Dartmouth College

Dartmouth Digital Commons
Computer Science Technical Reports

Computer Science

5-25-2017

A Survey of Trustworthy Computing on Mobile & Wearable
Systems
Travis Peters
Dartmouth College

Follow this and additional works at: https://digitalcommons.dartmouth.edu/cs_tr
Part of the Computer Sciences Commons

Dartmouth Digital Commons Citation
Peters, Travis, "A Survey of Trustworthy Computing on Mobile & Wearable Systems" (2017). Computer
Science Technical Report TR2017-823. https://digitalcommons.dartmouth.edu/cs_tr/373

This Technical Report is brought to you for free and open access by the Computer Science at Dartmouth Digital
Commons. It has been accepted for inclusion in Computer Science Technical Reports by an authorized
administrator of Dartmouth Digital Commons. For more information, please contact
dartmouthdigitalcommons@groups.dartmouth.edu.

A Survey of Trustworthy Computing on
Mobile & Wearable Systems
Travis Peters
Dartmouth Computer Science Technical Report TR2017-823
May 25, 2017

ABSTRACT
Mobile and wearable systems have generated unprecedented interest in recent years, particularly in the domain of mobile health
(mHealth) where carried or worn devices are used to collect healthrelated information about the observed person. Much of the information – whether physiological, behavioral, or social – collected
by mHealth systems is sensitive and highly personal; it follows
that mHealth systems should, at the very least, be deployed with
mechanisms suitable for ensuring confidentiality of the data it collects. Additional properties – such as integrity of the data, source
authentication of data, and data freshness – are also desirable to
address other security, privacy, and safety issues.
Developing systems that are robust against capable adversaries
(including physical attacks) is, and has been, an active area of research. While techniques for protecting systems that handle sensitive data are well-known today, many of the solutions in use today
are not well suited for mobile and wearable systems, which are
typically limited with respect to power, memory, computation, and
other capabilities.
In this paper we look at prior research on developing trustworthy
mobile and wearable systems. To survey this topic we begin by
discussing solutions for securing computing systems that are not
subject to the type of strict constraints associated with mobile and
wearable systems. Next, we present other efforts to design and
implement trustworthy mobile and wearable systems. We end with
a discussion of future directions.

1

INTRODUCTION

As personal devices, mobile and wearable devices often handle data
that is valuable to the user of the device; this data is potentially
sensitive. As a result, many solutions have been proposed to protect
systems from compromise and to ensure the protection of user
data handled by the device. To provide meaningful protection, it
is necessary to understand users’ requirements for data protection
on these mobile devices [13]. More specifically, it is necessary to
look at types of data that users want to protect, understand current
users’ practices for protecting data, and understand how security
requirements vary for different data types.
Passwords, location data, personal messages (e.g., SMS) and documents (e.g., emails), photos and videos, audio recordings, and health
data may all be sensitive information. For example, password-based
logins play an increasingly important role on user systems. We
use passwords to authenticate ourselves to countless applications
and services. For help and convenience, users turn to applications
such as one-time password (OTP) generators, password managers,
and two-factor authentication services. Many of these applications
can be found on mobile systems today. The problem is that these

applications cannot guarantee the confidentiality of passwords, authentication tokens or seeds when the mobile OS is compromised.
Fortunately, there exist some trusted computing technologies today
that can address some of these problems. TrustOTP [17] is a secure
one-time password (OTP) solution for mobile devices that leverages
ARM TrustZone security features to protect the confidentiality of
the OTPs against a malicious mobile OS. Also, TrustLogin [21] is a
solution for Intel platforms that uses System Management Mode to
protect user login credentials from malware (e.g., keyloggers) even
when the OS is compromised. These are useful but highly specific
instances of trusted computing technologies put to use to protect
user data. In this paper we identify past and present technologies
that can be used to protect user data in light of growing concerns
around security and privacy.
Isolating code execution is one of the fundamental approaches
to achieving security; past work has surveyed solutions towards
this end [22]. OS-based and Virtual Machine-based isolation have
dependencies on operating systems and hypervisors that may have
large Trusted Computing Bases (TCB); e.g., the Xen hypervisor
has 532K lines of source code. Also, OS-based and VM-based isolation do not address hypervisor or firmware (e.g., BIOS) rootkits.
Generally speaking, recent trends suggest that excluding large,
error-prone software such as a hypervisor and the OS from the
TCB, is an effective way to make system exploitations more difficult for adversaries, effectively requiring higher privilege levels to
compromise the system. In this paper we focus attention on trusted
computing technologies that provide isolated code execution but do
so by relying on hardware assistance, as these solutions generally
exclude these error-prone hypervisors and operating systems from
the TCB.
Regardless of the security mechanism, we observe that any
trusted-computing solution needs to meet the following non-security
requirements: the system should (1) perform well – especially with
respect to mobile and wearable devices – in terms of energy usage, usability, latency, and computation; and the solution should (2)
work with popular operating systems that are in use by the majority
of mobile device users (e.g., iOS, Android). Failure to meet either of
these requirements will likely mean that the technology will not
be used by most people, thus defeating the purpose of designing a
technology to protect their data.
In the remainder of this paper, we present relevant background in
computer architecture, trusted computing, and the general threats
that are considered in trusted computing; we then provide a summary of past and current developments in trustworthy computing
technologies for unconstrained systems—it is our belief that a proper
understanding of past works, even if they are not directly applicable
to constrained systems, is important for informing designs for more
constrained execution environments such as smartphones, tablets,

and other IoT devices; next, we provide a summary of past and
current developments in trustworthy computing technologies for
the constrained systems in which we are primarily interested; and
last, we conclude by discussing some open problems or problems
for which there are only limited solutions.

2

BACKGROUND

In this section we provide background information on computer
architecture and terminology used in this paper. We also review
concepts from trusted computing as well as attacker and threat
models relevant to the motivation for this paper.

2.1

Computer architecture background

In this paper we use nomenclature that is common in computer architecture, though a deep knowledge in this area is not required for
the level at which we discuss trusted-computing solutions. While
our interest is primarily in mobile-computing architectures, many
concepts from desktop computing platforms carry over; mobile
platforms, however, have less physical space for hardware components and a much more limited energy budget. As a result, mobile
and wearable platforms often include a subset of the hardware of
traditional computing platforms or they use miniaturized designs
that are more suitable for mobile and wearable platforms.
We acknowledge that many computer architecture terms are
used interchangeably or ambiguously which, more often than not,
leads to confusion. To this end, we include Figure 1 which illustrates
the major components of a computer. In the most basic sense, a
computer can be viewed as a device consisting of three fundamental
pieces: processors to interpret and execute instructions (Figure 1,
top right), different types of storage (fast/slow) to store data and
instructions (Figure 1, upper and lower left), and I/O modules for
transferring data to and from the outside world (Figure 1, lower
right), all connected via various buses. Furthermore, we define terms
that we use throughout this paper below. Figure 1 and the provided
definitions should provide a sufficient mental model of relevant
architectural components and relationships between components,
with the understanding that modern designs combine various components into fewer dies and/or packages (defined in Section 2.1.1)
for reasons described below.
2.1.1 Foundations. If we use the CPU as an example, the term
die refers to a single, continuous piece of semiconductor material
(usually silicon) that contains the transistors that make up the CPU.
The CPU is an example of an integrated circuit (IC), where an
IC in general is nothing more than a set of electronic circuits on
(integrated onto) a single chip. For our purposes, the words “chip"
and “die" can be used interchangeably.
The term package refers to the smallest physical parts sold to
consumers. The package contains one or more dies, is made up of
plastic or ceramic housing for the dies, and has gold-plated contacts
on its exterior that match those on a motherboard. The package is
the actual unit that is plugged into a CPU socket on a motherboard.
In the literature we review below we have noticed that the terms
“die" and “chip" are used interchangeably; similarly, “chip" and "package" are used interchangeably. This is unfortunate since the terms
“die" and “package" are not used interchangeably, leading to ambiguity when using the term “chip" in writing. It is usually possible

