (CA) to pass the crafted data to a TA. For
instance, in mTower, CVE-2022-38511 (ID 1 in Table 1)
can be triggered by passing a large key size value from a
CA to a TA. Second, an attacker can exploit our discovered
vulnerabilities by injecting a malicious TA into the secure
world. They can do this through rollback attacks or electro-
magnetic fault injections (CVE-2022-47549).
4. Design
Figure 2 gives an overview of S YZ T RUST’s design.
S YZ T RUST includes two modules: the fuzzing engine on the
Personal Computer (PC) and the execution engine on the
MCU. The fuzzing engine generates and sends test cases
to the MCU via the debug probe. The execution engine
executes the received test case on the target Trusted OS.
At a high level, we propose a hardware-assisted fuzzing
framework and a composite feedback mechanism to guide
the fuzzer. Given the inaccessible environment of Trusted
OSes, we design a TA and CA pair as a proxy to the
Trusted OS and utilize a debug probe to access the MCU for
feedback collection. To handle the challenge of limited re-
sources, we decouple the execution engine from S YZ T RUST
and only run it on the MCU. This allows S YZ T RUST,
with its resource-demanding core components, to run more
effectively on a PC. To handle the statefulness of Trusted
OSes, we include state feedback with code coverage in the
composite feedback. State variables represent internal states,
and our inference method identifies them in closed-source
Trusted OSes.
 State Variable
Trusted OS
Inference
Fuzzing Engine (on PC)
Test cases
Manager
Initial Seeds Hardware-assisted Controller
Code coverage
A Collector
Syscall composite
State coverage
feedback
Templates
Figure 2: Overview of S YZ T RUST. S YZ T RUST consists of a fuzzing engine running on a PC, an execution engine running
on an MCU, and a debug probe to bridge the fuzzing engine and the execution engine.
The main workflow is as follows. First, S YZ T RUST
accepts two inputs, including initial seeds and syscall tem-
plates. Second, the manager generates test cases through
two fuzzing tasks, including generating a new test case from
scratch based on syscall templates or by mutating a selected
seed. Then, the generated test cases are delivered to the
execution engine on MCU through the debug probe. The
execution engine executes these test cases to test the Trusted
OS. Meanwhile, the debug probe selectively records the
executed instruction trace, which is processed by our trace
collector as an alternative to code coverage. Additionally,
the state variable monitor tracks the values of a set of target
state variables to calculate state coverage via the debug
probe. Finally, the code and state coverage is fed to the
manager as composite feedback to guide the fuzzer. The
above procedures are iteratively executed and we denote the
iterative workflow as the fuzzing loop.
4.1. Inputs
Syscall templates and initial seeds are fed to S YZ T RUST.
Syscall templates. Provided syscall templates,
S YZ T RUST is more likely to generate valid test cases
by following the format defined by the templates. Syscall
templates define the syscalls with their argument types
as well as special types that provide the semantics of an
argument. For instance, resources represent the values
that need to be passed from an output of one syscall
to an input of another syscall, which refers to the data
dependency between syscalls. We manually write syscall
templates for the Internal Core API for the GP TEE in
Syzlang (S YZKALLER’s syscall description language [31]).
However, a value with a complex structure type, which is
common in Trusted OSes, cannot be used as a resource
value due to the design limitation of Syzlang. To handle
this limitation, we extend the syscall templates with helper
syscalls, which accept values of complex structures and
output their point addresses as resource values. In
total, we have 37 syscall templates and 8 helper syscalls,
covering all the standard cryptographic APIs.
Initial seeds. Since syscall templates are used to gen-
erate syntactically valid inputs, S YZ T RUST requires initial
seeds to collect some valid syscall sequences and argu-
ments and speed up the fuzzing procedure. Provided initial
seeds, S YZ T RUST continuously generates test cases to test
Fuzzing Loop
State Variables
Execution Engine
(on MCU)
Test cases
Debug Probe
Test cases
Proxy CA & TA
Trace
Feedback Feedback
State Variables Trusted OS
Monitor
a target Trusted OS by mutating them. However, there is
no off-the-shelf seed corpus for testing Trusted OSes, and
constructing one is not trivial, as the syscall sequences
with arguments should follow critical crypto constraints,
and manually constructing valid sequences will need much
effort. For example, a valid seed includes a certain order
of syscall sequences to initiate an encryption operation, and
the key and the encryption mode should be consistent with
supporting encryption. Fortunately, OP-TEE [39], an open-
source TEE implementation for Cortex-A, offers a test suite,
which can be utilized to construct seeds for most Trusted
OSes. Specifically, we automatically inject codes in TAs
provided by the test suite to log the syscall names and
their arguments. Then we automatically convert those logs
into seeds following the format required by S YZ T RUST. In
addition, we automatically add data dependencies between
syscalls in the seed corpus. Accordingly, we identify the
return values from syscalls that are input arguments of other
syscalls and add helper syscalls for the identified values.
Although the syscall template and seed corpus construc-
tion require extra work, it is a one-shot effort and can be
used in the further study of Trusted OS security.
4.2. A Hardware-assisted Framework
Now our hardware-assisted fuzzing framework enables
the generated test cases to be executed in protective and
resource-constrained trusted environments on IoT devices.
To handle the constrained resources in Challenge I, we
decouple the execution engine from the other components
of S YZ T RUST to ease the execution overhead of the MCU.
As shown in Figure 2, the fuzzing engine, which includes
most core components of S YZ T RUST and requires more
computing resources and memory space, runs on a PC,
while only the execution engine runs on the MCU. Thus,
S YZ T RUST does the heavy tasks, including seed preserva-
tion, seed selection, type-aware generation, and mutation.
As for the protected execution environment in Challenge
I, we design a pair of CA and TA as the execution engine
that executes the test cases to test the Trusted OSes. We
utilize a debug probe to bridge the connection between the
fuzzing engine and the execution engine. In the following,
we introduce the design of delivering test cases and the pair
of CA and TA. First, as shown in Figure 2, the debug probe
transfers test cases and feedback between the fuzzing engine
4
and the execution engine. Specifically, a debug probe can
directly access the memory of the target MCU. Thus, the
debug probe accepts generated test cases from the manager
engine and writes them to a specific memory of the target
MCU. As for test case transportation, we design a serializer
to encode the test cases into minimum binary data denoted
as payloads before sending them to the MCU. A payload
includes a sequence of syscalls with their syscall names,
syscall argument types, and syscall argument values. In ad-
dition, S YZ T RUST denotes syscall names as ordinal numbers
to minimize the transportation overhead. Second, the pair of
CA and TA plays the role of a proxy to handle the test cases.
Accordingly, the CA monitors the specific memory in the
MCU. If a payload is written, the CA reads the binary data
from the specific memory and delivers them to the TA. Then
the TA deserializes the received binary data and executes
them one by one to test a Trusted OS implementation.
Accordingly, the TA invokes specific syscalls according
to the ordinal numbers and fills them in with arguments
extracted from the payload. To this end, the TA hardcodes
the syscalls declaration codes that are manually prepared.
The manual work to prepare the declaration codes is a one-
shot effort that can be easily done by referring to the GP
TEE Internal Core API specification.
4.3. Selective Instruction Trace Tracking
This section introduces how to obtain the code coverage
feedback in S YZ T RUST when testing the Trusted OSes.
To handle the inability of instrumentation in Challenge
I, we present a selective instruction trace track, which is
implemented in the trace collector in the fuzzing engine.
The trace collector controls the debug probe to collect traces
synchronously when the test cases are being executed. After
completing a test case, it calculates the code coverage and
delivers it to the manager as feedback.
In the selective instruction trace track, we utilize the
ETM component to enable non-invasive monitoring of the
execution context of target Trusted OSes. The overall work-
flow is as follows. (1) Before each payload is sent to
the MCU, the hardware-assisted controller resets the target
MCU via the debug probe. (2) Once the execution engine
reads a valid payload from the specific memory space and
starts to execute it, the hardware-assisted controller starts
the ETM component to record the instruction trace for each
syscall from the payload. Specifically, in the meanwhile
of executing the syscalls, the generated instruction trace is
synchronously recorded and delivered to the fuzzing engine
via the debug probe. (3) After completing a payload, the
hardware-assisted controller computes the coverage based
on the instruction traces for the manager.
1 extern int32 t start event ;
2 extern int32 t stop event ;
3 void TA ProcessEachPayload ( ) {
4 RecvPayloadFromCA ( ) ;
5 DecodePayload ( ) ;
6 / / S t a r t i n v o k i n g s y s c a l l s one by one
7 do {
8 / / Data a c c e s s e v e n t i s t r i g g e r e d , s t a r t t r a c i n g
9 s t a r t e v e n t ++;
5
10 InvokeOneSyscall ( ) ;
11 / / Data a c c e s s e v e n t i s t r i g g e r e d , s t o p t r a c i n g
12 s t o p e v e n t ++;
13 i f ( AllSyscallsExecuted () ){
14 break ;
15 }
16 } while (1) ;
17 }
18
Listing 1: A code snippet containing the main execution
logic from our designed TA.
However, the IoT Trusted OSes are highly resource-
constrained, making locally storing ETM traces infeasi-
ble and limiting the speed of local fuzzing. Therefore,
S YZ T RUST utilizes the debug probe (see Section 4.2) to
stream all ETM trace data to the host PC in real time while
the target system is running. Moreover, S YZ T RUST enables
parallel execution of test case generation, transmission, and
execution, as well as coverage calculation, thereby boosting
the speed of fuzzing.
For code coverage, we cannot directly use the raw
instruction trace packets generated by the ETM as a re-
placement for branch coverage due to two issues. First,
there is a gap between the raw ETM trace packets and
the instruction traces generated by the Trusted OS. The
TEE internals are complicated and the ETM component
records instruction traces generated by the software running
on the MCU, including the CA, rich OS, the TA, and the
Trusted OS. Thus, we design a selective instruction trace
collection strategy to generate fine-grained traces. ARM
ETM allows enabling/disabling trace collection when cor-
responding events occur. We configure the different events
via the Data Watchpoint and Trace Unit (DWT) hardware
feature to filter out noisy packets. In S YZ T RUST, we aim to
calculate the code coverage triggered by every syscall in a
test case and generated by Trusted OS. Thus, as shown in
Listing 1, we configure the event-based filters by adding two
data write access event conditions. The two event conditions
start ETM tracing before invoking a syscall and stop ETM
tracing after completing the syscall, respectively. In addition,
we specify the address range of the secure world shall be
included in the trace stream to filter noisy trace packets
generated from the normal world.
Second, there is a gap between the raw ETM trace pack-
ets to the quantitive coverage results. To precisely recover
the branch coverage information, we have to decode the raw
trace packets and map them to disassembled binary instruc-
tion address. After that, we can recover the instruction traces
and construct the branch coverage information [69] [65].
However, disassembling code introduces significant run-time
overhead as it incurs high computation cost [18]. Thus, we
calculate the branch coverage directly using the raw trace
packets [37]. At a high level, this calculation mechanism
utilizes a special basic block generated with Linear Code
Sequence and Jump (LCSAJ) [66] to reflect any change in
basic block transitions. LCSAJ basic blocks consist of the
basic address of a raw ETM branch packet and a sequence of
branch conditions. The branch conditions indicate whether
the instructions followed by the basic address are executed.
This mechanism performs several hash operations on the
LCSAJ basic blocks to transform them into random IDs,
which we utilize as branch coverage feedback.
4.4. State Variable Inference and Monitoring
Here we introduce how to identify the internal state
of the Trusted OS and how to obtain the state coverage
feedback through the state variable monitor component. In
particular, the state variable inference provides the state
variable monitor with the address ranges of the inferred state
variables. Then the state variable monitor tracks the values
of these state variables synchronously when the execution
engine executes test cases. After completing a test case,
the state variable monitor calculates the state coverage and
delivers it to the manager as feedback. Below are the details
about state variable inference and monitoring.
According to the GP TEE Core API specification,
Trusted OSes have to maintain several complex state ma-
chines to achieve the cryptographic algorithm in a highly
secure way. To explore all states of Trusted OS, the
fuzzer needs to feed syscall sequences in several specific
orders with different specific state-related argument val-
ues. Coverage-based fuzzers are unlikely to explore further
states, causing the executions to miss some vulnerabilities
hidden in a deep state. For instance, a syscall sequence
achieves a new DES cryptographic operation configuration
by filling different arguments, whose code coverage may
be the same as the syscall sequence to achieve a new
AES cryptographic operation configuration. Preserving such
syscall sequences as a seed and further exploring them
will achieve new cryptographic operations and gain new
code coverages. However, a coverage-based fuzzer may
discard such syscall sequences that seem to have no code
coverage contribution but trigger new internal states. Thus,
S YZ T RUST additionally adopts state coverage as feedback
to handle the statefulness of Trusted OSes.
State variable inference. By referring to the GP
TEE Internal Core API specification and several open-
source TEE implementations from Github, we find that
Trusted OSes maintain two important structures, includ-
ing the struct named TEE_OperationHandle and
the struct named TEE_ObjectHandle, which present
the internal states and control the execution context. We
further find that several vital variables (with names such
as operationState and flags) in the two com-
plex structs determine the Trusted OS’ internal state.
Thus, we utilize the value combinations of state variables
to present the states of Trusted OS and track all state-
related variables to collect their values. Then, we con-
sider a new value of the state variable combination as a
new state. However, the TEE_OperationHandle and
TEE_ObjectHandle implementations are customized
and close source, making recognizing the state variables and
their addresses challenging.
To handle it, we come up with an active infer-
ence method to recognize the state variables in the
TEE_OperationHandle and TEE_ObjectHandle
6
Test Cases
TEE_AllocateOperation
(TEE_OperationHandle *operation,
uint32_t algorithm, uint32_t mode,
uint32_t maxKeySize)
TEE_ResetOperation(…)
…
Test Harness
Output Buffer
0000 0000 00c0 0000 0000 0008 0000
0000 0000 00a8 2d00 2000 0000 0000 Trusted OS
State Variable …
Inferer
struct __TEE_OperationHandle{
[0:3] algorithm: 0000 0000 00c0 0000 …
… Hardware-assisted State
[40:43] operationState: 0001
Variables Monitor
}
…
Figure 3: State variable inference.
implementations. This method is based on the assumption
that the state variables in the above two handles will have
different values according to different cryptographic oper-
ation configurations. For instance, in Samsung’s Trusted
OS implementation, after executing several syscalls to set
cryptographic arguments, the value of a state variable from
TEE_OperationHandle changes from 0 to 1, which
means a cryptographic operation is initialized.
Based on the assumption, S YZ T RUST uses a test har-
ness to generate and execute test cases carefully. Then
S YZ T RUST records the buffers of the two handles and ap-
plies state variable inference to detect the address ranges of
state variables in the recorded buffers, as shown in Figure 3.
S YZ T RUST first filters randomly changeable byte sequences
that store pointers, encryption keys, and cipher text. Specif-
ically, S YZ T RUST conducts a 24-hour basic fuzzing proce-
dure on the initial seeds from Section 4.1 and collects the
buffers of the two handles. S YZ T RUST then parses the buffer
into four-byte sequences to recognize changeable values. Af-
ter that, S YZ T RUST collects all different values for each byte
sequence in the fuzzing procedure and calculates the number
of times that these different values occur. S YZ T RUST con-
siders the byte sequences that occur over 80 times as buffers
and excludes them from the state variables. For the remain-
ing byte sequences, S YZ T RUST applies the following infer-
ence to identify state variables. In our observations, the cryp-
tographic operation configurations are determined by the
operation-related arguments, including the operation mode
(encryption, decryption, or verification) and cryptographic
algorithm (AES, DES, or MAC). The cryptographic oper-
ation configurations are also determined by the operation-
related syscall sequences. We identify such arguments and
syscalls by referring to GP TEE Internal Core API specifica-
tion and conclude the operation-related syscalls include the
syscalls that accept the two handles as an input argument
and are specified to allocate, init, update, and finish a cryp-
tographic operation, such as TEE_AllocateOperation
and TEE_AllocateTriansientObject. S YZ T RUST
performs mutated seeds that include the operation-related
syscalls and records the buffers of the two handles. These
byte sequences that vary with certain syscall sequences with
certain arguments are considered state variables. Finally,
 Hit Times 𝐻𝑖𝑡 𝐻𝑖𝑡 ... 𝐻𝑖𝑡
preserves and prioritizes seeds that trigger new code or
HitMap
states. We design two maps as the seed corpus to preserve
seeds according to code coverage and state feedback. With
State Hashes 𝑆𝑡 𝑆𝑡 ... 𝑆𝑡
such seed corpus, S YZ T RUST then periodically selects seeds
SeedMap
from the hash table to explore new codes and new states.
𝑆𝑑 This section introduces how S YZ T RUST fine-tunes the evo-
𝑆𝑑 lution through a novel composite feedback mechanism, in-
Seed A Seed Node cluding seed preservation and seed selection strategy.
𝑆𝑑
Buckets • A Syscall Sequence
with Arguments
Seed preservation. Given the composite feedback
...

