German IT Security Award: Great Success for paluno Researchers

Every two years, the Horst Görtz Foundation awards a total of 200,000 euros to the best future-relevant innovations in IT security. Tobias Cloosters, Michael Rodler, and Prof. Lucas Davi won 3rd place (40,000 euros) for their innovative tool TeeRex, which facilitates the vulnerability analysis of Trusted Execution Environments (TEEs). The German IT Security Award is the most prestigious and highest endowed award of its kind in Germany.

TEEs are specially protected storage areas and, in principle, the ideal place for highly sensitive data or programs. Because their hardware is isolated from the rest of the system, TEEs can safely run programs on untrusted and even compromised, i.e. already hacked, machines. In the cloud sector, more and more providers are using this technology to allow customers to manage sensitive data securely. TEEs are also used on laptops and smartphones to protect data that is required, for example, for fingerprint sensors or contactless payment services such as Apple Pay.

First Automatic Vulnerability Analysis of TEEs

However, this protection does not hold if the programs executed within a TEE contain programming errors. To counteract this, Tobias Cloosters, Michael Rodler, and Prof. Lucas Davi from paluno, The Ruhr Institute for Software Technology at the University of Duisburg-Essen, have developed TeeRex, the first tool for automatic vulnerability analysis of TEE applications. TeeRex automatically scans TEE applications for security issues and helps developers correct errors in the code with warnings and programming hints.

Although TeeRex is currently still a prototype, the tool has already proven its effectiveness: in several public SGX enclaves – as Intel calls its TEEs – TeeRex has uncovered serious vulnerabilities, including vulnerabilities in software for fingerprint sensors used on Dell, Lenovo and HP laptops (see the news item of July 15, 2020: “Danger to sensitive data”). The manufacturers have now closed the gaps with the help of the security researchers from paluno. Further development of TeeRex is currently in full swing: the tool is intended to support automatic analyses of safety-critical software on embedded systems and emerging architectures such as RISC-V.

High Benefits for the Digital Society

The award ceremony of the 8th German IT Security Award of the Horst Görtz Foundation took place on February 11, 2021, following the Innovation Conference on Cyber Security, which was organized jointly by Bitkom, Fraunhofer SIT, ATHENE and the Digital Hub Cybersecurity. The decisive factors for the jury were the high utility and novelty value of TeeRex. The laudator, Prof. Michael Waidner, stressed that Tobias Cloosters and his colleagues address an important and almost overlooked problem of software security. Prof. Lucas Davi can confirm this: “Software security and the use of TEEs are increasingly becoming the focus of the industry. This makes it even more important that we build confidence in this technology, because every TEE stands or falls by the security of the software used in the TEE. Our TeeRex approach makes a critical contribution to enabling developers and security analysts to perform a security review quickly, automatically, and comprehensively.”

Contact

System Security (SYSSEC)

Tobias Cloosters
+49 201 18-37019

System Security (SYSSEC)

Prof. Dr. Lucas Davi
+49 201 18-36445

Press and Public Relations

Birgit Kremer
+49 201 18-34655