Figure 1: Traditional multi-chip computer architecture. The
block labeled “CPU" depicts the CPU package which contains the processor cores. The CPU is physically connected
to the other system components via buses which carry data;
the actual interactions between the CPU and the rest of the
system are handled by the northbridge and the southbridge.
The northbridge (as rendered here) is an IC dedicated to
managing the CPU’s access to high-speed devices (e.g., RAM,
video and network cards), whereas the southbridge is an IC
that exists to manage the CPU’s access to lower-speed devices (e.g., hard drives, human interface devices such as keyboards and mice) – the southbridge indirectly interacts with
the CPU via the northbridge. Here, the CPU, northbridge,
southbridge, RAM, and so forth, exist as separate chips that
are all connected and work together to make up what we
know as a modern computer. Figure from a description of a
multi-chip system in response to a post on StackExchange
(“What is a single-chip microcomputer?") [15].

to determine what an author means given more context around
how they use the above mentioned terms. Thus, the context of use
will determine the meaning of the term.
Note that none of these terms are exclusive to CPUs; dies, chips,
and packages are meaningful terms with respect to the composition
of other computer components as well.
2.1.2 Processors. Recent developments in computer architecture can especially lead to confusion concerning terms such as
“CPU," “processor," “cores," “microprocessor," and “multi-core processor." We use the following definitions.
A central processing unit (CPU) is the electronic circuitry
within a computer that carries out the instructions of a computer
program by performing the basic arithmetic, logical, control, and
input/output (I/O) operations specified by some instruction; in the
2

most basic sense, a CPU is a processor, capable of performing a
single task or running a single program at one time. Most modern
CPUs are microprocessors, meaning they are contained on a single
integrated circuit (IC) chip.
Over the past couple of decades, CPU designs have changed in
order to achieve better performance, lower power consumption, and
so forth. Among those changes we’ve seen cache memory added to
the CPU to improve execution speeds. Further, the parts of the CPU
responsible for executing instructions were duplicated; components
such as ALUs, fetch and decode hardware, the instruction pipeline,
and cache memory were combined into what we now call cores.
Thus, CPUs in general can be thought of as being made up of
one or more cores. Since the terms “CPU" and “processor" can
be used interchangeably, a CPU with more than one core has led
to the nomenclature multi-core processor. Since the advent of
multi-core technology, such as dual-cores and quad-cores, the term
processor has become context-sensitive, and is largely ambiguous
when describing multi-core systems. A processor could describe
either a single execution core (i.e., a single core within CPU) or a
single physical multi-core chip (i.e., a CPU with multiple cores).
The context of use will determine the meaning of the term.
2.1.3 Integrated Circuit (IC) designs. The term chipset broadly
refers to any group of ICs that are designed to work together, and
are usually marketed as a single product. This can lead to confusion, however, since the term chipset is most often used to refer to
a specific pair of chips on the motherboard: the northbridge and
the southbridge. It is increasingly common in modern systems for
the northbridge, which links the CPU to high-speed devices such
as RAM, graphics, and network controllers, to be integrated into
the main processor’s die (i.e., the northbridge physically resides
within the same chip as the CPU). There is also a southbridge,
which is generally responsible for managing access to lower-speed
peripherals, 1 which may or may not be integrated into the processor package as well. In many modern chipsets, the southbridge
contains integrated peripherals such as Ethernet, USB, and audio
devices.
Variations in design are most often simply a reorganization of
components in a multi-chip computer with several advantages. For
instance, by integrating the memory controller that resides within
the northbridge in a multi-chip architecture, the physical distance
between the CPU and the memory controller is decreased, making
memory access faster. Furthermore, if reasonable measures are
made by the CPU manufacturer to protect the physical package
in which the CPU resides, then any other components integrated
into that package also benefit from increased security because their
connections are hidden inside the package.
A System-on-Chip (SoC) is a design where all of the system
components are packed into a single silicon chip. Along with a
CPU, an SoC usually contains a graphics processor, memory and
memory controller, USB controller, power management circuits,
and wireless radios (e.g., Wi-Fi, 3G, 4G LTE). This integration is
performed in a single manufacturing process; the die is then put
into a package. Whereas a CPU cannot function without dozens
of other chips, it’s possible to build complete computers with just
1 Most peripherals are “lower-speed peripherals" when compared to the speeds at
which, for example, memory access happens.

a single SoC. SoCs – which are common in mobile and wearable
devices – are generally lower cost, lower energy, and have huge
potential for improving security relative to multi-package designs.
A System-in-Package (SiP) is a further level of integration
where multiple dies are integrated inside a single package. The
system components (subsystems) are individual dies and they can
be manufactured independently. They are assembled inside a single
package by various techniques, e.g., vertical stacking or horizontal stacking. The SiP approach helps surpass the limits of the SoC
designs. Benefits to SiP include user intellectual property (IP) integration, IP reuse, low design risk, reduced process complexity,
low developmental cost, and shorter time-to-market. In short, SiP
brings together ICs including SoCs and discrete components using
lateral or vertical integration technologies.
2.1.4 Software privilege levels. Commodity CPUs implement
several mechanisms to protect data and functionality from faults
and malicious behavior; one mechanism of particular interest to
us in this paper is software privilege levels. Commodity CPUs run
software at different privilege levels. Each privilege level is strictly
more powerful than the ones below it, so a piece of software can
freely read and modify the code and data running at less privileged
levels. Therefore, a software module can be compromised by any
piece of software running at a higher privilege level. It follows that
a software module implicitly trusts all the software running at more
privileged levels, and a system’s security analysis must take into
account the software at all privilege levels.
In practice these sorts of hierarchical privilege levels are often
called protection rings (or simply rings), and they exist as mechanisms to protect data and functionality from faults and malicious
behavior. A protection ring is one of two or more hierarchical levels
or layers of privilege within the architecture of a computer system.
This is generally hardware-enforced by some CPU architectures
that provide different CPU modes at the hardware or microcode
level. Rings are arranged in a hierarchy from most privileged (most
trusted, usually numbered zero or with a negative number) to least
privileged (least trusted, usually with the highest ring number, e.g.,
3). On most operating systems, ring 0 is the level with the most
privileges and interacts most directly with the physical hardware
such as the CPU and memory. Programs such as web browsers
running in higher numbered rings – usually ring 3 – and must request access to system resources such as the network – a resource
restricted to lower-numbered rings.