• Branch Coverage mechanism, we thus provide two maps as the seed corpus
𝑆𝑑
to store seeds that discover new state values and new code,
respectively. As shown in Figure 4, in two maps, S YZ T RUST
Figure 4: Seed corpus in S YZ T RUST. calculates the hash of combination values of state variables
as the keys. S YZ T RUST maps the state hashes to their hit
times in the HitMap and maps the state hashes to seed
S YZ T RUST outputs the address ranges of these byte se-
buckets in the SeedMap. In the SeedMap, for a certain
12/3 quences and feeds them to the hardware-assisted controller. 11
state hash, the mapping seed bucket contains one or several
State variable monitor. The identified state variables
seeds that can produce the matching state variable values. To
and their address ranges are then used as configurations
construct the SeedMap, S YZ T RUST handles the following
of the hardware-assisted controller. S YZ T RUST utilizes the
two situations. First, if a syscall from a test case triggers a
debug probe to monitor the state variables. When a new
new value combination of state variables, S YZ T RUST adds
TEE_OperationHandle or TEE_ObjectHandle is
a new state hash in the SeedMap. Then, S YZ T RUST maps
allocated, S YZ T RUST records its start address. Given the
the new state hash to a new seed bucket. To construct the
start address of the two handles and address ranges of state
seed bucket, S YZ T RUST utilizes the test case with its branch
variables, S YZ T RUST calculates the memory ranges of state
coverage to construct a seed node and appends the seed
variables and directly reads the memory via the debug probe.
bucket with the newly constructed seed node. Second, if
In the fuzzing loop, for each syscall, beside the branch cov-
a syscall from a test case triggers a new code coverage,
erage, S YZ T RUST records the hash of combination values
S YZ T RUST adds a new seed node in a seed bucket. Specifi-
of the state variables as the state coverage.
cally, S YZ T RUST calculates the hash of combination values
of state variables produced by the syscall. Then, S YZ T RUST
4.5. Fuzzing Loop looks up the seed bucket that is mapped to the state hash
and appends a new seed node that contains the test case
After collecting code and state coverage feedback, the
and its branch coverage to the seed bucket. Noted, a test
fuzzer enters the main fuzzing loop implemented in the
case could be stored in multiple seed buckets if it triggers
manager. S YZ T RUST has a similar basic fuzzing loop to
multiple feedbacks at the same time. As for the HitMap,
S YZKALLER. It schedules two tasks for test case gener-
each time after completing a test case, S YZ T RUST calculates
ation: generating a new test case from syscall templates
all the state hashes it triggers and updates the hit times for
or mutating an existing one based on selected seeds. As
these state hashes according to their hit times.
for the generation task, S YZ T RUST faithfully borrows the
Seed selection. Given the preserved seed corpus,
generation strategy from S YZKALLER. As for the muta-
S YZ T RUST applies a special seed selection strategy to
tion task, S YZ T RUST utilizes a composite feedback mech-
improve the fuzzing efficiency. Algorithm 1 shows how
anism to explore rarely visited states while increasing code
S YZ T RUST selects seeds from the corpus. First, S YZ T RUST
coverage. Notably, S YZ T RUST does not adopt the Triage
chooses a state and then chooses a seed from the map-
scheduling tasks from S YZKALLER due to two key reasons.
ping seed buckets according to the state. In state selection,
First, S YZ T RUST fuzzes directly on the MCU, enabling
S YZ T RUST is more likely to choose a rarely visited state
swift MCU resets after each test case, thus mitigating false
by a weighted random selection algorithm. The probability
positives in branch coverage. Branch coverage validation
of choosing a seed is negatively correlated with its hit
through triaging is, therefore, unnecessary. Second, exe-
times. Thus, we assign each seed a weight value, which
cuting test cases for Trusted OSes (averaging 30 syscalls)
is the reciprocal of its hit times. Finally, The probability of
is time-consuming, incurring a significant overhead for
choosing a seed is equal to the proportion of its weight in
S YZ T RUST to minimize a syscall sequence by removing
the sum of all weights. In seed selection, S YZ T RUST is more
syscalls one by one. Appendix A further experimentally
likely to choose a seed with high branch coverage. To this
demonstrates our intuition for the new scheduling tasks.
end, S YZ T RUST chooses a seed based on a weighted random
selection algorithm, and the probability of choosing a certain
4.6. Composite Feedback Mechanism seed is equal to the proportion of its branch coverage in all
S YZ T RUST adopts a novel composite feedback mecha- coverages. Notably, the probabilities of choosing a state and
nism, leveraging both code and state coverage to guide mu- seed are dynamically updated since the hit times and the sum
tation tasks within the fuzzing loop. Specifically, S YZ T RUST of coverage is updated in the fuzzing procedure.

