
A State-aware Fuzzing Method for Trusted Execution Environment Kernel

邱云飞 郭梦鋆 张强

信息安全研究 (Journal of Information Security Research), 2026, Vol. 12, Issue 3: 198-209, 12. DOI: 10.12379/j.issn.2096-1057.2026.03.01

邱云飞 1, 郭梦鋆 1, 张强 1

Author information

  • 1. School of Software, Liaoning Technical University (辽宁工程技术大学), Huludao, Liaoning 125100

Abstract

Trusted execution environment (TEE) is widely used, and its kernel security has become a significant area of focus. Fuzzing, a powerful technique for detecting vulnerabilities in operating systems, has increasingly been applied to the security analysis of TEEs. However, conventional fuzzing tools cannot be used directly on TEE kernels because of their isolation. Coverage-guided fuzzers often discard test cases that trigger new states but cover the same code, which limits their effectiveness in discovering vulnerabilities. To address these challenges, a state-aware fuzzing method tailored for TEE kernels is proposed. Initially, a modeling and tracing approach is developed to represent the program state through state-variable values and to retain the test cases that trigger new states, overcoming the limitations of coverage-guided fuzzers. Subsequently, we introduce a communication scheme to tackle the issues arising from TEE isolation. New seed retention and selection algorithms are proposed to better guide the fuzzer in exploring vulnerabilities. Finally, the N-Gram model is employed to enhance test case generation and optimize the framework's performance. A prototype, named Trusty-Statefuzz, has been implemented and evaluated on Fuchsia, the self-developed microkernel operating system Nebula, and OP-TEE. The evaluation results show that Trusty-Statefuzz is effective at detecting both new code and vulnerabilities. Trusty-Statefuzz discovers 9 unknown vulnerabilities and 23 known vulnerabilities. Additionally, it achieves 13% higher code coverage and 27% higher state coverage than the state-of-the-art fuzzer Syzkaller.

Keywords

fuzzing / trusted execution environment / program state / kernel / N-Gram model

Category

Information technology and security science

Cite this article

邱云飞, 郭梦鋆, 张强. A State-aware Fuzzing Method for Trusted Execution Environment Kernel [J]. 信息安全研究, 2026, 12(3): 198-209, 12.

Funding

Natural Science Foundation of Liaoning Province (2022-BS-330)

信息安全研究, ISSN 2096-1057