2.2

Trusted Computing

Trusted Computing is by no means a new concept. “In the security
engineering subspecialty of computer science, a trusted system
is a system that is relied upon to a specified extent to enforce a
specified security policy. As such, a trusted system is one whose
failure may break a specified security policy" [20].
Some Trusted Computing designs (Figure 2) aim to enforce security policies by leveraging trusted hardware. The trusted hardware
establishes a secure container, and a local or remote computation
service can provision desirable computation and data into the secure
container. The trusted hardware protects the data’s confidentiality
and integrity while the computation is being performed.
3

(SP2) Secure Storage provides secrecy, integrity, and freshness
Platform
of a software module’s dataTrusted
at rest.
AK: Attestation Key
Trusted Hardware
(SP3) Local & Remote Attestation allows local and remote parEndorsement Certificate
Data Owner’s Computer
ties to verify that a particular
message originated from a
Untrusted Software
Secure Container
particular process – an attestation
based on factors such
Secure Container
Computation
Initial State code itself.
as
a
measurement
of
the
application
A
Dispatcher
Public Code + Data
Key exchange: A, g
Setup
Public Loader
is a mechanism to send data to a
(SP4) Secure Provisioning
gA
Computation
A
exchange:
B, g
Setup
specific process from a trustedKeyparty,
running
on a specific
Private Code
Receive
B
A B
Shared key: K = gAB
g
,
Sign
(g
,
g
,
M)
device, while protecting
the data’s secrecy and integrity.
AK
Encrypted
Verification
Private Data
Results
M = Hash(Initial State)
The trusted
party that provisions the data can be a remote
Shared key: K = gAB
Enc
(secret code/data)
party
(e.g.,
aKcontent
provider that uses secure provisioning
Builds
Secret Code + Data
3 scheme)
Owns
to
construct
a
DRM
or a local party (e.g., an
Manages
Authors
Trusts
Computation Results
application that
secure
provisioning
to migrate secrets
Encuses
(results)
K
Computation Results
Trusts
to an updated version of the application).
(SP5) Trusted Inter-process Communication (IPC) protects
Infrastructure
Software
Data Owner
Manufacturer
Figure 3: Software
attestation
proves and
to a availability
remote computer
that
authenticity,
secrecy,
of communication
Owner
Provider
it is communicating
withtrusted
a specific
secure container hosted by a
between
processes.
Trusts
trusted platform. The proof is an attestation signature produced
(SP6) Trusted Path protects authenticity, secrecy, and availabilby the platform’s secret attestation key. The signature covers the
Figure 2: Trusted computing. The user trusts the manufacturer of a
ity state,
of communication
between a trusted process and a
Figure 2: “Trusted Computing. The user trusts the manu- container’s initial
a challenge nonce produced by the remote
piece of hardware in the remote computer, and entrusts her data to a
peripheral
(e.g.,
keyboard,
touch screen, or health device).
facturer
of a piece of hardware in the remote computer, and computer, and a message produced by the container.
secure container hosted by the secure hardware.
entrusts her data to a secure container hosted by the secure
TEE technology promises to make it difficult to access code and
hardware."
FigureBase
and(TCB)
quote from
SGXusing
Explained
[2].
SGXdata
1 and
properties,
the reader
shouldeven
be in light of
thatits
is security
being executed
and stored
in a system,
Computing
for theIntel
system
hardware
capable
adversaries
who
have
control
over
all
untrusted
software
well
equipped
to
face
Intel’s
reference
documentation
protection. The attestations produced by the original
components,
including
the
operating
system
and
hypervisor.
and
learn
about
the
changes
brought
by
SGX
2.
TPMComputing
design covered
all the
software
runningason
a comTrusted
is seeing
increasing
attention
a necessary
puter,
and
TXT
attestations
covered
the
code
inside
a
technology in future computing platforms, specifically for consumer
1.1 2.3
SGXThreats
Lightning&Tour
attacker model
VMX
[179]
virtual
machine.
In
SGX,
an
enclave
(secure
devices like PCs, laptops, tablets, smartphones, and IoT devices. In
We
provide
an
overview
of common
considered in
called adversaries
the Processor
container)
only
contains
the private
data and
in a privacy
computation,
light of
prominent
modern
computer
security
threats SGX sets aside a memory region,
trustworthy
computing
work;
these
adversaries
have
varying capaand the
codethat
thatcompromise
operates onoperating
it.
(including
rootkits
systems), researchers Reserved Memory (PRM, § 5.1). The CPU protects the
bilities
and
motivations.
In
this
discussion
we
attempt
and system
explored
mechanisms
to create
Fordevelopers
example, ahave
cloud
servicevarious
that performs
image
pro- PRM from all non-enclave memory accesses, including to capture
the general assumptions that are made in the trusted computing
a Trusted
Execution
Environment
(TEE)
that
makes
it
possible
cessing on confidential medical images could be imple- kernel, hypervisor and SMM (§ 2.3) accesses, and DMA
systems and designs, as well as identify general capabilities and
to isolate
a
security
sensitive
application
or
service
from
a
regular
accesses (§ 2.9.1) from peripherals.
mented by having users upload encrypted images. The
motivations of adversaries.
operating
Also,the
a critical
goalkeys
in securing
systems
is to
TheWe
PRM
holds
Enclavecode
Page
(EPC,
userssystem.
would send
encryption
to software
running
denote
staticthe
(machine)
and Cache
associated
data and metareduce the attack surface by trusting only the system components § 5.1.1), which
consists
of
4
KB
pages
that
store
enclave
inside an enclave. The enclave would contain the code
data as an application. The Trusted Computing Base (TCB) of
and code that are absolutely necessary to implement the system’s
codeanand
data. Theissystem
which(hardware
is untrusted,
for decrypting images, the image processing algorithm,
application
the setsoftware,
of components
and software)
intended functionality; this effort is often referred to minimizing
is inthat
charge
of
assigning
EPC
pages
to security
enclaves.
The over the
and
the
code
for
encrypting
the
results.
The
code
that
must
be
secured
to
assure
desired
properties
the Trusted Computing Base (TCB). Thus, we anticipate that TEE
CPUapplication.
tracks eachApplications
EPC page’sthat
state
the Enclave
Page to implereceiveswill
thebeuploaded
encrypted
images
storescommon
them
areindesigned
and believed
technologies
used in the
near future
as theyand
become
ment
a particular
function
for the user
(e.g., health
data repository),
Metadata
(EPCM,
§ 5.1.2),
to ensure
that each
would bechips
left outside
the enclave.
in commercial
and concerns
around data protection intensify, Cache
that
use a set
of trustworthy
hardware and software compoEPCand
page
belongs
to exactly
one enclave.
SGX-enabled
protects
and
and that An
these
technologies processor
will provide
securitythe
at integrity
an increasingly
nents
to protect
its computation
and data,
are referred
to as trusted
The
initial
code and
data in an enclave
is loaded
by unconfidentiality
of the computation
anthe
enclave
by
granular
level (e.g., application-specific
TEEsinside
such as
application
applications.
enclave
approach
in Intel’s
SGX).
trusted system software. During the loading stage (§ 5.3),
isolating
theused
enclave’s
code
and data from the outside
The works that we cover in the following sections of this paper
Although
the concepts
of trusted
computing
have and
beenhyperaround the system
software asks the CPU to copy data from unenvironment,
including
the operating
system
attempt to implement systems that provide the desired security
for some
time,
the
availability
of
this
technology
is
relatively
new
visor, and hardware devices attached to the system bus. protected memory (outside PRM) into EPC pages, and
properties (SP1) – (SP6), though none of the systems provide all of
and itAt
is only
recently
thatthe
application
developers
have
the tools to assigns
the pages to the enclave being setup (§ 5.1.2).
the same
time,
SGX model
remains
compatible
the desired properties today. In trusted computing, it is assumed
develop
applications
that leverage
power of
that
the initial
enclave
state is known
to the
with
the traditional
softwarethelayering
inhardware
the Intel security
archi- It follows
that
any
deployed
software
and hardware
in the TCB,
and any crypfeatures such as TEEs. A TEE is an environment with desirable
system
software.
tecture, where the OS kernel and hypervisor manage the
tographic
mechanisms
used,
are
secure
and
implemented
correctly.
security properties (SP) where code can be executed and data can be
computer’s resources.
After
all
the
enclave’s
pages
are
loaded
into
EPC,
the
With
respect
to
platforms
and
the
sensitive
data
they
store
and
stored. Specifically, a TEE should provide the following properties,
This
work
discusses
the
original
version
of
SGX,
also
system
software
asks
the
CPU
to
mark
the
enclave
as
process,
it
is
generally
the
goal
of
an
adversary
to
compromise
appli2
even in the presence of compromised system software; we adapt
cations (§
running
on which
a platform
that
are not owned
by the adversary;
referred tothem
as SGX
1.according
While SGX
2 brings
very provided
useful
initialized
5.3), at
point
application
software
and summarize
below
to the
definitions
here,
to
compromise
applications
means
to
obtain
improvements
for enclave authors, it is a small incre- can run the code inside the enclave. After an enclave unauthorized
is
by Vasudevan
et al. [19].
access to their code or data, or to affect the underlying trusted
mental
improvement,
a design
and and
implementation
(SP1)
Isolated
Executionfrom
provides
secrecy
integrity of a initialized, the loading method described above is disstandpoint.
Afterand
understanding
the principles behind
abled.
process’s code
data.
Data Owner’s
Computer