7
 Algorithm 1: Seed Selection Algorithm
Input: C , SeedMap that maps state hashes to a set
of seeds
Input: H , HitMap that maps state hashes to hit
times
Output: s, the selected seed
1 Sum W ← 0;
2 M ap W = initMap() //maps state hashes to their
weights ;
3 for each key ∈ H do
4 t ← getValue(H, key );
5 Sum W ← Sum W + t−1 ;
6 end
7 for each key ∈ H do
8 t ← getValue(H, key );
9 M ap W ← M ap W ∪ (key, t−1 /Sum W );
10 end
11 St ← WeightedRandom StateSelection(M ap W );
12 seedSets ← getValue(C, St);
13 s ← WeightedRandom SeedSelection(seedSets);
4.7. Scope and Scalability of S YZ T RUST.
S YZ T RUST targets Trusted OSes provided by IoT ven-
dors and assumes that (i) a TA can be installed in the
Trusted OS, and (ii) target devices have ETM enabled.
These assumptions align with typical IoT Trusted OS sce-
narios. First, given that IoT device manufacturers often
need to implement device-specific TAs, Trusted OS binaries
supplied by IoT vendors generally allow TA installation.
Second, S YZ T RUST tests IoT Trusted OSes by deploying
them on development boards where ETM is enabled by
default. Moreover, S YZ T RUST can directly test the Trusted
OSes following the GP TEE Internal Core API specification
with MCU-specific configurations. It has built-in support for
testing on alternative Trusted OSes, including proprietary
ones. Appendix B extends discussion with concrete data.
S YZ T RUST can support other Trusted OSes. To test a
new Trusted OSes on a different MCU, S YZ T RUST requires
MCU configurations, including the address ranges of spe-
cific memory for storing payloads, the addresses of the data
events for the event-based filter, and the address ranges of
secure memory for the address-based filter. We developed
tooling in the CA and TA to automatically help the analyst
obtain all required addresses. In addition, by following the
development documents from IoT TEE vendors, the CA
and TA may require slight adjustments to meet the format
required by the new Trusted OSes and loaded into the Rich
OS and Trusted OS.
To extend S YZ T RUST to proprietary Trusted OSes, we
augment the syscall templates and the API declarations in
our designed TA and test harness with the new version
of these customized APIs. This can be done by referring
to the API documents provided by IoT vendors, which is
simple and requires minimum effort. To enable the state-
aware feature, we need expert analysis of the state-related
8
structures in the Trusted OS and the use of our state variable
inference to collect address ranges. These structures can
be extracted from the documents and header files. We rely
on two heuristics to help extract them. First, state-related
data structures usually have common names, e.g., related to
context or state. Second, the state structures will be the in-
puts and outputs of several crypto operation-related syscalls.
For example, on Link TEE Air, a pointer named context
is used among cryptographic syscalls such as tee aes init
and tee aes update, and can be further utilized to infer
state variables. This information can be obtained from the
crypto.h header file.
5. Implementation
We have implemented a prototype of S YZ T RUST on
top of S YZKALLER. We replaced S YZKALLER’s execution
engine with our custom CA and TA pair, integrating our
extended syscall templates, eliminating S YZKALLER’s triage
scheduling task, and implementing our own seed preserva-
tion and selection strategy. Sections 4.2, 4.5, and 4.6 detail
these adaptations.
Below are details about our implementations. (1) As for
the overall fuzzing framework, we use the SEGGER J-Trace
Pro debug probe to control the communication between
the fuzzing engine and the execution engine, as shown in
Figure 5. The pair of CA and TA is developed following
the GP TEE Internal Core API specification and is loaded
into the MCU following the instructions provided by the
IoT vendors. To control the debug probe, we developed a
hardware-assisted controller based on the SEGGER J-Link
SDK. The hardware-assisted controller receives commands
from the manager and sends feedback collected on the MCU
to the manager via socket communications. (2) For the selec-
tive instruction trace track, S YZ T RUST integrates the ETM
tracing component of the SEGGER J-Trace Pro and records
the instruction traces from Trusted OSes non-invasively. The
raw ETM packets decoder and branch coverage calculation
are accomplished in the hardware-assisted controller. (3)
For the state variable inference and monitoring, S YZ T RUST
follows the testing strategy in Section 4.4 and utilizes an
RTT component [2] from the SEGGER J-Trace Pro to
record related state variable values and deliver them to the
fuzzing engine. The RTT component accesses memory in
the background with high-speed transmission.
Several tools help us analyze the root cause of detected
crashes. We utilize CmBacktrace, a customized backtrace
tool [70], to track and locate error codes automatically. Ad-
ditionally, we develop TEEKASAN based on KASAN [34]
and MCUASAN [59] to help identify out-of-bound and use-
after-free vulnerabilities. We integrate TEEKASAN with
lightweight compiler instrumentation and develop shadow
memory checking for bug triaging on the open source
Trusted OSes. Since TEEKASAN only analyzed a small
number of vulnerabilities due to the limitation of the instru-
mentation tool and most Trusted OSes are closed-source, we
manually triage the remaining vulnerabilities.
  
Power interface

USB
interface
MCU
(connected to 
computer)



SWD/ETM
interface
Debug
probe
Figure 5: S YZ T RUST setup in fuzzing a target TEE imple-
mentation on the Nuvoton M2351 board. The debug probe
accesses memory and tracks instruction traces on the MCU
via the SWD/ETM interface. It also delivers data to the PC
and receives commands from the PC via a USB interface.
6. Evaluation
In this section, we comprehensively evaluate the
S YZ T RUST, demonstrating its effectiveness in fuzzing IoT
Trusted OSes. First, we evaluate the overhead breakdown
of S YZ T RUST. Second, we conduct experiments explor-
ing the effectiveness of our designs. Third, we examine
S YZ T RUST’s state variable inference capabilities. Finally,
we apply S YZ T RUST on fuzzing three real-world IoT
Trusted OSes and introduce their vulnerabilities. In sum-
mary, we aim to answer the following research questions:
RQ1: What is the overhead breakdown of S YZ T RUST?
(Section 6.2)
RQ2: Is S YZ T RUST effective for fuzzing IoT Trusted OSes?
(Section 6.3)
RQ3: Is the state variable inference method effective, and
are the inferred state variables expressive? (Section 6.4)
RQ4: How vulnerable are the real-world Trusted OSes
from different IoT vendors from S YZ T RUST’s results? (Sec-
tion 6.5)
6.1. Experimental Setup
Target Trusted OSes. We evaluate S YZ T RUST on three
Trusted OSes designed for IoT devices, mTower, TinyTEE,
and Link TEE Air. The reason for selecting these targets is
as follows. mTower and TinyTEE both provide the standard
APIs following the GP TEE Internal Core API specification.
In addition, they are developed by two leading IoT vendors,
Samsung and Tsinglink Cloud (which serve more than 30
downstream IoT manufacturers, including China TELECON
and Panasonic), respectively. Link TEE Air is a proprietary
Trusted OSes developed by Ali Cloud for S YZ T RUST to
evaluate its built-in support of closed-source and proprietary
Trusted OSes. Moreover, the three targets have been adopted
in a number of IoT devices and their security vulnerabilities
have a practical impact. In this paper, we evaluate mTower
v0.3.0, TinyTEE v3.0.1, Link TEE Air v2.0.0, and each of
them is the latest version during our experiments.
9
7LPHPV




