Automated Detection of Cryptographic Inconsistencies in Android's Keymaster Implementations.

ACM SIGMOBILE International Conference on Mobile Systems, Applications, and Services (2024)

Abstract
Android smartphones use a dedicated component, Keymaster, to perform all their cryptographic, security-sensitive operations (e.g., storing cryptographic material and performing signing operations). While all Android Keymaster implementations need to expose a specific interface, their internals are hard to analyze, since their source code is generally not available. Moreover, Android Keymaster code normally runs in a Trusted Execution Environment (TEE), where typical debugging functionality is not available. For these reasons, Keymaster implementations cannot be analyzed using white-box or gray-box automated approaches. To address this issue, in this paper we design, implement, and evaluate AKF (Android Keymaster Fuzzer), a device-agnostic, differential, black-box fuzzer. AKF uses a dynamic grammar to test multiple Keymaster implementations in parallel, comparing their behavior to look for inconsistencies. AKF can operate on different Keymaster implementations at the same time, including Keymaster implementations running on different devices and in different TEEs (e.g., ARM TrustZone and Google's Titan-M). We evaluated AKF by running it on 6 different Android devices, where it correctly detected 87 implementation inconsistencies that are a cause for concern in terms of both the security and the usability of cryptographic operations, including a previously known encryption bug affecting the Titan-M chip (CVE-2019-9465).