2 While

Remote Computer

the list is largely a summary of the original list, we add local attestation (SP3)2
and secure IPC (SP5) to the list presented by Vasudevan et al. [19].

3 Digital

Rights Management (DRM) schemes are access-control technologies that
can be used to restrict access to copyrighted works such as software and multimedia
content.

4

components of the platform in such a way that violates the desired functional and security properties. To this end, it is generally
assumed that the adversary has full control over the (untrusted)
OS and other software running on the platform. In addition, it is
not unreasonable to assume that the adversary also controls all
communication with the platform and can eavesdrop, manipulate
and intercept any network links or I/O channels.
The physical security of platforms often arises as a topic of interest in trustworthy computing. In trusted computing it is generally
assumed that the high levels of integration achievable with modern
IC fabrication processes render chip-level invasive attacks such
as tampering, on-chip bus probing, extracting keys from on-chip
memory, or fault injection out of scope for economically motivated
attackers and that mitigations are in place against side-channel
leakage through power, electromagnetic emissions or timing behavior.
When we discuss trusted computing solutions and their weaknesses or limitations it is useful to have a specific adversary and her
respective capabilities in mind. For this we adapt a list of progressively capable adversaries (AD) from Mirzamohammadi et al. [12]:
(AD1) The first attacker can only use the application API in the
operating system, e.g., the Android API. This attacker can
run native code but without root privileges.
(AD2) The second attacker runs native code with root privileges
in user space, but cannot run code with kernel privileges
or secretly modify the system image (for future boots).
(AD3) The third attacker leverages some vulnerabilities of the
kernel to compromise it and hence can run code with kernel
privileges.
(AD4) The fourth attacker is a more advanced version of the third
attacker that, after compromising the kernel, leverages
some vulnerabilities of the hypervisor to compromise it
and hence can run code with hypervisor privileges.
(AD5) The fifth attacker is a root user in a system without any
sort of verified boot feature, which would allow him to
rewrite the kernel and hypervisor images (to be used after
a reboot).
(AD6) The sixth attacker has physical access to the device and
can manipulate the hardware. This attacker is assumed to
have the necessary knowledge and capabilities to carry out
chip-level invasive attacks such as tampering, on-chip bus
probing, extracting keys from on-chip memory, or fault
injection.
Trusted computing solutions are almost always resilient to (AD1)
and (AD2). Few solutions can protect against (AD6). Hence, the
trusted-computing solutions of greatest interest are those that can
protect against as many of (AD3) – (AD5) as possible.

3

TRUSTWORTHY COMPUTING ON
UNCONSTRAINED SYSTEMS

To best understand the state of trustworthy computing on constrained mobile and wearable systems, we first touch on solutions
that are relevant to computing systems that are less constrained –
such as those designed for PCs and servers. Of particular interest
are hardware-based solutions that offer security properties relevant
to our goals and the promise of being implemented as efficiently

as possible; specifically, we look at Hardware-assisted Isolated Execution Environments (HIEEs). HIEEs provide isolated execution,
sometimes referred to as a TEE, for code execution even on a compromised system. Note that while the terms HIEEs and TEEs are
sometimes used interchangeably, they are not the same in all cases;
a TEE can be enforced in software, and not all HIEEs are designed
for security.
In the remainder of this section we briefly describe relevant
projects and build atop an organization of these types of works
presented in an SoK paper on HIEEs [22], and an informative white
paper that reviews Intel’s SGX technology in great detail along
with other related work [2].

3.1

Legacy solutions

We begin by reviewing some of the earliest work in HIEEs.
3.1.1 System Management Mode (SMM). System Management
Mode (SMM) is a mode of execution similar to Real and Protected
modes available on x86 platforms. It provides a hardware-assisted
isolated execution environment for implementing platform-specific
system control functions such as power management. SMM is triggered by asserting the System Management Interrupt (SMI) pin on
the CPU. It is initialized by the Basic Input/Output System (BIOS).
The BIOS loads the SMI handler into SMRAM (dedicated RAM in
main memory for SMM) at boot time. The SMI handler has unrestricted access to the physical address space and can run privileged
instructions; for this reason, SMM is often referred to as ring -2
(pronounced “ring negative-two").
3.1.2 Dynamic Root of Trust for Measurements (DRTM). DTRM
is an alternate to Static Root of Trust Measurements, which allows
the root of trust measurement to be initialized at any point. DTRM
was introduced to the TPM v1.2 specification in 2005.
Two well-known implementations of DTRM are (a) Intel’s Trusted
eXecution Technology (TXT), which implements a trusted way to
load and execute system software (e.g., OS or VMM); and (b) AMD’s
Secure Virtual Machine (SecVM), which implements new CPU instructions to enter/exit a secure environment for code execution.
Intel’s TXT and AMD’s SecVM are similar and are both hardwareassisted isolated execution environments used for running securitysensitive tasks. The drawback to these solutions, however, is that
they introduce significant performance overhead due to the expensive CPU instructions (e.g., SENTER, SKINIT) that control the
transition between secure and non-secure environments.