5HVHW 7UDQVIHU ([HFXWLRQ &RY&DOF
Figure 6: Overhead breakdown of S YZ T RUST.
Experiment settings. We perform our evaluation under
the same experiment settings: a personal computer with
3.20GHz i7-8700 CPU, 32GB RAM, Python 3.8.2, Go
version 1.14, and Windows 10.
Evaluation metrics. We evaluate S YZ T RUST with the fol-
lowing three aspects. (1) We measure the branch coverage to
evaluate the capability of exploring codes, which is widely
used in recent research [15] [32]. The branch calculation is
introduced in Section 4.3. (2) To evaluate the capability of
exploring the deep state, we measure the state coverage and
the syscall sequence length of each fuzzer. Specifically, we
consider the value combinations of state variables as a state
and measure the number of different states. (3) We count the
number of unique vulnerabilities. S YZ T RUST relies on the
built-in exception handling mechanism to detect abnormal
behaviors of Trusted OSes. We explore the dedicated fault
status registers [5] to identify the HardFault exception in
concerns. These exceptions indicate critical system errors
and thus can be used as a crash signal [22]. For the crashes,
we reproduce them and report their stack traces by CmBack-
Trace to track and locate error codes. We filter stack traces
into unique function call sequences to collect the explored
unique bugs on target programs, which are widely used for
deduplication in the CVE dataset [1] and debugging for
vendors. Following best practices, we extract the top three
function calls in the stack traces to de-duplicate bugs [36],
[38]. We then analyze the root cause of the bugs manually.
State transition analysis. We further develop a script to
automatically construct a state transition tree, which helps
visually understand the practical meaning of the state vari-
ables. Specifically, we utilize the state hashes calculated
based on state variables to present the states of Trusted OSes
and take the syscall sequences as state transition labels.
6.2. Overhead Breakdown (RQ1)
We measure the execution time of sub-processes of
S YZ T RUST to assess its impact on the overall overhead. For
each fuzzing round, S YZ T RUST performs the following sub-
processes: (1) Reset means the time spent on the MCU re-
setting. (2) Transfer means the time spent on the manager
engine sending the test case. (3) Execution means the
time spent on the execution engine executing the test case. In
the meanwhile, the debug probe records the raw instruction TABLE 1: The unique vulnerabilities found by
trace packets and state variable values and transfers them S YZKALLER, S YZ T RUST BASIC, S YZ T RUST S TATE,
to the PC via RTT. (4) CovCalc means the time spent on and S YZ T RUST FS TATE in 48 hours. The vulnerabilities
the hardware-assisted controller decoding the collected raw whose IDs are marked with * have already received CVEs.
trace packets and calculating the branch coverage. In the Vul. ID Syzkaller-Baseline SyzTrust-Basic SyzTrust-State SyzTrust-FState
meanwhile, the hardware-assisted controller calculates the 1*
2*
state hashes based on the state variable values. We only 3
evaluate the sub-processes that are related to interacting 4
5*
with the resource-limited MCU, which mainly determines 6
the speed of S YZ T RUST. As introduced in Section 4.3, the 7*
8*
subprocesses of Transfer, Execution, and CovCalc 9*
10
are designed to run in parallel. 11
The results are shown in Figure 6, from which we 12*
13*
have the following conclusions. First, the overheads of 14*
Reset, Transfer, and CovCalc in S YZ T RUST are 15*
16
relatively low. Thus, using Reset to mitigate the false 17
18
positive coverage and vulnerabilities is acceptable. Second, 19
Execution takes the most time. Test cases for IoT Trusted 20
21
OSes include 14.4 syscalls on average and are complex. In 22
addition, for Execution, the Nuvoton M2351 board used 23
24
in our manuscript has no Embedded Trace Buffer (ETB), 25
26
S YZ T RUST utilizes the debug probe to stream all the ETM 27
trace data to the host PC in real time. We conducted a 48- 28
29
hour fuzzing and found the peak tracing speed is 168 KB/s, 30
and 92% of the trace files for single syscalls are smaller 31
32
than 2KB. In conclusion, the ETM tracing takes less time 33
34
than the syscall execution. 35
36
RQ1: It takes S YZ T RUST 6,290 ms on average to com- 37
38
plete a test case and to collect its feedback. The sub- Total 26 28 31 35
process of executing a test case on the MCU takes the
most time, while the orchestration and analysis take only
roughly 1% of the overall time. them, S YZ T RUST BASIC archives the highest code cov-
erage among the four fuzzers with 1,983 branches, which
6.3. Effectiveness of S YZ T RUST (RQ2) shows the effectiveness of our new scheduling tasks and the
extended syscall templates. When state coverage feedback
In this section, we evaluate S YZKALLER, is integrated into S YZ T RUST, the branch coverage explored
S YZ T RUST BASIC, S YZ T RUST S TATE, and by the S YZ T RUST S TATE and S YZ T RUST FS TATE is lower
S YZ T RUST FS TATE on mTower to explore the effectiveness than S YZ T RUST BASIC. It is because their adopted com-
of our designs, with each experiment running for 48 hours. posite feedback mechanisms drive them to preserve more
To measure our new scheduling tasks and composite seeds that trigger new states, which might have no con-
feedback mechanism, we construct two prototypes of tribution to the code coverage. Given the same evaluation
S YZ T RUST only with the new scheduling tasks and time, a certain percentage of time is assigned to mutating
only with the composite feedback mechanism, which and testing such seeds that trigger new states, and the code
are named S YZ T RUST BASIC and S YZ T RUST FS TATE, coverage growth will result in slower growth. Thus, we
respectively. In addition, to measure the necessity of our additionally perform a long-time fuzzing experiment, and
state variable inference, we construct a prototype that the result shows that S YZ T RUST FS TATE can achieve 1,984
considers the complete buffer values of two state handles branches in 74 hours.
as state variables named S YZ T RUST S TATE. We evaluate Among the four fuzzers, S YZ T RUST FS TATE trig-
three prototypes of S YZ T RUST against the state-of-the-art gers the most states with 2,132 states on average, and
fuzzer S YZKALLER, which has found a large number of S YZKALLER triggers the least states with 284 states on
vulnerabilities on several kernels and is actively maintained. average shown in Figure 7b. S YZ T RUST S TATE has similar
To reduce the randomness, we repeat all experiments ten performances on the state growth with S YZ T RUST BASIC.
times. The results are shown in Figure 7 and Table 1. It is because S YZ T RUST S TATE spends lots of time ex-
Branch coverage is calculated in terms of LCSAJ ba- ploring the test cases that trigger new values of non-state
sic block number introduced in Section 4.3. S YZKALLER variables since S YZ T RUST S TATE utilizes the two whole
triggers 1,191 branches on average and is exceeded by all handles’ values to present state. To further illustrate this
three versions of S YZ T RUST shown in Figure 7. Among deduction, we present Figure 7c, where we calculate the

10
 6\]7UXVWB)6WDWH 6\]7UXVWB)6WDWH
 6\]7UXVWB6WDWH  6\]7UXVWB6WDWH 

 6\]7UXVWB%DVLF  6\]7UXVWB%DVLF
 6\]NDOOHUB%DVHOLQH 6\]NDOOHUB%DVHOLQH
 


  
 
6\]7UXVWB)6WDWH  6\]7UXVWB)6WDWH
 6\]7UXVWB6WDWH  6\]7UXVWB6WDWH
 
 6\]7UXVWB%DVLF 6\]7UXVWB%DVLF
 6\]NDOOHUB%DVHOLQH    6\]NDOOHUB%DVHOLQH
                                                   
(a) Branch coverage. (b) States (based on variables). (c) States (based on handles). (d) Unique vulnerabilities.
Figure 7: The branch coverage growth, state numbers growth, and unique vulnerability growth discovered by S YZKALLER,
S YZ T RUST BASIC, S YZ T RUST S TATE, and S YZ T RUST FS TATE.

growth of the states based on the whole handle values. In TABLE 2: The number of state variables inferred by
such settings, S YZ T RUST S TATE triggers more states than S YZ T RUST. False postive is denoted as FP.
S YZ T RUST BASIC and S YZKALLER. However, these states Target Handle Number FP Precision
are not expressive and effective for guiding the fuzzer to T EE ObjectHandle 11 1
trigger more branch coverage and vulnerabilities. mTower 87.5%
T EE OperationHandle 13 2
T EE ObjectHandle 13 3
TinyTEE 82.6%
T EE OperationHandle 10 1
The exploration space of unique vulnerabilities trig-
T EE ObjectHandle 10 1
gered by S YZKALLER with 16 vulnerabilities on aver- OP-TEE 87.0%
T EE OperationHandle 13 2
age is fully covered and exceeded by the three ver-
sions of S YZ T RUST shown in Figure 7. Among them, context(AES) 6 2
Link TEE Air 71.4%
S YZ T RUST FS TATE detects 21 vulnerabilities on average, context(Hash) 8 2
which achieves the best vulnerability-finding capability.
S YZ T RUST S TATE has similar performances on vulnerabil-
ity detection with S YZ T RUST BASIC and they detect 20 RQ2: The design of S YZ T RUST is effective as the three
vulnerabilities on average. versions of S YZ T RUST outperform S YZKALLER in terms
of code and state coverage and number of detected vul-
nerabilities. New task scheduling with extended syscall
In addition, Table 1 shows the unique vulnerabili- templates significantly improves the fuzzer’s code ex-
ties detected by S YZKALLER and the three versions of ploration, and the composite feedback mechanism helps
S YZ T RUST in ten trials during 48 hours. The vulnera- trigger more states and detect more vulnerabilities.
bility ID in Table 1 is consistent with Table 6 in Ap-
pendix C. First, S YZ T RUST finds all the unique vulnerabil- 6.4. State Variable Inference (RQ3)
ities that S YZKALLER finds. Using the currently assigned
CVE as ground truth, S YZ T RUST detected more CVEs As for state variable inference evaluation, we first eval-
than S YZKALLER. Second, S YZ T RUST FS TATE finds the uate the precision of our state variable inference method.
most vulnerabilities and finds eight vulnerabilities that Second, we utilize the executed syscall sequences and their
S YZKALLER and S YZ T RUST BASIC cannot find. The eight state hashes to construct a state transition tree and present an
vulnerabilities are all triggered by syscall sequences whose example to show the expressiveness of our state variables.
lengths are more than 10, which indicates they are triggered For the precision evaluation, we manually analyze the
in a deep state. For instance, the vulnerability of ID 7 usage of the inferred state variables in the Trusted OSes.
occurs when the Trusted OS enters the key set&initialized We check if a state variable is used in condition statements
state after a MAC function is configured and the function to control the execution context. As for mTower and OP-
T EE M ACU pdate is invoked with an excessive size value TEE, we obtain their source codes and manually read the
of ”chunkSize”. S YZ T RUST FS TATE can detect more vul- state variable-related codes. As for TinyTEE and Link TEE
nerabilities, which is benefited from our composite feedback Air, we invite five experts with software reverse engineering
mechanism. Specifically, the fuzzer preserves the seeds that experiences to manually analyze their binary codes.
trigger new states and then can detect more vulnerabili- Table 2 shows the results. For Trusted OSes, including
ties by exploring these seeds. In summary, this evaluation a proprietary one, our active state variable inference method
reveals two observations. First, although coverage-based is effective and achieves 83.3% precision on average. These
fuzzer achieves high coverage effectively, their vulnerability validated state variables are expressive and meaningful,
detection capability will be limited when testing stateful including algorithm, operationClass (description
systems. Second, for stateful systems, understanding their identifier of operation types, e.g., CIPHER, MAC), mode
internal states and utilizing the state feedback to guide (description identifier of operation, e.g., ENCRYPT, SIGN),
fuzzing will be effective in finding more vulnerabilities. and handleState (describing the current state of the

