Researchers are increasingly focused on securing mobile devices, which depend on Trusted Execution Environments (TEEs) to protect sensitive data and code. Philipp Mao from EPFL, Li Shi from DarkNavy, Marcel Busch from EPFL, and Mathias Payer from EPFL demonstrate a significant advance in this field with TÄMU, a rehosting platform that enables dynamic analysis of TEE Applications (TAs) by intercepting their calls at the API layer. This work is particularly important because the closed-source nature of most TEEs currently limits security testing to static analysis, hindering comprehensive vulnerability discovery. By leveraging GlobalPlatform API standardisation and a novel ‘greedy high-level emulation’ technique, TÄMU successfully emulates 67 TAs across four TEEs, uncovering 17 previously unknown zero-day vulnerabilities and highlighting a critical need for improved dynamic analysis within the mobile TEE ecosystem.
This breakthrough addresses a significant gap in mobile security testing, as closed-source TEEs and their fragmented implementations have historically limited analysis to static methods.
TÄMU facilitates fuzzing and debugging of TAs by intercepting their execution at the Application Programming Interface (API) layer, offering a practical solution for identifying vulnerabilities. The platform’s design leverages the increasing standardization of TEE APIs, driven by the GlobalPlatform specifications, to scale across diverse TEEs and reduce emulation complexity.
To overcome challenges posed by TEE-specific APIs not covered by GlobalPlatform standards, TÄMU introduces a novel technique called greedy high-level emulation. This prioritises manual rehosting efforts based on the potential coverage gain achieved during fuzzing, maximising the effectiveness of limited resources.
Implementation of TÄMU involved emulating 67 TAs across four distinct TEEs, demonstrating its versatility and scalability. Fuzzing campaigns utilising the platform uncovered 17 previously unknown zero-day vulnerabilities across 11 TAs, highlighting the critical need for dynamic analysis capabilities within the TEE ecosystem.
The study reveals a substantial deficit in dynamic analysis tools for TEEs, even among vendors with access to source code. TÄMU promises to bridge this gap by providing an effective and practical means of performing dynamic analysis on mobile TEEs, enhancing the security of sensitive data and critical functions.
Initial results show that leveraging GlobalPlatform and standard libc APIs allows execution of 39% of TA code, with the addition of a limited number of TEE-specific APIs increasing basic block execution to up to 90%. This platform facilitates fuzzing and debugging by intercepting TA calls at the Application Programming Interface (API) layer.
To achieve scalability across numerous TAs and diverse TEEs, TÄMU capitalizes on the increasing standardization of TEE APIs, driven by GlobalPlatform specifications. The study meticulously identifies and leverages the adoption of GlobalPlatform APIs to enable cost-effective high-level emulation (HLE) within the TA ecosystem.
Empirical validation confirms a growing industry trend towards these APIs, unlocking economies of scale previously hindered by fragmented hardware abstraction layers. For TEE-specific APIs not universally shared, TÄMU introduces a novel technique termed greedy high-level emulation, prioritizing manual rehosting efforts based on potential fuzzing coverage gains.
TÄMU was implemented to emulate 67 TAs across four distinct TEEs, demonstrating its broad compatibility and adaptability. The methodology contrasts sharply with prior art in HLE, which struggled with fragmented hardware abstraction layers and limited scalability.
Unlike previous approaches, which required extensive manual effort to infer and maintain HAL shims, TÄMU benefits from the unified abstraction offered by GlobalPlatform, enabling a more portable and efficient rehosting solution. Fuzzing campaigns utilising TÄMU identified 17 zero-day vulnerabilities across 11 TAs. The vulnerabilities were responsibly disclosed to the respective vendors, and their discovery highlights a significant gap in dynamic analysis capabilities within the TEE ecosystem.
The study quantified API standardisation across TEEs, revealing that 94% of analysed TAs utilise at least one TEE-specific API alongside standard libc APIs and GlobalPlatform APIs. Implementing support for GlobalPlatform and libc APIs initially enabled execution reaching 39% of the code within the tested TAs.
Further implementation of TEE-specific APIs, prioritised using a greedy high-level emulation technique, increased basic block execution to up to 90%. This greedy HLE approach demonstrated that 70% of the most impactful TEE-specific APIs could be realistically replaced with either GlobalPlatform or libc APIs, reducing the overall implementation effort.
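The prioritisation step described above can be illustrated with a small model. The following is an added example, not code from the TÄMU authors: it assumes a static call graph in which each TA function has a basic-block count and a list of callees, treats emulation as aborting at the first call to an API the rehosting layer does not provide, and greedily picks the TEE-specific API whose single-step coverage gain is largest. The TEE_* names are GlobalPlatform Internal Core API functions; the vendor_* names and the call graph itself are constructed for the illustration.

```python
from collections import Counter
# Constructed sample TA call graph: name -> (basic blocks, callees); callees not in
# the graph are external APIs. TEE_* are GlobalPlatform Internal Core API
# functions; vendor_* are hypothetical TEE-specific APIs made up for this example.
ENTRY = "TA_InvokeCommandEntryPoint"
CALLGRAPH = {
    ENTRY:         (10, ["TEE_CheckMemoryAccessRights", "cmd_encrypt",
                         "cmd_store", "cmd_read", "cmd_attest"]),
    "cmd_encrypt": (25, ["TEE_Malloc", "vendor_hw_aes", "TEE_Free"]),
    "cmd_store":   (15, ["vendor_rpmb_write", "vendor_rpmb_read"]),
    "cmd_read":    (8,  ["vendor_rpmb_read"]),
    "cmd_attest":  (30, ["vendor_get_device_id", "sign_blob"]),
    "sign_blob":   (40, ["TEE_AsymmetricSignDigest", "vendor_hw_rng"]),
}
GP_SUPPORTED = {"TEE_CheckMemoryAccessRights", "TEE_Malloc", "TEE_Free",
                "TEE_AsymmetricSignDigest"}   # what the rehosting layer provides

def coverage(graph, entry, supported):
    # Model: emulation aborts at the first unsupported API call, so a function
    # counts (and its callees are explored) only if all its APIs are supported.
    seen, stack, total = set(), [entry], 0
    while stack:
        name = stack.pop()
        if name in seen or name not in graph:
            continue
        seen.add(name)
        blocks, callees = graph[name]
        if any(a not in supported for a in callees if a not in graph):
            continue                      # unsupported API: execution stops here
        total += blocks
        stack.extend(c for c in callees if c in graph)
    return total

def greedy_hle(graph, entry, supported, budget):
    # Repeatedly implement the API with the largest single-step coverage gain; an
    # API that only pays off together with another has zero gain alone, so ties
    # are broken by call-site count and such dependencies still get picked up.
    supported = set(supported)
    callsites = Counter(a for _, cs in graph.values() for a in cs if a not in graph)
    plan = []
    for _ in range(budget):
        todo = [a for a in callsites if a not in supported]
        if not todo:
            break
        base = coverage(graph, entry, supported)
        gain = {a: coverage(graph, entry, supported | {a}) - base for a in todo}
        best = max(todo, key=lambda a: (gain[a], callsites[a]))
        supported.add(best)
        plan.append((best, gain[best]))
    return plan, coverage(graph, entry, supported)
```

With only the GlobalPlatform subset, 10 of the 128 sample blocks are reachable; three greedy steps raise that to 105, and the two RPMB APIs, which only pay off together, are picked last.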
Static analysis revealed that implementing a focused set of TEE-specific APIs yielded substantial gains in code coverage. The research demonstrates that TÄMU’s API interception approach is feasible, correctly executing the 67 TAs and reproducing known vulnerabilities. TÄMU leverages the standardization driven by GlobalPlatform specifications to scale to numerous TAs across diverse TEEs.
The platform’s greedy high-level emulation technique prioritises manual rehosting efforts based on potential coverage gains during fuzzing, optimising the emulation process. This platform enables techniques like fuzzing and debugging, addressing a significant gap in security testing capabilities for these sensitive components.
TÄMU achieves this by intercepting application calls at the API layer, allowing for analysis outside of the typically closed-source and fragmented TEE ecosystems. The system leverages the increasing standardisation of TEE APIs, guided by GlobalPlatform specifications, to scale across multiple applications and TEEs.
Where TEE-specific APIs deviate from these standards, TÄMU employs a technique called greedy high-level emulation, prioritising manual rehosting efforts based on potential coverage gains during fuzzing. Implementation of TÄMU successfully emulated 67 Trusted Applications across four distinct TEEs, revealing 17 previously unknown vulnerabilities across 11 applications.
The authors acknowledge that complete emulation remains a challenge, with initial implementation reaching coverage of 39% of potentially reachable basic blocks. However, combining support for standard APIs with greedy high-level emulation extended this reach to 90%. Future work could focus on expanding support for additional TEE-specific APIs and refining the emulation techniques to improve coverage and efficiency.
The availability of TÄMU’s source code and associated materials should facilitate further research and development in this critical area of mobile security. These findings demonstrate the feasibility of effective dynamic analysis within the mobile TEE domain, offering a valuable tool for identifying and mitigating security vulnerabilities.
👉 More information
🗞 TÄMU: Emulating Trusted Applications at the (GlobalPlatform)-API Layer
🧠 ArXiv: https://arxiv.org/abs/2601.20507