3.2

Recent solutions

Next, we review popular developments from the last 10-15 years
that are still in use today.
3.2.1 Intel Management Engine (ME) & AMD Platform Security Processor (PSP). Intel ME and AMD PSP (and AMD System
Management Unit (SMU)) are similar solutions. This design consists of embedding a micro-computer (i.e., co-processor) into the
main processor. This coprocessor is commonly integrated into the
northbridge, which is commonly integrated into the main processor
package. This design creates a completely isolated environment for
code execution and data storage (i.e., a TEE). The ME, PSP, SMU
solutions are interesting since the embedded computer really is a
5

may contain state information about secure code, we must
prevent the running Rich OS and other secure code from
reading the memory of the suspended secure code. Instead
of using the heavy encryption/decryption mechanisms, we
use the hardware-assisted Watermark technique [13] on ARM
processors to dynamically protect the memory regions of the
suspended secure code.

secure apps on a small customized secure OS in the secure
domain. The isolation between two domains is enforced by
a secure monitor in the secure domain to ensure CPU state
isolation, memory isolation, and I/O device isolation. When
the system boots up, a secure boot ensures the integrity and
authenticity of the secure OS.

We implement a TrustICE prototype on Freescale i.MX53
QSB
and develop
two ICE
usage
instances
to demonstrate
the
computer
that contains
its own
dedicated
processor,
internal Static
usability
of TrustICE.
First,
we can
successfully
run(ROM),
a self-a
Random-Access
Memory
(SRAM),
Read-Only
Memory
contained
cryptographic
library
in one
ICE(DMA)
to provide
cryptography
engine, Direct
Memory
Access
engine,public
Hostkey
operations.
Second, we Interface
implement
a trusted
user
interface
Embedded
Communication
(HECI)
engine,
a timer,
and
containing
a touchscreen
driver
and a wireless
communication
other I/O devices.
With these
resources
the Intel ME,
for example,
driver
for users
to interact
with
theprocessor;
ICE. it has code and data
can execute
instructions
on its
own
caches
to reducewe
themake
number
accesses to
the internal in
SRAM;
In summary,
theoffollowing
contributions
this
it
uses
its
own
internal
SRAM
is
to
store
the
firmware
code
and
paper.
runtime data; it is capable of using its DMA and HECI engine to
access
memory
of the computer; and
it can runframework
Intel secu• the
Wemain
design
a TrustZone-based
isolation
rity applications
(e.g., Enhanced
Privacyisolated
Identification
[5], Identity
named TrustICE
to provide
computing
enviProtection
Technology
[6]). devices without using a hypervironments
on mobile
Bootsor.
code stored in internal ROM is used as the root of trust for
these embedded devices. The boot code loads and runs code from
• We enhance the system security. TrustICE can reduce
external flash memory (usually accessed over SPI); flash devices are
the attack surface of the secure domain and minimize
typically “locked" by Original Equipment Manufacturers (OEMs)
the system’s TCB by moving secure code from the
to prevent (malicious) modifications, but researchers have shown
secure domain to the normal domain. TrustICE’s TCB
that it is possible to modify this code. Thus, while this approach is
only includes a Boot ROM and a small trusted domain
common, it is not without flaws.

controller, which is protected by TrustZone in the
secure domain.

3.2.2 ARM TrustZone (TZ). The ARM TrustZone (TZ) technol• We can ensure the isolation of secure code in the
ogy [8] technically falls into the domain of “recent solutions;" Trustnormal domain. Since all secure code will be executed
Zone technology, however, is primarily aimed at ARM’s mobile
in the normal domain, we ensure that no matter
processors.
Please
to Section
forormore
information
whether
therefer
secure
code is4 below
running
suspended,
the
on TrustZone.
untrusted Rich OS cannot access or manipulate it.

•

3.3

We implement a TrustICE prototype on Freescale

i.MX53 solutions
QSB. The Rich OS is a customized Linux
Latest

2.6.35
Android
2.3.4. Computing
The experimental
results
To conclude
ourand
summary
of Trusted
on unconstrained
show
that
our
system
can
switch
from
the
Rich
systems we review promising efforts from the last few years. OS

to ICE in 10.6 ms, and switch back from ICE to the
Rich OS in 0.8 ms.

3.3.1 Intel Software Guard Extensions (SGX). Announced in
TheSGX
remainder
is organized
follows.access
Sec2013,
[11] is aofsetthe
of paper
CPU instructions
andasmemory
tion
II introduces
TrustZone
background.
III describes
mechanisms
added
to Intel Architecture
(IA)Section
processors.
These exthetensions
threat allow
modelanand
assumptions.
We present
the TrustICE
application
to instantiate
a protected
container
framework
in
Section
IV.
A
prototype
implementation
is
referred to as an enclave. An enclave could be used as a TEE, which
provides confidentiality and integrity even without trusting the
BIOS, firmware, hypervisors, or operating systems.
2
This solution is considered to be the “next generation of TXT"
and has aroused a lot of attention recently. Not everyone, however, is convinced that SGX is the future of trusted computing.
Costan et al. [2] examine SGX in great detail and identify many
potential concerns with the technology; in response, they propose
Sanctum [3].
3.3.2 Sanctum. Sanctum [3] offers the same promise as SGX,
namely strong provable isolation of software modules running concurrently and sharing resources, but protects against an important
class of additional software attacks that infer private information
from a program’s memory-access patterns. The authors of Sanctum
claim to “follow a principled approach to eliminating entire attack
surfaces through isolation, rather than plugging attack-specific privacy leaks" and that “strong software isolation is achievable with
a surprisingly small set of minimally invasive hardware changes,
and a very reasonable overhead."

Normal Domain

App

App

Secure Domain

App

Trusted
App

Rich OS

Trusted
App

Trusted
App

Secure OS

Secure Monitor

Secure Boot

TrustZone-enabled ARM processor

1: Traditional
TrustZone
Architecture
Figure 3:Fig.
TrustZone
architecture.
Figure
from TrustICE [18].

