SyncEmu: Enabling Dynamic Analysis of Stateful Trusted Applications


Research area: Analysis



Conference: 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)


Abstract

Modern mobile devices leverage ARM TrustZone to implement a Trusted Execution Environment (TEE). The security-critical services, called Trusted Applications (TAs), deployed in these TEEs form the backbone of those devices' security architectures. Unfortunately, TAs are not free from bugs and constitute the biggest attack surface of the TEE. A vulnerability in a TA can have devastating consequences, fundamentally compromising the whole system's security. Given the locked-down nature of COTS smartphones, the analysis of closed-source TAs remains challenging for independent security researchers. In this paper, we present SyncEmu to enable dynamic analysis of proprietary TAs found on COTS Android devices. To this end, we develop a framework to execute unmodified TEE firmware in an emulated environment (so-called rehosting). Using SyncEmu, we successfully rehost TrustedCore, a closed-source TEE implementation found on older Huawei devices. Furthermore, we propose and implement a novel technique called CA-in-the-loop, that allows SyncEmu to forward realistic requests of Client Applications (CAs) running on a physical smartphone to the rehosted TAs, pushing the boundaries of state-of-the-art in TEE rehosting.


Author Profile
Christian Lindenmeier

FAU Erlangen-Nürnberg

Matti Schulze

FAU Erlangen-Nürnberg

Jonas Röckl

FAU Erlangen-Nürnberg


Paper information

Publication year: 2024
Citations: 183
Publication country:
Site: IEEE