11
 TEE_PopulateTransientObject
start 5 4
TEE_AllocateOperation TEE_InitRefAttribute,
TEE_ResetTransientObject
1 4
TEE_AllocateTransientObject TEE_SetOperationKey
2 3
TEE_InitRefAttribute, TEE_PopulateTransientObject
Figure 8: An example of state transition path from the
constructed state transition tree in mTower.
operation, e.g., an operation key has been set). The false
positive state variables are of two types. One is some
variables that indicate the length of several specific buffers,
e.g., digest length, and have specific values. Another type
is several buffers that do not likely have changeable values.
Both of them generate a few false positive new states and
have little impact on the fuzzing procedure.
To evaluate state variables’ expressiveness, we construct
a state transition tree to help visualize their practical
meanings. As shown in Figure 8, we present an example
state transition path from our constructed state transition
tree. We replace the state hashes with numerical values
in the node label to enhance the readability. Below is
the meaning of the example state transition tree. First,
TEE_OperationHandle and TEE_ObjectHandle
are allocated by TEE_AllocateOperation and
TEE_AllocateTriansientObject, respectively.
Once a handle is allocated, the state transition is
triggered. Second, TEE_ObjectHandle loads a dummy
key by executing TEE_InitRefAttribute and
TEE_PopulateTransientObject. The dummy
key is then loaded into the TEE_OperationHandle
by TEE_SetOperationKey. Then state node 4 is
triggered, indicating mTower is in the key_set state,
which is consistent with the GP TEE Internal Core API
specification. Third, TEE_ObjectHandle is reset and
TEE_OperationHandle loads an encryption key by
executing the same syscalls of the second procedure with
a valid key. Fourth, mTower turns to a new state after
TEE_CipherInit, which is specified as key_set &
initialized state in the specification. This state means
that mTower loads the key and the initialization vector
for encryption. When mTower is in the key_set &
initialized, mTower processes the ciphering operation
on provided buffers by TEE_CipherUpdate. Finally,
mTower turns to a new state after it frees all the encryption
configurations by TEE_FreeOperation. As a result,
our state presentation mechanism truthfully reflects the
workflow of symmetric encryption.
RQ3: On average, our active state variable inference
method is effective and achieves 83.3% precision on
average. In addition, from the state transition tree, the
inferred state variables are meaningful.
TABLE 3: The number of unique vulnerabilities, branches
and states found by S YZ T RUST in 90 hours.
TEE_ResetOperation,
TEE_SetOperationKey,
TEE_CipherInit
Target Unique bugs Branches States
6 TEE_CipherUpdate mTower 38 2,105 3,994
TinyTEE 13 1,072 2,908
TEE_FreeOperation Link TEE Air 19 10,710 182,324
7
6.5. Real World Trusted OSes (RQ4)
We apply S YZ T RUST on mTower from Samsung, Tiny-
TEE from Tsinglink Cloud, and Link TEE Air for 90
hours. The results are shown in Table 3. The branch and
state coverage explored by S YZ T RUST on Link TEE Air is
relatively low because Link TEE Air has a more complicated
and large code base. As for vulnerability detection, a total
of 70 vulnerabilities are found by S YZ T RUST, and 28 of
them are confirmed, while vendors are still investigating
the remaining bug reports. We have reported confirmed
vulnerabilities to MITRE, and 10 of them have already been
assigned CVEs.
We categorize vulnerabilities into seven types following
the Common Weakness Enumeration (CWE) List [24] and
we have the following conclusions. First, the Trusted OSes
suffer from frequent null/untrusted pointer dereference vul-
nerabilities. They lack code for validating supplied input
pointers. When a TA tries to read or write a malformed
pointer by invoking Trusted OS syscalls, a crash will be
triggered, resulting in a DoS attack. Even worse, care-
fully designed pointers provided by a TA to the syscall
can compromise the integrity of the execution context and
lead to arbitrary code execution, posing a significant risk.
The problem is severe since Trusted OSes frequently rely
on pointers to transfer complex data structures, which are
used in cryptographic operations. Second, the Trusted OSes
allocate resources without checking bounds. They allow
a TA to achieve excessive memory allocation via a large
len value. Since the IoT TEEs are resource-limited, these
vulnerabilities may easily cause denial of service. Third,
the Trusted OSes suffer from buffer overflow vulnerabilities.
They missed checks for buffer accesses with incorrect length
values and allowed a TA to trigger a memory overwriting,
DoS, and information disclosure. We discuss the mitigation
in Section 7 and list the vulnerabilities with their root cause
analysis found on mTower and TinyTEE in Table 6 in
Appendix C.
Case study 1: buffer overflow (CVE-2022-35858).
S YZ T RUST identifies a stack-based buffer overflow
vulnerability in TEE_PopulateTransientObject
syscall in mTower, which has 7.8 CVSS Score
according to CVE Details [3]. Specifically, the
TEE_PopulateTransientObject syscall
creates a local array directly using the parameter
attrCount without checking its size. Once
TEE_PopulateTransientObject is invoked with a
large number in attrCount, a memory overwrite will be
triggered, resulting in Denial-of-Service (DoS), information
leakage, and arbitrary code execution.
12
 Case study 2: null pointer dereference (CVE-2022-
40759). S YZ T RUST uncovers a null pointer dereference in
TEE_MACCompareFinal in mTower. A DoS attack can
be triggered by invoking TEE_MACCompareFinal with
a null pointer for the parameter operation. This bug is hard
to trigger by traditional fuzzing, as it requires testing on a
specific syscall sequence to enter a specific state. S YZ T RUST
can effectively identify such syscall sequences that trigger
new states and prioritize testing them. In this way, this
syscall sequence can be fuzzed to cause a null pointer
dereference vulnerability; otherwise, it will be discarded.
RQ4: mTower, TinyTEE and Link TEE Air are all
vulnerable. S YZ T RUST identifies 38 vulnerabilities on
mTower, 13 vulnerabilities on TinyTEE, and 19 vulner-
abilities on Link TEE Air, resulting in 10 CVEs.
7. Discussion
Ethic. We pay special attention to the potential ethical is-
sues in this work. First, we obtain all the tested Trusted OSes
from legitimate sources. Second, we have made responsible
disclosure to report all vulnerabilities to IoT vendors.
Lessons. Based on our evaluations, we provide several
security insights about the existing popular IoT Trusted
OSes. First, mTower and TinyTEE are similar to OP-TEE,
an open-source TEE implementation designed for Cortex-
A series MCUs, and they have several similar vulnerabili-
ties. For instance, they both implement vulnerable syscalls
TEE_Malloc and TEE_Realloc, which allow an exces-
sive memory allocation via a large value. In a resource-
constrained MCU, such implementations can cause a crash
and result in a DoS attack. Thus, the security principles
should be rethought to meet the requirements of the IoT
scenario. As a mitigation, we suggest adding checks when
allocating memory; this suggestion is adopted by Samsung
and TsingLink Cloud. Second, for the null/untrusted pointer
dereference and buffer overflow vulnerabilities, the input
pointers and critical parameters should be especially care-
fully checked. For the untrusted pointer dereferences on
handlers, in addition to checking if the pointer address is
valid, we suggested adding a handler list to mark if they are
allocated or released. Third, we found mTower and TinyTEE
implement several critical syscalls provided by Trusted OS
in non-privileged codes, which exposes a number of null/un-
trusted pointer dereference vulnerabilities. Thus, a TA can
easily reach these syscalls and damage the Trusted OSes.
Even worse, mTower and TinyTEE do not have memory
protection mechanisms, such as ASLR (Address Space Lay-
out Randomization). Trusted OSes and TAs are all loaded
into the same fixed address in the virtual address space. The
above two problems make the exploitation of Trusted OSes
easier. However, implementing privileged codes and mem-
ory protection mechanisms requires additional overhead,
which may be unacceptable for IoT devices. We suggest that
the downstream TA developers should be aware of it and
carefully design their TAs to mitigate this security risk, or
13
lightweight Trusted OS implementations should be designed
to minimize the overhead brought by security mechanisms.
Limitations and future work. While S YZ T RUST pro-
vides an effective way to fuzz IoT Trusted OSes, it also
exposes some opportunities for future research. First, our
current prototype of S YZ T RUST primarily targets Trusted
OSes following GP TEE Internal Core API specification. It
has built-in support for alternative Trusted OSes, including
proprietary ones, requiring certain modifications and con-
figurations. We demonstrated this flexibility by extending
to a proprietary Trusted OS and plan to extend SyzTrust
for broader applicability. Second, S YZ T RUST assumes that
a TA can be installed in the Trusted OS for assisting fuzzing
and ARM ETM is enabled for collecting the traces. In the
case of certain Trusted OSes, such as ISEE-M, which are
developed and used within a relatively tight supply chain,
we will need to engage with the providers of these Trusted
OSes to help assess the security of their respective Trusted
OSes. Finally, S YZ T RUST targets the Trusted OS of TEE,
leaving several security aspects of TEEs to be studied, e.g.,
TAs and the interaction mechanism between peripherals and
the Trusted OSes.
8. Related Work
TEE vulnerability detection. Several researchers have
studied and exploited vulnerabilities in TrustZone-based
TEEs. Marcel et al. reverse-engineer HUAWEI’s TEE com-
ponents and present a critical security review [16]. Some
researchers studied the design vulnerabilities of TEE com-
ponents [56], [67], such as Samsung’s TrustZone keymaster
[58] and the interaction between the secure world and the
normal world [43]. Recently, Cerdeira et al. analyzed more
than 200 bugs in TrustZone-assisted TEEs and presented a
systematic view [17]. Since those works require manual ef-
forts for vulnerability detection or only provide an automatic
tool to target a specific vulnerability, some literature works
on automatically testing the TEEs. Some works try to apply
other analysis tools, e.g., utilizing concolic execution [14]
and fuzzing. A number of TA fuzzing tools are developed,
such as TEEzz [15], PartEmu [32], Andrey’s work [4] and
Slava’s work [44]. On the contrary, Trusted OS fuzzing
receives little attention. To the best of our knowledge, the
only tool OP-TEE Fuzzer [55] is for open-source TEEs,
which is not applicable to closed-source IoT TEEs.
ETM-based fuzzing. Firmware analysis primarily
adopts two approaches: on-device testing [40], [41] and
rehosting [19], [51]. For on-device testing, a few ETM-
assisted analysis methods have been proposed for ARM
platforms [48], [50]. For instance, Ninjia [49] utilizes ETM
to analyze malware transparently. HApper [65] and NScope
[69] utilize ETM to unpack Android applications and ana-
lyze the Android native code. Recently, two studies have in-
tegrated ETM features into fuzzing projects. One is AFL++
CoreSight mode [46], which targets the applications running
on ARM Cortex-A platforms. Another is µAFL [37] to
fuzz Linux peripheral drivers. However, these works have
different purposes. AFL++ CoreSight mode and µAFL focus
on the application, whereas S YZ T RUST focuses on Trusted
OSes for IoT devices and incurs many challenges due to
the constrained resource and inability to instrumentation.
Moreover, S YZ T RUST proposes a novel fuzzing framework
and the state-aware feature to effectively test the state-
ful Trusted OSes. Consequently, S YZ T RUST is a novel
hardware-assisted fuzzing approach proposed in this paper.
State-aware fuzzing. Recently, state-aware fuzzing has
emerged and gained the attention of the research community.
To understand the internal states of target systems, existing
studies utilize the response code of protocol servers [28],
[52] or apply model learning [23], [63] to identify the
server’s states. StateInspector [45] utilizes explicit proto-
col packet sequences and run-time memory to infer the
server’s state machine. However, they are not applicable to
software and OSes since software and OSes do not have
such response codes or packet sequences. IJON [7] proposes
an annotation mechanism that allows the user to infer the
states during the fuzzing procedure manually. After that,
numbers of studies work on automatically inferring the state
of software and OSes [26], [47], [62], such as StateFuzz
[68], SGFUZZ [9], and FUZZUSB [35]. However, these
studies either require the source codes of targets or precise
dynamic instrumentation tools. Even worse, their targets are
Linux kernels, protocols, and drivers, and their intuitions and
observations are not suitable for IoT Trusted OSes.
9. Conclusion
We present S YZ T RUST, the first automated and practical
fuzzing system to fuzz Trusted OSes for IoT devices. We
evaluate the effectiveness of the S YZ T RUST on the Nuvoton
M2351 board with a Cortex M23, and the results show
S YZ T RUST outperforms the baseline fuzzer S YZKALLER
with 66% higher code coverage, 651% higher state cover-
age, and 31% improved vulnerability-finding capability. Fur-
thermore, we apply S YZ T RUST to evaluate real-world IoT
Trusted OSes from three leading IoT vendors and detect 70
previously unknown vulnerabilities with security impacts.
In addition, we present the understanding of Trusted OS
vulnerabilities and discuss the limitation and future work.
We believe S YZ T RUST provides developers with a powerful
tool to thwart TEE-related vulnerabilities within modern IoT
devices and complete the current TEE fuzzing scope.
Acknowledgments
We sincerely appreciate our shepherd and all the anony-
mous reviewers for their insightful comments. This work
was partly supported by NSFC under No. U1936215, the
State Key Laboratory of Computer Architecture (ICT, CAS)
under Grant No. CARCHA202001, the Fundamental Re-
search Funds for the Central Universities (Zhejiang Univer-
sity NGICS Platform), SNSF PCEGP2 186974, ERC StG
850868, Google Scholar Award, Meta Faculty Award, and
China Scholarship Council.
14
References
[1] “CVE details,” https://www.cvedetails.com.
[2] “J-Link RTT - real time transfer,” https://www.segger.com/products/
debug-probes/j-link/technology/about-real-time-transfer.
[3] “NVD, CVE: Common vulnerabilities and exposures,” https://cve.
mitre.org/.
[4] A. Andrey, “Launching feedback-driven fuzzing on trustzone tee,”
https://zeronights.ru/wp-content/themes/zeronights-2019/public/mat
erials/5 ZN2019 andrej akimovLaunching feedbackdriven fuzzing
on TrustZone TEE.pdf.
[5] ARM, “Arm Cortex-M23 Devices Generic User Guide r1p0 -
Fault Handling,” https://developer.arm.com/documentation/dui1095/
a/The-Cortex-M23-Processor/Fault-handling.
[6] ——, “TF-M platforms,” https://tf-m-user-guide.trustedfirmware.or
g/platform/index.html.
[7] C. Aschermann, S. Schumilo, A. Abbasi, and T. Holz, “Ijon: Explor-
ing deep state spaces via fuzzing,” in Proceedings of IEEE Symposium
on Security and Privacy (S&P), 2020.
[8] N. Asokan, T. Nyman, N. Rattanavipanon, A.-R. Sadeghi, and
G. Tsudik, “ASSURED: Architecture for secure software update of
realistic embedded devices,” IEEE Transactions on Computer-Aided
Design of Integrated Circuits and Systems, vol. 37, no. 11, pp. 2290–
2300, 2018.
[9] J. Ba, M. Böhme, Z. Mirzamomen, and A. Roychoudhury, “Stateful
greybox fuzzing,” in Proceedings of USENIX Security Symposium
(SEC), 2022.
[10] Beanpod, “ISEE trusted execution environment platform (Secure
OS),” https://www.beanpodtech.com/en/products/.
[11] G. Beniamini, “Extracting Qualcomm’s keymaster keys - breaking
android full disk encryption,” https://bits-please.blogspot.com/2016/
06/extracting-qualcomms-keymaster-keys.html.
[12] ——, “Hijacking the linux kernel from QSEE,” https://bits-please.bl
ogspot.com/2016/05/war-of-worlds-hijacking-linux-kernel.html.
[13] ——, “TrustZone kernel privilege escalation,” http://bits-please.blog
spot.com/2016/06/trustzone-kernel-privilege-escalation.html.
[14] M. Busch and K. Dirsch, “Finding 1-day vulnerabilities in trusted
applications using selective symbolic execution,” in Proceedings of
the 27th Annual Network and Distributed System Security Symposium
(NDSS), San Diego, CA, USA, 2020.
[15] M. Busch, A. Machiry, C. Spensky, G. Vigna, C. Kruegel, and
M. Payer, “TEEzz: Fuzzing Trusted Applications on COTS Android
devices,” in Proceedings of IEEE Symposium on Security and Privacy
(S&P), 2023.
[16] M. Busch, J. Westphal, and T. Mueller, “Unearthing the TrustedCore:
A critical review on Huawei’s trusted execution environment,” in
Proceedings of 14th USENIX Workshop on Offensive Technologies
(WOOT 20), 2020.
[17] D. Cerdeira, N. Santos, P. Fonseca, and S. Pinto, “Sok: Understanding
the prevailing security vulnerabilities in trustzone-assisted tee sys-
tems,” in Proceedings of IEEE Symposium on Security and Privacy
(S&P), 2020.
[18] Y. Chen, D. Mu, J. Xu, Z. Sun, W. Shen, X. Xing, L. Lu, and
B. Mao, “Ptrix: Efficient hardware-assisted fuzzing for cots binary,”
in Proceedings of the 2019 ACM Asia Conference on Computer and
Communications Security, 2019, pp. 633–645.
[19] A. A. Clements, E. Gustafson, T. Scharnowski, P. Grosen, D. Fritz,
C. Kruegel, G. Vigna, S. Bagchi, and M. Payer, “{HALucinator}:
Firmware re-hosting through abstraction layer emulation,” in 29th
USENIX Security Symposium (USENIX Security 20), 2020, pp. 1201–
1218.
[20] A. Cloud, “About Alibaba Cloud Link TEE,” https://iot.aliyun.com
/products/tee.
[21] P. Cohen, “Winbond partners with Nuvoton, Qinglianyun to release [41] P. Liu, S. Ji, X. Zhang, Q. Dai, K. Lu, L. Fu, W. Chen, P. Cheng,
fully integrated reference design for OTA firmware updating),” W. Wang, and R. Beyah, “IFIZZ: Deep-state and efficient fault-
https://embeddedcomputing.com/technology/iot/winbond-partners-w scenario generation to test IoT firmware,” in 2021 36th IEEE/ACM
ith-nuvoton-qinglianyun-to-release-fully-integrated-reference-desig International Conference on Automated Software Engineering (ASE).
n-for-ota-firmware-updating. IEEE, 2021, pp. 805–816.
[22] A. Community, “Cortex-M23 and Cortex-M33 - security foundation [42] L. Luo, Y. Zhang, C. Zou, X. Shao, Z. Ling, and X. Fu, “On runtime
for billions of devices,” https://community.arm.com/arm-communi software security of trustzone-m based iot devices,” in Proceedings of
ty-blogs/b/architectures-and-processors-blog/posts/cortex-m23-and-c GLOBECOM 2020-2020 IEEE Global Communications Conference,
ortex-m33---security-foundation-for-billions-of-devices. 2020.
[23] P. M. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda, “Prospex: [43] A. Machiry, E. Gustafson, C. Spensky, C. Salls, N. Stephens,
Protocol specification extraction,” in Proceedings of IEEE Symposium R. Wang, A. Bianchi, Y. R. Choe, C. Kruegel, and G. Vigna,
on Security and Privacy (S&P), 2009. “BOOMERANG: Exploiting the semantic gap in trusted execution
[24] CWE, “CWE list version 4.9,” https://cwe.mitre.org/data/index.html. environments.” in Proceedings of Network and Distributed System
Security Symposium (NDSS), 2017.
[25] A. Developer, “ARM coresight architecture specification version 3.0,”
https://developer.arm.com/documentation/ihi0029/e. [44] S. Makkaveev, “The road to Qualcomm TrustZone apps fuzzing,”
https://research.checkpoint.com/2019/the-road-to-qualcomm-trustzo
[26] A. Fioraldi, D. C. D’Elia, and D. Balzarotti, “The use of likely in- ne-apps-fuzzing.
variants as feedback for fuzzers,” in Proceedings of USENIX Security
Symposium (SEC), 2021. [45] C. McMahon Stone, S. L. Thomas, M. Vanhoef, J. Henderson,
N. Bailluet, and T. Chothia, “The closer you look, the more you
[27] A. Fitzek, F. Achleitner, J. Winter, and D. Hein, “The ANDIX learn: A grey-box approach to protocol state machine learning,” in
research OS—ARM TrustZone meets industrial control systems se- Proceedings of the 2022 ACM SIGSAC Conference on Computer and
curity,” in Proceedings of IEEE 13th International Conference on Communications Security, 2022, pp. 2265–2278.
Industrial Informatics (INDIN), 2015.
[46] A. Moroo and S. Yuichi, “ARMored core-
[28] H. Gascon, C. Wressnegger, F. Yamaguchi, D. Arp, and K. Rieck,
sight: Towards efficient binary-only fuzzing,”
“Pulsar: Stateful black-box fuzzing of proprietary network protocols,”
https://ricercasecurity.blogspot.com/2021/11/armored-coresight-
in International Conference on Security and Privacy in Communica-
towards-efficient.html, November 2021.
tion Systems, 2015.
[47] R. Natella, “Stateafl: Greybox fuzzing for stateful network servers,”
[29] GlobalPlatform, “GlobalPlatform TEE spec adoption to reach 10
Empirical Software Engineering, vol. 27, no. 7, pp. 1–31, 2022.
billion,” https://globalplatform.org/latest-news/globalplatform-tee-s
pec-adoption-to-reach-10-billion. [48] Z. Ning, C. Wang, Y. Chen, F. Zhang, and J. Cao, “Revisiting arm
[30] ——, “TEE Internal Core API Specification v1.3.1,” https://globalpl debugging features: Nailgun and its defense,” IEEE Transactions on
atform.org/specs-library/tee-internal-core-api-specification. Dependable and Secure Computing, 2021.