4

TRUSTWORTHY COMPUTING ON

A. CPU
State Isolation SYSTEMS
CONSTRAINED
The
work reviewed
in Section
3 is helpful
tryingstate
to understand
TrustZone
supports
two CPU
states, for
secure
and nonvarious
approaches
that
have
been
considered
when
trying
to resecure state, for the secure domain and the normal
domain,
alize
trustworthy
computing
on
platforms
with
few
limitations.
respectively. Two CPU states are separated through a set of
Keeping
approaches
mind,
now turn
attention
banked
CPthese
15 registers
thatin
could
bewe
assigned
twoour
values.
Each
to the
state ofof
trustworthy
computing
on constrained
mobile
and
state
consists
seven CPU
modes: User,
FIQ, IRQ,
Superviwearable
systems.
sor, Abort, Undefined, and System. All the modes, except the

User mode, are privileged modes. Mobile applications run in
4.1
the
UserARM
mode,TrustZone
and the OS kernel runs in the privileged modes.
Secure
andbynon-secure
states the
can ARM
be distinguished
bysecurity
setting
We begin
briefly discussing
TrustZone (TZ)
the
N S bit in[8].
the
which
technology
InSecure
the text Configuration
that follows we Register
introduce(SCR),
some technical
can
only be modified
in thethen
secure
state
[14]. TrustZone addsso-a
background
on TrustZone,
review
trustworthy-computing
new
privileged
Monitor
mode
that3only
runsa high-level
in the secure
state
lutions
built atop
TrustZone.
Figure
presents
overview
toofserve
as aTrustZone
gatekeeper
managing
switching
between
the
the ARM
architecture,
andthe
Figure
4 illustrates
an ARMtwo
states.
Both states
can call
a on
privileged
Secure Monitor
based
smartphone
SoC design
based
TrustZone.
CallTrustZone
(SMC) instruction
to feature
enter the
andexecuthen
is a hardware
thatMonitor
creates anmode
isolated
switch
to the othersimilar
state. toMoreover,
a hypervisor
called
tion environment,
other hardware
isolation mode
technologies.
HYP
mode
has beenprovides
integrated
in ARM
Cortex
processor
Namely,
TrustZone
security
extensions
forA15
hardware
comfamily
to
support
virtualization
of
non-secure
operations
[4],
ponents including the CPU, memory, and peripherals. The processor
[5].
on a TrustZone-enabled ARM platform has two security modes: the
“secure world" mode (i.e., a TEE) and “normal world" mode. Each
processor mode has its own memory access region and privilege.
Code running in normal world cannot access memory in secure
world, but secure world code can access normal world memory.
A secure bit (also known as the NS bit) in the Secure Configuration Register (SCR) is used to identify the secure/normal worlds; it
can only be modified in the secure world. An interface known as
the “Monitor Mode" (which technically resides in the secure world
domain) is the gate keeper between normal and secure worlds, managing transitions between the worlds. The normal world invokes a
Secure Monitor Call (SMC) to enter the monitor mode, which can
modify the NS bit to switch into the secure world.
In Figure 4, the red IP blocks are TrustZone-aware. The red
connections ignore the TrustZone secure bit in the bus address.
We now review trusted-computing solutions built atop TrustZone.
4.1.1 Sentry. Projects such as the Sentry [1] system are great
examples of interesting work that grows out of developers having
access to trustworthy computing technologies. Sentry is a system
6

ARM is an IP core provider, not a chip manufacturer.
Therefore, the mere presence of TrustZone IP blocks in a
system is not sufficient to determine whether the system
is secure under a specific threat model. Figure 58 illustrates a design for a smartphone System-on-Chip (SoC)
design that uses TrustZone IP blocks.
System-on-Chip Package

SRAM
Boot ROM

TZMA

Interrupt Controller

Processor
without
Secure
Extensions

Processor
with
Secure
Extensions

4G Modem
DMA
Controller

L2 Cache

AMBA AXI On-Chip Bus
L3 Cache
AMBA AXI Bus

Real-Time
Clock

OTP
Polyfuses

AXI to APB
Bridge

APB Bus

TZASC
Memory
Controller

Memory
Controller

Display
Controller

ADC / DAC

Keypad
Controller

DRAM

Flash

Display

Audio

Keypad

Figure
SmartphoneSoC
SoCdesign
designbased
based on
on TrustZone.
TrustZone. The
The
Figure 58:
4: Smartphone
red
IP
blocks
are
TrustZone-aware.
The
red
connections
ignore
red IP blocks are TrustZone-aware. Figure from Intel SGX
the
TrustZone
Explained
[2].secure bit in the bus address. Defining the system’s
security properties requires a complete understanding of all the red
elements in this figure.

that
protects against
DRAM
leveraging
storage
TrustZone
extends
the attacks
addressbylines
in theon-SoC
AMBA
AXI
mechanisms
originally
intended
for
realtime
predictable
perforsystem bus [17] with one signal that indicates whether
mance. Sentry can bootstrap additional secure storage by safely
an
access belongs to the secure or normal (non-secure)
encrypting regions of memory much larger than the capacity of
the ARM SoC. Sentry allows applications and OS components to
store their code and data on the System-on-Chip (SoC) rather than 52
in DRAM, thus enabling protections for applications and OS subsystems from memory attacks.
4.1.2 TrustICE. TrustICE [18] is a TrustZone-based isolation
framework that creates isolated computing environments (ICEs) in
the normal world. The authors of TrustICE anticipate that as more
secure code is designated to run in the secure world, the attack
surface of the secure domain will increase along with the size of
secure code, and it will be an arduous process to negotiate with
OEMs to get new secure code installed.
TrustICE securely isolates the secure code in an ICE from an
untrusted Rich OS in the normal domain. The TCB of TrustICE
remains small and unchanged regardless of the amount of secure
code being protected. Their prototype shows that the switching
time between an ICE and the Rich OS is less than 12 ms. Also,
TrustICE proposed the use of LEDs to protect against spoofing
attacks that “pretend" to switch between normal/secure world; i.e.,
LEDs are actuated in a meaningful way to indicate to the user that
the system has really switched from one world to the other.

4.2

Flicker

Flicker [10] is an infrastructure for executing security-sensitive
code in complete isolation while trusting as few as 250 lines of
additional code. Flicker can also provide meaningful, fine-grained
attestation of the code executed (as well as its inputs and outputs) to

can implement inter-process communication (IPC) between the software in the two worlds. Specifically, the
monitor can issue bus accesses using both secure and nonsecure addresses. In general, the secure world’s software
can compromise any level in the normal world’s software
stack. For example, the secure container’s software can
jump into arbitrary locations in the normal world by flipa remote
guarantees
properties
even if the
ping
a bitparty.
in aFlicker
register.
The these
untrusted
software
in BIOS,
the
OS
and
DMA-enabled
devices
are
all
malicious.
Flicker
leverages
normal world can only access the secure world via an
new commodity processors from AMD and Intel and does not
instruction
that jumps into a well-defined location inside
require a new OS or VMM. The authors of Flicker demonstrate a
the
monitor.
full implementation on an AMD platform.
Conceptually, each TrustZone CPU core provides separate
translation units for the secure and normal
4.3 address
TrustVisor
worlds.
This
by two page
table base
TrustVisor
[9] isisa implemented
special-purpose hypervisor
that provides
code
integrity asand
wellby
as data
integrity
and secrecy
for selected
registers,
having
the page
walker
use theportions
page
of an application. TrustVisor achieves a high level of security, first
table
base corresponding to the core’s current world. The
because it can protect sensitive code at a fine granularity, and second
physical
addresses
in code
the page
tablearound
entries6Karelines
extended
because it
has a small
base (only
of code),
towhich
include
theverification
values of the
secure
bit to becan
issued
on the
makes
feasible.
TrustVisor
also attest
the
existence
isolated
execution
external entity.
their work,
AXI
bus. of
The
secure
worldtoisan
protected
fromInuntrusted
the authors
TrustVisor
observe
lessforce
than the
7% overhead
on in
the
software
by of
having
the CPU
core
secure bit
legacy OS and its applications when protecting security-sensitive
the
address translation result to zero for normal world
code blocks.
address translations. As the secure container manages its
own
tables, its memory
accesses
cannot be directly
4.4 page
Self-Protecting
Modules
(SPM)
observed
by
the
untrusted
OS’s
page
fault
handler.
Strackx et al. propose self-protecting modules (SPM)
[16], a design
TrustZone-aware
hardware
modules,
such
caches,
for
a generic and lightweight
hardware
mechanism
thatascan
support
antrusted
efficient to
implementation
of isolation
subsystems
that
are
use the secure
addressfor
bitseveral
in each
bus access
share the same processor and memory space.
to enforce the isolation between worlds. For example,
TrustZone’s caches store the secure bit in the address
4.5 SMART
tag for each cache line, which effectively provides comThe Secure and Minimal Architecture for (Establishing a Dynamic)
pletely
different views of the memory space to the softRoot of Trust (SMART) [4] is an efficient (lightweight and low cost)
ware
running
in different
worlds.a This
design
assumes
and secure approach
for establishing
dynamic
root of
trust in a
remote embedded device. SMART is primarily intended for lowend micro-controller units (MCU) that lack specialized memory
management or protection features. The authors of SMART demonstrate that a simple measurement routine in ROM with exclusive
access to a protected secret key can provide remote attestation and
trusted execution. The implementation of SMART requires minimal changes to existing MCUs (while providing concrete security
guarantees) and imposes few limitations on adversarial capabilities when arguing for the quality of security provided by SMART.
Their work shows that SMART implementations require only a few
changes to memory bus access logic.

