{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T16:32:10Z","timestamp":1783009930163,"version":"3.54.5"},"reference-count":22,"publisher":"Springer Science and Business Media LLC","issue":"2-3","license":[{"start":{"date-parts":[[2023,6,15]],"date-time":"2023-06-15T00:00:00Z","timestamp":1686787200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,6,15]],"date-time":"2023-06-15T00:00:00Z","timestamp":1686787200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100000015","name":"U.S. Department of Energy","doi-asserted-by":"publisher","award":["DE-SC0018430"],"award-info":[{"award-number":["DE-SC0018430"]}],"id":[{"id":"10.13039\/100000015","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000015","name":"U.S. Department of Energy","doi-asserted-by":"publisher","award":["DE-SC0018430"],"award-info":[{"award-number":["DE-SC0018430"]}],"id":[{"id":"10.13039\/100000015","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000015","name":"U.S. Department of Energy","doi-asserted-by":"publisher","award":["DE-SC0018430"],"award-info":[{"award-number":["DE-SC0018430"]}],"id":[{"id":"10.13039\/100000015","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Hardw Syst Secur"],"published-print":{"date-parts":[[2023,9]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Trusted execution environments (TEE) are deployed on many platforms to provide both confidentiality and integrity, and their extensive use offers a secure environment for privacy-sensitive operations. Despite TEE prevalence in the smartphone and tablet market, vulnerability research into TEE security is relatively rare. This is, in part, due to the strong isolation guarantees provided by its implementation. In this paper, we propose a hardware assisted fuzzing framework, CROWBAR, that bypasses TEE isolation to natively evaluate trusted applications (TAs) on mobile devices by leveraging ARM CoreSight components. CROWBAR performs feedback-driven fuzzing on commercial, closed source TAs while running in a TEE protected environment. We implement CROWBAR on 2 prototype commercial-off-the-shelf (COTS) smartphones and one development board, finding 3 unique crashes in 5 closed source TAs that are previously unreported in the TrustZone fuzzing literature.<\/jats:p>","DOI":"10.1007\/s41635-023-00133-3","type":"journal-article","created":{"date-parts":[[2023,6,15]],"date-time":"2023-06-15T22:01:22Z","timestamp":1686866482000},"page":"44-54","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["CROWBAR: Natively Fuzzing Trusted Applications Using ARM CoreSight"],"prefix":"10.1007","volume":"7","author":[{"given":"Haoqi","family":"Shan","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Moyao","family":"Huang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yujia","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sravani","family":"Nissankararao","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yier","family":"Jin","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Shuo","family":"Wang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Dean","family":"Sullivan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2023,6,15]]},"reference":[{"key":"133_CR1","unstructured":"Ltd A. System IP. https:\/\/www.arm.com\/products\/silicon-ip-system. (Date last Access 28 July 2022)"},{"key":"133_CR2","doi-asserted-by":"crossref","unstructured":"Fasano A, Ballo T, Muench M, Leek T, Bulekov A, Dolan-Gavitt B, Egele M, Francillon A, Lu L, Gregory N et al (2021) Sok: Enabling security analyses of embedded systems via rehosting. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 687\u2013701","DOI":"10.1145\/3433210.3453093"},{"issue":"3","key":"133_CR3","doi-asserted-by":"publisher","first-page":"1199","DOI":"10.1109\/TR.2018.2834476","volume":"67","author":"H Liang","year":"2018","unstructured":"Liang H, Pei X, Jia X, Shen W, Zhang J (2018) Fuzzing: State of the art. IEEE Trans Reliab 67(3):1199\u20131218","journal-title":"IEEE Trans Reliab"},{"key":"133_CR4","unstructured":"Harrison L, Vijayakumar H, Padhye R, Sen K, Grace M (2020) Partemu: Enabling dynamic analysis of real-world trustzone software using emulation. In: Proceedings of the 29th USENIX Conference on Security Symposium. SEC\u201920. USENIX Association, USA"},{"key":"133_CR5","doi-asserted-by":"publisher","unstructured":"Busch M, Machiry A, Spensky C, Vigna G, Kruegel C, Payer M (2023) Teezz: Fuzzing trusted applications on cots android devices. In: 2023 2023 IEEE Symposium on Security and Privacy (SP) (SP), pp. 220\u2013235. IEEE Computer Society, Los Alamitos, CA, USA. https:\/\/doi.org\/10.1109\/SP46215.2023.00013. https:\/\/doi.ieeecomputersociety.org\/10.1109\/SP46215.2023.00013","DOI":"10.1109\/SP46215.2023.00013"},{"key":"133_CR6","unstructured":"ARM (2018) ARM\u00ae Embedded Trace Macrocell Architecture Specification: ETMv4.0 to ETMv4.6. ARM"},{"key":"133_CR7","unstructured":"Fioraldi A, Maier D, Ei\u00dffeldt H, Heuse M (2020) {AFL++}: Combining incremental steps of fuzzing research. In: 14th USENIX Workshop on Offensive Technologies (WOOT 20)"},{"key":"133_CR8","unstructured":"ARM (2015) CoreSight SoC-400. ARM. (Date last Access 28 July 2022)"},{"issue":"6","key":"133_CR9","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3291047","volume":"51","author":"S Pinto","year":"2019","unstructured":"Pinto S, Santos N (2019) Demystifying arm trustzone: A comprehensive survey. ACM Comput Surv (CSUR) 51(6):1\u201336","journal-title":"ACM Comput Surv (CSUR)"},{"key":"133_CR10","doi-asserted-by":"publisher","unstructured":"Ning Z, Zhang F (2019) Understanding the security of arm debugging features. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 602\u2013619. https:\/\/doi.org\/10.1109\/SP.2019.00061","DOI":"10.1109\/SP.2019.00061"},{"key":"133_CR11","unstructured":"Bicchierai L (2019) The prototype iPhones that hackers use to research Apple\u2019s most sensitive code. https:\/\/www.vice.com\/en\/article\/gyakgw\/the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days"},{"key":"133_CR12","unstructured":"https:\/\/github.com\/ARM-software\/CSAL. (Date last Access 2 Dec 2022)"},{"key":"133_CR13","unstructured":"ARM. Embedded Trace Macrocell Architecture Specification. https:\/\/developer.arm.com\/documentation\/ihi0014\/q\/preface\/Additional-reading\/The-ETM-documentation-suite. (Date last Access 14 July 2022)"},{"key":"133_CR14","unstructured":"Wikipedia: MurmurHash (2022)\u00a0https:\/\/en.wikipedia.org\/wiki\/MurmurHash"},{"key":"133_CR15","unstructured":"Google. Google Pixel 7 Tech Specs. https:\/\/store.google.com\/us\/product\/pixel_7_specs?hl=en-GB. (Date last Access 1 July 2022)"},{"issue":"8","key":"133_CR16","first-page":"398","volume":"11","author":"S-G Yoo","year":"2012","unstructured":"Yoo S-G, Park K-Y, Kim J (2012) Software architecture of jtag security system. WSEAS Transactions on Systems 11(8):398\u2013408","journal-title":"WSEAS Transactions on Systems"},{"key":"133_CR17","unstructured":"Fedewa J (2018) Huawei will stop providing bootloader unlocking for all new devices. https:\/\/www.xda-developers.com\/huawei-stop-providing-bootloader-unlock-codes\/"},{"key":"133_CR18","doi-asserted-by":"crossref","unstructured":"Costin A, Zarras A, Francillon A (2016) Automated dynamic firmware analysis at scale: a case study on embedded web interfaces. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 437\u2013448","DOI":"10.1145\/2897845.2897900"},{"key":"133_CR19","unstructured":"Talebi SMS, Tavakoli H, Zhang H, Zhang Z, Sani AA, Qian Z (2018) Charm: Facilitating dynamic analysis of device drivers of mobile systems. In: USENIX Security Symposium, pp. 291\u2013307"},{"key":"133_CR20","unstructured":"Linaro (2018) Pseudo Trusted Applications. https:\/\/optee.readthedocs.io\/en\/latest\/architecture\/trusted_applications.html#pseudo-trusted-applications. (Date last Access 10 Oct 2022)"},{"key":"133_CR21","unstructured":"Feng B, Mera A, Lu L (2020) P2im: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling. In: Proceedings of the 29th USENIX Conference on Security Symposium, pp. 1237\u20131254"},{"key":"133_CR22","unstructured":"Gustafson E (2019) Toward the analysis of embedded firmware through automated re-hosting. In: 22nd International Symposium on Research in Attacks, Intrusions and Defenses"}],"container-title":["Journal of Hardware and Systems Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s41635-023-00133-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s41635-023-00133-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s41635-023-00133-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,23]],"date-time":"2023-11-23T06:15:56Z","timestamp":1700720156000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s41635-023-00133-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,15]]},"references-count":22,"journal-issue":{"issue":"2-3","published-print":{"date-parts":[[2023,9]]}},"alternative-id":["133"],"URL":"https:\/\/doi.org\/10.1007\/s41635-023-00133-3","relation":{},"ISSN":["2509-3428","2509-3436"],"issn-type":[{"value":"2509-3428","type":"print"},{"value":"2509-3436","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,6,15]]},"assertion":[{"value":"31 January 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 May 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"15 June 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Statements and Declarations"}},{"value":"U.S. Department of Energy award number DE-SC0018430","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Funding"}},{"value":"There are no competing interests.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing Interests"}},{"value":"H.S, M.H., S.N, Y.L., and D.S wrote the main manuscript text. H.S and S.N prepared the figures. All authors reviews the manuscript.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Author Contributions"}},{"value":"Data and materials are available upon request.","order":5,"name":"Ethics","group":{"name":"EthicsHeading","label":"Data Availability"}},{"value":"Not applicable.","order":6,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical Approval"}}]}}