[31] Google, “syzkaller - kernel fuzzer,” https://github.com/google/syzk
aller.
[32] L. Harrison, H. Vijayakumar, R. Padhye, K. Sen, and M. Grace,
“PARTEMU: Enabling dynamic analysis of real-world TrustZone
software using emulation,” in Proceedings of USENIX Security Sym-
posium (SEC), 2020.
[33] Z. Hua, J. Gu, Y. Xia, H. Chen, B. Zang, and H. Guan, “vTZ:
Virtualizing ARM TrustZone,” in Proceedings of USENIX Security
Symposium (SEC), 2017.
[34] T. L. Kernel, “The kernel address sanitizer (KASAN),” https://www.
kernel.org/doc/html/v5.0/dev-tools/kasan.html.
[35] K. Kim, T. Kim, E. Warraich, B. Lee, K. R. Butler, A. Bianchi,
and D. J. Tian, “FUZZUSB: Hybrid stateful fuzzing of USB gadget
stacks,” in Proceedings of IEEE Symposium on Security and Privacy
(S&P), 2022.
[36] G. Klees, A. Ruef, B. Cooper, S. Wei, and M. Hicks, “Evaluating
fuzz testing,” in Proceedings of the 2018 ACM SIGSAC conference
on computer and communications security, 2018, pp. 2123–2138.
[37] W. Li, J. Shi, F. Li, J. Lin, W. Wang, and L. Guan, “µAFL: Non-
intrusive feedback-driven fuzzing for microcontroller firmware,” in
2022 IEEE/ACM 44th International Conference on Software Engi-
neering (ICSE), 2022.
[38] Y. Li, S. Ji, Y. Chen, S. Liang, W.-H. Lee, Y. Chen, C. Lyu, C. Wu,
R. Beyah, P. Cheng et al., “UNIFUZZ: A holistic and pragmatic
metrics-driven platform for evaluating fuzzers.” in USENIX Security
Symposium, 2021, pp. 2777–2794.
[39] Linaro, “Open portable trusted execution environment,” https://ww
w.op-tee.org.
[40] P. Liu, S. Ji, L. Fu, K. Lu, X. Zhang, J. Qin, W. Wang, and W. Chen,
“How iot re-using threatens your sensitive data: Exploring the user-
data disposal in used IoT devices,” in 2023 IEEE Symposium on
Security and Privacy (SP). IEEE, 2023, pp. 3365–3381.
[49] Z. Ning and F. Zhang, “Ninja: Towards transparent tracing and
debugging on ARM,” in Proceedings of USENIX Security Symposium
(SEC), 2017.
[50] ——, “Understanding the security of arm debugging features,” in
Proceedings of IEEE Symposium on Security and Privacy (S&P),
2019.
[51] H. Peng and M. Payer, “{USBFuzz}: A framework for fuzzing
{USB} drivers by device emulation,” in 29th USENIX Security Sym-
posium (USENIX Security 20), 2020, pp. 2559–2575.
[52] V.-T. Pham, M. Böhme, and A. Roychoudhury, “AFLNet: a greybox
fuzzer for network protocols,” in 2020 IEEE 13th International
Conference on Software Testing, Validation and Verification (ICST).
IEEE, 2020, pp. 460–465.
[53] S. Pinto, T. Gomes, J. Pereira, J. Cabral, and A. Tavares, “IIoTEED:
An enhanced, trusted execution environment for industrial IoT edge
devices,” IEEE Internet Computing, vol. 21, no. 1, pp. 40–47, 2017.
[54] S. Pinto and N. Santos, “Demystifying arm trustzone: A comprehen-
sive survey,” ACM computing surveys (CSUR), vol. 51, no. 6, pp.
1–36, 2019.
[55] Riscure, “OP-TEE fuzzer,” https://github.com/Riscure/optee fuzzer.
[56] K. Ryan, “Hardware-backed heist: Extracting ECDSA keys from
qualcomm’s trustzone,” in Proceedings of the ACM SIGSAC Con-
ference on Computer and Communications Security, 2019.
[57] Samsung, “mTower,” https://github.com/Samsung/mTower.
[58] A. Shakevsky, E. Ronen, and A. Wool, “Trust dies in darkness: Shed-
ding light on samsung’s TrustZone keymaster design,” in Proceedings
of USENIX Security Symposium (SEC), 2022.
[59] E. Styger, “Finding memory bugs with Google address sanitizer
(ASAN) on microcontrollers,” https://mcuoneclipse.com/2021/05/
31/finding-memory-bugs-with-google-address-sanitizer-asan-on-mic
rocontrollers.