4.6

Sancus

Sancus [14] proposes additional CPU instructions that can be used
to set up trusted software modules at runtime. For this purpose, they
implement multiple memory-protection regions, each containing a
code and data section. An extended processor instruction set enables
dynamic measurement and loading of code into protected regions
to query the protection status of modules and request tokens for
authenticated communication between processes.

4.7

TrustLite

TrustLite [7] is a security architecture for flexible, hardware-enforced
isolation of software modules. The main contribution behind TrustLite
is an execution-aware memory protection unit with a secure exception handler that protects the state of “tasks." The developers
7

of TrustLite acknowledged that tiny devices cannot afford sophisticated hardware security mechanisms, and therefore new hardware protection mechanisms were (and are) needed to provide
the required resilience and dependency at low cost. This work is
particularly necessary as tiny devices are increasingly embedded
in complex control infrastructures, medical support systems, and
health and wellness consumer products; our dependency on these
tiny devices, as well as our willingness to allow them to collect
copious amounts of personal data, has made these devices a popular
target of attack. TrustLite includes mechanisms for secure exception
handling and communication between protected modules, enabling
seamless interoperability with untrusted operating systems and
tasks. TrustLite scales from providing a simple protected firmware
runtime to advanced functionality such as attestation and trusted
execution of user space tasks. The authors demonstrate their design
using an FPGA prototype playing the role of a low-cost embedded
system.

5

DISCUSSION

From the work that we survey in this paper we observe that solutions tend to follow one of two approaches: (1) isolation or (2)
re-engineering shared resources; we describe these categories –
and the challenges that are present in each approach – below. To
conclude our discussion, we also address open challenges.

5.1

Isolation

Generally speaking, isolation-based security achieves security through
(complete) physical separation from the application processor. This
sort of isolation is realized through the inclusion of a trusted coprocessor that executes security-sensitive tasks using its own dedicated resources such as SRAM and caches. The co-processor may
have access to a shared bus, allowing it to interact with software
running on the application processor. To ensure protection from
untrusted software, custom bus logic is implemented to prevent the
application processor from accessing privileged resources.
This approach seems to only be used in the context of the unconstrained trusted-computing solutions we describe in Section 3;
this may be due to the expensive4 cryptographic operations that
security-oriented co-processors perform; or it may be possible due
to the larger area available inside of processor packages to include
an additional secure co-processor.

5.2

Re-engineering shared resources

Security through re-engineering shared resources seems to be a
more frequently pursued approach to providing trustworthy computing on mobile and wearable devices, according to the work
we survey. This approach relies on hardware modifications that
can logically partition a system’s resources, allowing both trusted
and untrusted software to share processors, memory, and so forth.
This approach is desirable because it builds security features into
hardware that is common in mobile and wearable systems. Other
benefits include keeping manufacturing costs low, little reliance on
energy-consuming cryptographic operations to realize and enforce
security, and so forth.
4 Expensive

Drawbacks to this approach include the complexities of managing access of software in different security domains. For instance,
this approach may require at least the following considerations:
System Bus modifications. Memory accesses can be performed
from different security domains. Thus, the system bus address lines
may need to be extended – as has been done to the AMBA AXI
system bus for ARM TrustZone-based SoCs – to contain contextual
information about the security domain in which memory accesses
occur. For instance, in TrustZone-based systems, “the address in
each bus access executed by a core reflects the world in which the
core is currently executing" [2].
Secure boot scheme. The trustworthiness of the system is ultimately rooted in how the system boots. Initially, a system should
boot into the highest-privilege security domain so that it can load
and execute the boot code that measures, loads, and executes subsequent software (e.g., non-secure domain bootloaders, operating
systems). This secure boot scheme can be realized by having a
first-stage bootloader verify a signature in the second-stage bootloader against a public key whose cryptographic hash is burned
into on-chip One-Time Programmable (OTP) fuses; the first-stage
bootloader and the hash burned into the OTP fuses constitutes the
system’s root of trust.
Context switching between security domains. There should
exist some trusted component to handle how the system contextswitches between security domains. For instance, a solution should
implement a “monitor" that controls context switching between security domains; the monitor is all-powerful in these designs, having
access to resources across all security domains. The monitor can
also be used to implement secure IPC between the security domains
(e.g., between the normal world and secure world in TrustZone).
Instruction set modifications. Ideally untrusted software should
have a way to invoke the secure monitor so it can initiate secure
IPC or use some service provided by software running in a highersecurity domain (e.g., software and platform attestation). For this
purpose, new CPU instructions can be added that cause code running in less-secure domains to jump to (invoke) the monitor; this
prevents direct access to higher-security domains.
Introducing or modifying CPU instructions for the aforementioned reasons requires additional considerations. For instance, it
is important that each (logical) execution core maintains information about the security context in which it is executing, as well
as maintain separate address translation units (e.g., for the secure
and normal worlds). Furthermore, this can require, for example, extending physical addresses in page-table entries to include security
context information; in this case, one must protect the integrity
of page tables for different security domains. Regarding memory,
these designs must also consider implications for shared caches,
SRAM, DRAM, flash, etc., and their respective memory controllers.
Threat models. Mobile and wearable devices present unique
challenges with respect to threats. They are often carried or worn,
and are easily lost or stolen. They are often cheap, which means
they are likely to have little or no countermeasures for physical
attacks.
Generally, threat models in trusted-computing trust the processor package. Unconstrained systems can include tamper-resistant

in terms of processor cycles and energy consumption.

8

hardware and software, but these solutions are often too expensive
or bulky for mobile and wearable devices.

