Launching feedback-driven fuzzing on TrustZone TEE — ZeroNights 2019

ARM TrustZone is now utilized in all modern ARM-driven smartphones. This technology provides hardware isolation for secure processing of sensitive data. The idea of the technology is to divide the digital world into two: the Normal World and the Secure World. While the Normal World is usually a traditional Android or Linux with all its userspace and kernelspace, the Secure World is something mythical, not widely known and often without any publicly accessible documentation or source code.

Even the Android kernel doesn’t have access to the data processed in TrustZone. And beyond this sensitive data, a breach of TrustZone can lead to other remarkable things, like compromising the Root of Trust and achieving rootkit persistence.

We will focus on getting into TrustZone from Android userspace on smartphones of the Samsung Galaxy series and their Trustonic implementation of the Trusted Execution Environment (TEE). Trusted applications, or trustlets, executed there are one of the windows into the TEE, and they turned out to expose a vast attack surface. While they are custom-format binaries designed to run in a special environment, it is still possible to run AFL on them. We will show you our approach to automatically discovering vulnerabilities in Trustonic trustlets using a technique that has already proven itself: feedback-driven fuzzing.

Andrey Akimov


Security researcher from Russia. Likes new technologies and the cunning tricks that can be done with them. Focuses mostly on security analysis of binaries and has dived into different CPU architectures, operating systems and technology stacks, looking for general ways and universal approaches to exploring them and hunting for bugs in them.