15
[60] Trustonic, “Mircochip first to use Turstonic revolutionary Kinibi-M

platform for microcontrollers,” https://www.sourcesecurity.com/new 7UXVWHG26
/LQX[NHUQHO
s/mircochip-turstonic-kinibi-m-microcontrollers-co-1530084457-g 
.90

a-co-1530085342-ga-npr.1530086842.html.
[61] TsinglinkCloud, “Qinglian Cloud’s TinyTEE,” https://www.qinglian

yun.com/Front/Secure/safe.
[62] H. Wang, X. Xie, Y. Li, C. Wen, Y. Li, Y. Liu, S. Qin, H. Chen,
and Y. Sui, “Typestate-guided fuzzer for discovering use-after-free
vulnerabilities,” in Proceedings of IEEE/ACM 42nd International
Conference on Software Engineering (ICSE), 2020.
[63] Q. Wang, S. Ji, Y. Tian, X. Zhang, B. Zhao, Y. Kan, Z. Lin, C. Lin,
S. Deng, A. X. Liu et al., “MPInspector: A systematic and automatic
approach for evaluating the security of IoT messaging protocols,” in
30th USENIX Security Symposium (USENIX Security 21), 2021, pp.
4205–4222.
[64] Wikipedia, “Trusted execution environment,” https://en.wikipedia.o
rg/wiki/Trusted execution environment.
[65] L. Xue, H. Zhou, X. Luo, Y. Zhou, Y. Shi, G. Gu, F. Zhang,
and M. H. Au, “Happer: Unpacking android apps via a hardware-
assisted approach,” in Proceedings of IEEE Symposium on Security
and Privacy (S&P), 2021.
[66] D. F. Yates and N. Malevris, “The effort required by LCSAJ testing:
an assessment via a new path generation strategy,” Software Quality
Journal, vol. 4, no. 3, pp. 227–242, 1995.
[67] B. Zhao, S. Ji, X. Zhang, Y. Tian, Q. Wang, Y. Pu, C. Lyv, and
R. Beyah, “UVSCAN: Detecting third-party component usage vi-
olations in IoT firmware,” in 32nd USENIX Security Symposium
(USENIX Security 23), 2023.
[68] B. Zhao, Z. Li, S. Qin, Z. Ma, M. Yuan, W. Zhu, Z. Tian, and
C. Zhang, “StateFuzz: System call-based state-aware linux driver
fuzzing,” in Proceedings of USENIX Security Symposium (SEC),
2022.
[69] H. Zhou, S. Wu, X. Luo, T. Wang, Y. Zhou, C. Zhang, and H. Cai,
“NCScope: hardware-assisted analyzer for native code in android
apps,” in Proceedings of the 31st ACM SIGSOFT International Sym-
posium on Software Testing and Analysis, 2022, pp. 629–641.
[70] T. Zhu, “CmBacktrace: ARM Cortex-M series MCU error tracking
library,” https://github.com/armink/CmBacktrace.
5DWLR






@ @ @ @ @ @ @ @ @ @ @ @ @
/HQJWKLQWHUYDO
Figure 9: The seed length ratio.
Appendix A.
The Motivation of the New Scheduling
To justify our motivation for the new scheduling tasks
design for fuzzing the IoT Trusted OS implementation,
we compare the seed length ratio when testing Trusted
OSes, Linux kernel and KVM. In the evaluation, we utilize
S YZKALLER to test mTower, Linux kernel (git checkout
356d82172), and KVM v5.19 for 24 hours, and the re-
sults are shown in Figure 9. As shown in Figure 9, the
average seed length when fuzzing Trusted OSes is 27.8
while the others are less than 7. In the triage scheduling
task, S YZKALLER removes syscalls one by one in a syscall
sequence. Then S YZKALLER tests the modified syscall se-
quences to get the smallest syscall sequence that maintains
the same code coverage. For those syscall sequences whose
length is more than 30, the triage scheduling tasks prob-
ably spend lots of time on removing syscalls and testing
the modified syscall sequences. In addition, we count the
number of minimized syscalls when fuzzing mTower. In a
48-hours fuzzing, only 56 syscall sequences are minimized,
and among them, 18 syscall sequences only are removed
with one syscall in the triaging tasks. Thus, S YZ T RUST
doesn’t have to perform triaging tasks since most test cases
will not be minimized.

Appendix B.
Scope and Scalability of S YZ T RUST
We first provide an overview of the major Trusted OSes
from leading IoT vendors and use the objective data to
validate our assumptions. Then, we justify how to extend
S YZ T RUST for Cortex-A TEE OSes.
TABLE 4: An overview of the major Trusted OS implemen-
tations provided by leading IoT vendors.
Support
Vendor Trusted OS Standards Some of supported devices
(installing TA)
Samsung mTower GP Standards NuMaker-PFM-M2351
Alibaba Link TEE Air Proprietary NuMaker-PFM-M2351
TsingLink Cloud TinyTEE GP Standards NuMaker-PFM-M2351/LPC55S69/STM32L562
Beanpod ISEE-M GP Standards LPC55S series/GD32W515/STM32L5 series
Trustonic Kinibi-M PSA Certified APIs MicroChip SAML11
ARM TF-M PSA Certified APIs NuMaker-PFM-M2351, STM32L5, ...

As shown in Table 4, there are six major Trusted OSes

for IoT devices, which are widely adopted by the major IoT
MCUs [6], [10], [20], [21], [57], [60], [61]. Three of them
follow the GP standards, and they all allow TA installation.

16
 TABLE 5: ETM feature on IoT devices. 2) Identifies an Impactful Vulnerability. Several vulnera-
Manufacturer Device
Privilige Secure Debug Debug Authentication bilities were identified, and CVEs are disclosed.
(including ETM) Managerment
Nuvoton NuMaker-PFM-M2351 Enable in default ICP programming tool
3) Provides a Valuable Step Forward in an Established
NXP Semiconductors LPC55S69 Enable in default Debug credential certificate Field. This paper leverages hardware-assisted features
STMicroelectronics STM32L562 Enable in default STM32CubeProgrammer
GigaDevice GD32W515 Enable in default Efuse such as Arm ETM to further improve the effectiveness
MicroChip SAML11 Enable in default Extern debugger
of TEE OS fuzzing on IoT devices.

