DTA is a pluggable framework for OP-TEE TAs (Trusted Applications) that enables them to run outside the secure world. This allows for the rapid launch of TA fuzzing with state-of-the-art fuzzers during the development phase.
DTA is designed to run trusted user-land code outside the secure world. Its main targets are:
DTA is currently based on OP-TEE, an open-source reference implementation of TrustZone technology. To run our demo TAs, follow these instructions:
- Build the complete OP-TEE project deployed for QEMU v8. (For detailed instructions, check the OP-TEE documentation.)

```sh
mkdir optee && cd optee
repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml
repo sync
cd build
make toolchains && make run
```

- Move the demo TA source codes from `optee_examples/` to the same path in the OP-TEE project directory.
- Move the AFL++ buildroot package from `build/br-ext/package/` to the same path in the OP-TEE project directory.
- Add the following line to `build/common.mk`:

```make
# add this below BR2_PACKAGE_KEYUTILS ?= y (near line 314)
BR2_PACKAGE_AFLPLUSPLUS_EXT ?= y
```

- Append the following line to the bottom of `build/br-ext/Config.in`:

```
source "$BR2_EXTERNAL_OPTEE_PATH/package/aflplusplus_ext/Config.in"
```

- Make and boot the system:

```sh
make run CFG_CORE_ASLR=n CFG_TA_ASLR=n
```
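As an added example (not part of the DTA project), the POSIX shell helper below applies the two buildroot edits from the steps above (`build/common.mk` and `build/br-ext/Config.in`) to an OP-TEE tree idempotently, so a re-run never duplicates a line, and then verifies the result. It assumes the directory layout from the steps above and that `common.mk` already contains the `BR2_PACKAGE_KEYUTILS ?= y` line the edit anchors on.

```shell
#!/bin/sh
# Added example, not part of the DTA project: apply the two buildroot edits
# from the setup steps exactly once and verify them.
# Assumes the OP-TEE tree layout from the setup steps and that common.mk
# already contains the "BR2_PACKAGE_KEYUTILS ?= y" anchor line.

DTA_PKG_LINE='BR2_PACKAGE_AFLPLUSPLUS_EXT ?= y'
DTA_CFG_LINE='source "$BR2_EXTERNAL_OPTEE_PATH/package/aflplusplus_ext/Config.in"'

# dta_patch_build <optee_dir>: apply both edits, skipping any already present.
# Returns 1 if a file is missing, 2 if the KEYUTILS anchor line is absent.
dta_patch_build() {
    mk="$1/build/common.mk"
    cfg="$1/build/br-ext/Config.in"
    [ -f "$mk" ] && [ -f "$cfg" ] || return 1

    # common.mk: insert the package line directly below BR2_PACKAGE_KEYUTILS ?= y.
    if ! grep -qxF "$DTA_PKG_LINE" "$mk"; then
        grep -qxF 'BR2_PACKAGE_KEYUTILS ?= y' "$mk" || return 2
        awk -v add="$DTA_PKG_LINE" \
            '{ print } $0 == "BR2_PACKAGE_KEYUTILS ?= y" { print add }' \
            "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
    fi

    # Config.in: append the source line at the bottom if it is not there yet.
    grep -qxF "$DTA_CFG_LINE" "$cfg" || printf '%s\n' "$DTA_CFG_LINE" >> "$cfg"
}

# dta_check_build <optee_dir>: succeed only if each edit is present exactly
# once and the package line sits directly below the KEYUTILS line.
dta_check_build() {
    mk="$1/build/common.mk"
    cfg="$1/build/br-ext/Config.in"
    [ "$(grep -cxF "$DTA_PKG_LINE" "$mk")" = 1 ] || return 1
    [ "$(grep -cxF "$DTA_CFG_LINE" "$cfg")" = 1 ] || return 1
    awk -v add="$DTA_PKG_LINE" \
        'prev == "BR2_PACKAGE_KEYUTILS ?= y" && $0 == add { ok = 1 } { prev = $0 }
         END { exit !ok }' "$mk"
}

# Usage: dta_patch_build "$HOME/optee" && dta_check_build "$HOME/optee"
```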
Three demo TAs will be installed in `/usr/bin/`:

- `dta_test`, `dta_test2`: for testing secure world system calls.
- `test1`: for testing fuzzers. This TA panics when "abcd" is given as input.

All demo TAs require the `-d` argument to run outside the secure world. Without `-d`, they will act as normal TAs.
We use AFL++ Frida mode for the test fuzzer. The `afl-fuzz` binary is already in the `/root` directory, and we can fuzz the `test1` demo TA as follows:

```sh
mkdir in && echo aaaa > in/aaaa
./afl-fuzz -O -i in -o out -D -- test1 -d
```
If you want your TAs to run outside the secure world, you need to add our framework to your project and modify your project accordingly.

- Add files from our demo TA source code to your project.

| files | destination |
|---|---|
| `ditto.*`, `memory.*`, `setup.*`, `syscall.*` | `host/` |
| `ditto_ta.c`, `include/ditto_ta.h`, `func_extended.*` | `ta/` |

- Apply the necessary changes to your project code.
  - Host: Call `setup()` once on init, and use `ditto_invoke_command()` instead of `InvokeCommand()`. (check our `host/main.c`)
  - TA: Rename your entry point function to `__TA_InvokeCommandEntryPoint()`, and use ours as an alternative. (check our `ta/*_ta.c`)
- Add our framework codes to the makefiles.

`host/Makefile:9`

```make
OBJS = main.o setup.o ditto.o syscall.o memory.o
```

`ta/sub.mk:3`

```make
srcs-y += ditto_ta.c
srcs-y += func_extended.c
```

`CMakeLists:3`

```cmake
set (SRC host/main.c host/setup.c host/ditto.c host/syscall.c host/memory.c)
```

There are a few more subtle changes required for integration, such as adding `#include`s for our header files. Please also check our demo TA project codes, since they all originated from the official OP-TEE examples.
- TA initialization does not work.
  - We use `CFG_CORE_ASLR=n`, `CFG_TA_ASLR=n` to disable ASLR in the secure world. However, some environments may load TAs at a different address than the one we use. In that case, check the base address in the secure world console and manually change the value of `ta_code_addr` in `host/setup.c`.
- We use