CROWBAR: Natively Fuzzing Trusted Applications Using ARM CoreSight
| Published in: | Journal of Hardware and Systems Security 2023-09, Vol.7 (2-3), p.44-54 |
|---|---|
| Main authors: | |
| Format: | Article |
| Language: | eng |
| Subject headings: | |
| Online access: | Full text |
| Abstract: | Trusted execution environments (TEE) are deployed on many platforms to provide both confidentiality and integrity, and their extensive use offers a secure environment for privacy-sensitive operations. Despite TEE prevalence in the smartphone and tablet market, vulnerability research into TEE security is relatively rare. This is, in part, due to the strong isolation guarantees provided by its implementation. In this paper, we propose a hardware-assisted fuzzing framework, CROWBAR, that bypasses TEE isolation to natively evaluate trusted applications (TAs) on mobile devices by leveraging ARM CoreSight components. CROWBAR performs feedback-driven fuzzing on commercial, closed-source TAs while running in a TEE-protected environment. We implement CROWBAR on 2 prototype commercial-off-the-shelf (COTS) smartphones and one development board, finding 3 unique crashes in 5 closed-source TAs that are previously unreported in the TrustZone fuzzing literature. |
|---|---|
| ISSN: | 2509-3428, 2509-3436 |
| DOI: | 10.1007/s41635-023-00133-3 |