In addition, as shown in Table 5, though the devices have
multiple debug authentication to disable the privilege secure
debug (debug in secure privileged modes), they enable priv-
ilege secure debug by default, thereby enabling the ETM
feature to collect execution traces. Thus, S YZ T RUST can
be directly deployed on half of the major Trusted OSes.
As for other Trusted OSes, S YZ T RUST can be applied with
modification introduced in Section 5.
Though our paper focuses on Cortex-M Trusted OS for
IoT devices, S YZ T RUST can be applied to those Trusted
OSes for Cortex-A that allows installing a TA and having
their ETM feature enabled. For instance, OP-TEE from
Linaro, Link TEE Pro from Ali Cloud, and iTrustee from
Huawei meet these assumptions. However, for the Cortex-A
Trusted OSes that are developed and employed in a rela-
tively private supply chain, such as QSEE from Qualcomm,
we can collaborate with those mobile vendors and help them
vet the security of their Trusted OSes.
Appendix C.
Vulnerabilites Found by S YZ T RUST
We present all the vulnerabilities found by S YZ T RUST
on mTower, TinyTEE and Link TEE Air with their root
cause in Table 6. We update the vulnerabilities disclosure
progress in the GitHub link https://github.com/SyzTrust.
Appendix D.
Meta-Review
D.1. Summary
This paper presents a fuzzing framework for TEEs on
IoT devices. It leverages hardware-assisted features such
as Arm ETM to collect traces. It uses the state and code
coverage as composite feedback to guide the fuzzer to
effectively explore more states.
D.4. Noteworthy Concerns
The proposed fuzzing framework targets Trusted OSes
following GP TEE internal API specification. It is assumed
that a TA can be installed in the trusted OS for assisting
fuzzing. Arm ETM needs to be enabled for collecting the
traces.
Appendix E.
Response to the Meta-Review
The meta-review notes that our proposed fuzzing frame-
work, SyzTrust, targets trusted OSes following GP TEE
Internal API specification. To clarify, SyzTrust also has
built-in support for testing alternative Trusted OSes, includ-
ing proprietary ones, as demonstrated by our extension of
SyzTrust to the proprietary ”Link TEE Air”. We are also
extending our SyzTrust prototype to other OSes.
The meta-review notes that SyzTrust assumed that a
TA can be installed in the trusted OS for assisting fuzzing
and ARM ETM needs to be enabled for collecting the
traces. We agree and note that these assumptions align with
typical IoT Trusted OS scenarios. SyzTrust focuses on the
Trusted OS binaries provided by IoT vendors, delivering
security insights for device manufacturers and end users.
First, given that IoT device manufacturers often need to im-
plement device-specific TAs, Trusted OS binaries supplied
by IoT vendors generally allow TA installation (similar to
smartphones where manufacturers can similarly install TAs
in the respective TEEs). Second, SyzTrust tests IoT Trusted
OSes by deploying them on development boards where ETM
is enabled by default. For certain Trusted OSes that are
developed and used within a relatively private supply chain,
we will need to engage with the providers of these Trusted
OSes to help assess the security of their respective Trusted
OSes. Appendix B provides a detailed discussion along with
supporting data.

D.2. Scientific Contributions

• Creates a New Tool to Enable Future Science
• Identifies an Impactful Vulnerability
• Provides a Valuable Step Forward in an Established
Field

D.3. Reasons for Acceptance

1) Creates a New Tool to Enable Future Science. This
paper presents a new fuzzing tool that targets IoT
Trusted OSes.

17
 TABLE 6: Vulnerabilities detected by S YZ T RUST.
Vul. ID Target Description Status Root Cause & Impact
Allocation of resources CVE-2022-38155
1 mTower TEE Malloc allows a TA to achieve excessive memory allocation via a large len value
without limits or throttling (7.5 HIGH)
Allocation of resources CVE-2022-40762
2 mTower TEE Realloc allows a TA to achieve excessive memory allocation via a large len value
without limits or throttling (7.5 HIGH)
Allocation of resources
3 mTower Confirmed TEE AllocateOperation allows a TA to achieve excessive memory allocation via a large len value
without limits or throttling
Allocation of resources
4 mTower Confirmed TEE AllocateTransientObject allows a TA to achieve excessive memory allocation via a large len value
without limits or throttling
CVE-2022-40761 The function tee obj free allows a TA to trigger a denial of service by invoking the function TEE AllocateOperation with a disturbed heap layout, related
5 mTower Improper input validation
(7.5 HIGH) to utee cryp obj alloc
A Buffer Access with Incorrect Length Value vulnerability in the TEE MemMove function allows a TA to trigger a denial of service by invoking the function
6 mTower Buffer overflow Reported
TEE MemMove with a ”size” parameter that exceeds the size of ”dest”.
CVE-2022-40760 A Buffer Access with Incorrect Length Value vulnerability in the TEE MACUpdate function allows a TA to trigger a denial of service by invoking the function
7 mTower Buffer overflow
(7.5 HIGH) TEE MACUpdate with an excessive size value of chunkSize.
CVE-2022-40757 A Buffer Access with Incorrect Length Value vulnerability in the TEE MACComputeFinal function allows a TA to trigger a denial of service by invoking
8 mTower Buffer overflow
(7.5 HIGH) the function TEE MACComputeFinal with an excessive size value of messageLen.
CVE-2022-40758 A Buffer Access with Incorrect Length Value vulnerability in the TEE CipherUpdate function allows a TA to trigger a denial of service by invoking the function
9 mTower Buffer overflow
(7.5 HIGH) TEE CipherUpdate with an excessive size value of srcLen.
A Buffer Access with Incorrect Length Value vulnerability in the TEE DigestDoFinal function allows a TA to trigger a denial of service by invoking the function
10 mTower Buffer overflow Reported
TEE DigestDoFinal with an excessive size value of chunkLen.
A Buffer Access with Incorrect Length Value vulnerability in the TEE DigestUpdate function allows a TA to trigger a denial of service by invoking the function
11 mTower Buffer overflow Reported
TEE DigestUpdate with an excessive size value of chunkLen.
Missing release of memory CVE-2022-35858 The TEE PopulateTransientObject and utee from attr functions allow a TA to trigger a memory overwrite, denial of service, and information disclosure
12 mTower
after effective lifetime (7.8 HIGH) by invoking the function TEE PopulateTransientObject with a large number in the parameter attrCount.
CVE-2022-40759
13 mTower NULL pointer dereference TEE MACCompareFinal contains a NULL pointer dereference on the parameter operation
(7.5 HIGH)
CVE-2022-36621
14 mTower NULL pointer dereference TEE AllocateTransientObject contains a NULL pointer dereference on the parameter object
(7.5 HIGH)
CVE-2022-36622
15 mTower NULL pointer dereference TEE GetObjectInfo1 contains a NULL pointer dereference on the parameter objectInfo
(7.5 HIGH)
16 mTower NULL pointer dereference Confirmed TEE GetObjectInfo contains a NULL pointer dereference on the parameter objectInfo
17 mTower Untrusted pointer dereference Reported Uncertain (provided the PoC to the vendor)
18 mTower Untrusted pointer dereference Reported Uncertain (provided the PoC to the vendor)
TEE GetObjectInfo and utee cryp obj get info functions allow a corruption on the link field of object handle and then a Denial of Service (DoS) will
19 mTower Untrusted pointer dereference Reported
be triggered by invoking the function tee obj get
20 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE MACComputeFinal function
21 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE SetOperationKey2 function
22 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE MACUpdate function
23 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE GetOperationInfoMultiple function
24 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE AEEncryptFinal function
25 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE MACInit function
26 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE SetOperationKey function
27 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE ResetOperation function
28 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE DigestUpdate function
29 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE AEDecryptFinal function
30 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE CipherInit function
31 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE FreeOperation function
32 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE DigestDoFinal function
33 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE AllocateOperation function
34 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE FreeTransientObject function
35 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE AEUpdate function
36 mTower Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE ResetOperation function
37 mTower Untrusted pointer dereference Reported Uncertain (provided the PoC to the vendor)
38 mTower Untrusted pointer dereference Reported Uncertain (provided the PoC to the vendor)
Allocation of resources
39 TinyTEE Confirmed TEE Malloc allows a trusted application to achieve Excessive Memory Allocation via a large len value
without limits or throttling
Allocation of resources
40 TinyTEE Confirmed TEE Realloc allows a trusted application to achieve Excessive Memory Allocation via a large len value
without limits or throttling
41 TinyTEE NULL pointer dereference Confirmed TEE AllocateTransientObject contains a NULL pointer dereference on the parameter object
42 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE DigestUpdate function
43 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE SetOperationKey function
44 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE SetOperationKey function
45 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE ResetOperation function
46 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE FreeOperation function
47 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE CipherDoFinal function
48 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE CipherInit function
49 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE AllocateOperation function
50 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE AsymmetricSignDigest function
51 TinyTEE Untrusted pointer dereference Confirmed An invalid pointer dereference can be triggered when a TA tries to read a malformed TEE OperationHandle by the TEE CipherUpdate function
52 Link TEE Air NULL pointer dereference Reported tee memcpy calls tee osa memcpy, which contains a NULL pointer dereference on the result object
53 Link TEE Air NULL pointer dereference Reported tee strcpy calls tee osa strcpy, which contains a NULL pointer dereference on the result object
54 Link TEE Air NULL pointer dereference Reported tee memset calls tee osa strcpy, which contains a NULL pointer dereference on the result object
tee hash update does not check the size of its second parameter ”size” and calls dev ioctl, which triggers an invalid memory access with large ”size” value
55 Link TEE Air Buffer overflow Reported
when consecutively copying 64 bytes in tee osa memcpy
56 Link TEE Air NULL pointer dereference Reported tee memmove calls tee osa memmove, which contains a NULL pointer dereference on the result object
57 Link TEE Air NULL pointer dereference Reported tee strcat calls tee osa strcat, which contains a NULL pointer dereference on the result object
tee hash digest does not check the size of its third parameter ”size” and calls dev ioctl, which triggers an heap overflow with large ”size” value and causes
58 Link TEE Air Buffer overflow Reported
an invalid pointer dereference in tee osa free
An invalid pointer dereference can be triggered when a trusted application tries to access an invalid address in the pool free function called
59 Link TEE Air Untrusted pointer dereference Reported
by tee osa free and tee free
60 Link TEE Air NULL pointer dereference Reported tee strncpy calls tee osa strncpy, which contains a NULL pointer dereference on the result object
61 Link TEE Air NULL pointer dereference Reported tee strcasecmp calls tee osa strcasecmp, which contains a NULL pointer dereference on the s1 and s2 object
62 Link TEE Air NULL pointer dereference Reported tee memcmp calls tee osa memcmp, which contains a NULL pointer dereference on the s1 and s2 object
63 Link TEE Air Untrusted pointer dereference Reported An invalid pointer dereference can be triggered when a trusted application tries to access an invalid address in the tee hash init function
64 Link TEE Air NULL pointer dereference Reported tee strncat calls tee osa strncat, which contains a NULL pointer dereference on the result object
65 Link TEE Air NULL pointer dereference Reported tee strnlen calls tee osa strnlen, which contains a NULL pointer dereference on the s object
tee base64 encode does not check the size of its parameters ”src len” and ”dst”, which triggers a buffer overflow if ”src len” is larger than the size
66 Link TEE Air Buffer overflow Reported
of ”dst” and ruins the metadata of the next chunk
67 Link TEE Air NULL pointer dereference Reported tee strlen calls tee osa strlen, which contains a NULL pointer dereference on the s object
68 Link TEE Air NULL pointer dereference Reported tee strcmp calls tee osa strcmp, which contains a NULL pointer dereference on the s1 and s2 object
tee hash final does not check the size of its first parameter ”dgst” and calls dev ioctl, which triggers an heap overflow if the size of ”dgst” is smaller than
69 Link TEE Air Buffer overflow Reported
48 bytes and causes an invalid pointer dereference in tee osa free
An invalid pointer dereference can be triggered when a trusted application tries to access an invalid address in the tee osa memcpy function
70 Link TEE Air Untrusted pointer dereference Reported
called by tee aes init

18