5.3

Open problems

Trusted computing for mobile and wearable systems is clearly on
the mind of many hardware vendors and security researchers. Even
with all of the existing work that has been done to date, however,
there remain open problems or at least areas where improvement
is greatly needed; we briefly discuss some of these below.
Trusted Switching Path. The HIEE-based systems we discuss
above generally assume attackers have ring 0, and maybe even
ring -1, privileges. Given that level of privilege, attackers can intercept the switching from the normal environment to TEE and
provide a fake switching process to deceive users. Or attackers
can perform a Denial of Service (DoS) attack against a system by
simply disabling the switching (since they have ring 0 privilege or
below). These attacks are challenging to overcome because trustedcomputing solutions are primarily concerned with ensuring the
desired security goals hold over sensitive user data even if the
system has been compromised.
Trusted I/O. TEE technology, especially in the form of HIEEbased TEE technology, provides hope that applications can perform
sensitive computations within a secure container that protects sensitive code and data. Unfortunately, ensuring that sensitive code and
data can be delivered to and from a secure container has proven to be
a more challenging problem. As in the rest of the trusted-computing
space, existing solutions are highly specific to a particular architecture, hypervisor, and/or operating system.
We believe the trusted computing community is in need of a
trusted I/O solution that can be broadly relevant, regardless of the
TEE solution that is used by some platform. In keeping with the
TEEs we review above, any solution claiming to provide trustworthy
I/O (i.e., a trusted path from peripherals to trusted software) should
ensure — at a minimum — the confidentiality and integrity of I/O
data even when running on a system in which the OS or hypervisor
has been compromised.
Trust rooted in manufacturers. One trust relationship that is
difficult to avoid is that of the user of a device trusting the hardware
vendor(s) of a device. Human user trust is inevitably rooted in
the hardware vendors; many hardware-based solutions are “black
boxes" and there is no way to verify the trustworthiness of their
implementations or manufacturing processes. For example, the Intel
ME is largely a mysterious black box that only the hardware vendor
really understands. The closed nature of some of these devices raise
questions about how to reliably evaluate the trustworthiness of
these (often mysterious) hardware security technologies.

6

By surveying legacy and current state-of-the-art trusted computing systems, we hope our summaries and observations provide
helpful insights into the design of future systems.

CONCLUSION

It is clear from the research and industry efforts reviewed in this
paper that realizing more trustworthy computing on mobile and
wearable systems is necessary but challenging. In this paper we
review the most relevant systems and architectures that have been
proposed as solutions for realizing more trustworthy computing
on mobile and wearable devices. We also discuss open challenges
and potential areas of future work.

REFERENCES
[1] Patrick Colp, Jiawen Zhang, James Gleeson, Sahil Suneja, Eyal de Lara, Himanshu
Raj, Stefan Saroiu, and Alec Wolman. Protecting data on smartphones and
tablets from memory attacks. In Proceedings of the International Conference
on Architectural Support for Programming Languages and Operating Systems
(ASPLOS), pages 177–189. ACM, March 2015. DOI 10.1145/2694344.2694380.
[2] Victor Costan and Srinivas Devadas. Intel SGX Explained. Cryptology ePrint
Archive, Report 2016/086, January 2016. Online at http://eprint.iacr.org/2016/086.
[3] Victor Costan, Ilia Lebedev, and Srinivas Devadas. Sanctum: Minimal hardware
extensions for strong software isolation. In Proceedings of the USENIX Security
Symposium, pages 857–874, August 2016. Online at https://www.usenix.org/
conference/usenixsecurity16/technical-sessions/presentation/costan.
[4] Karim Eldefrawy, Aurélien Francillon, Daniele Perito, and Gene Tsudik. SMART:
Secure and Minimal Architecture for (Establishing a Dynamic) Root of Trust. In
Proceedings of the Annual Network and Distributed System Security Symposium
(NDSS), pages 1–15, February 2012. Online at http://www.eurecom.fr/publication/
3536.
[5] Intel. Enhanced Privacy ID. https://software.intel.com/en-us/node/702985,
March 2017.
[6] Intel.
Identity Protection Technology.
http://www.intel.com/
content/www/us/en/architecture-and-technology/identity-protection/
identity-protection-technology-general.html, March 2017.
[7] Patrick Koeberl, Steffen Schulz, Ahmad R. Sadeghi, and Vijay Varadharajan.
TrustLite: A Security Architecture for Tiny Embedded Devices. In Proceedings of
the European Conference on Computer Systems (EuroSys), pages 1–14. ACM, April
2014. DOI 10.1145/2592798.2592824.
[8] ARM Limited. ARM Security Technology - Building a Secure System using
TrustZone Technology, 2009.
[9] Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil
Gligor, and Adrian Perrig. TrustVisor: Efficient TCB reduction and attestation.
In Proceedings of the IEEE Symposium on Security and Privacy, pages 143–158.
IEEE, May 2010. DOI 10.1109/sp.2010.17.
[10] Jonathan M. McCune, Bryan J. Parno, Adrian Perrig, Michael K. Reiter, and
Hiroshi Isozaki. Flicker: an execution infrastructure for TCB minimization.
SIGOPS Operating Systems Review, 42(4):315–328, April 2008. DOI 10.1145/
1352592.1352625.
[11] Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham
Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. Innovative instructions
and software model for isolated execution. In Proceedings of the International
Workshop on Hardware and Architectural Support for Security and Privacy (HASP).
ACM, June 2013. DOI 10.1145/2487726.2488368.
[12] Saeed Mirzamohammadi and Ardalan A. Sani. Viola: Trustworthy sensor notifications for enhanced privacy on mobile systems. In Proceedings of the International
Conference on Mobile Systems, Applications, and Services (MobiSys), pages 263–276.
ACM, June 2016. DOI 10.1145/2906388.2906391.
[13] Ildar Muslukhov, Yazan Boshmaf, Cynthia Kuo, Jonathan Lester, and Konstantin
Beznosov. Understanding users’ requirements for data protection in smartphones.
In IEEE International Conference on Data Engineering Workshops, pages 228–235.
IEEE, April 2012. DOI 10.1109/icdew.2012.83.
[14] Job Noorman, Pieter Agten, Wilfried Daniels, Raoul Strackx, Anthony V. Herrewege, Christophe Huygens, Bart Preneel, Ingrid Verbauwhede, and Frank
Piessens. Sancus: Low-cost trustworthy extensible networked devices with a
zero-software trusted computing base. In Proceedings of the USENIX Security
Symposium, pages 479–498, August 2013. Online at https://www.usenix.org/
conference/usenixsecurity13/technical-sessions/presentation/noorman.
[15] StackExchange. Multi-chip Architecture. https://i.stack.imgur.com/3HIfQ.png,
February 2017.
[16] Raoul Strackx, Frank Piessens, and Bart Preneel. Efficient isolation of trusted
subsystems in embedded systems. In Proceedings of the International Conference
on Security and Privacy in Communication Systems (SecureComm), pages 344–361.
Springer, 2010. DOI 10.1007/978-3-642-16161-2_20.
[17] He Sun, Kun Sun, Yuewu Wang, and Jiwu Jing. TrustOTP: Transforming smartphones into secure one-time password tokens. In Proceedings of the ACM SIGSAC
Conference on Computer and Communications Security (CCS), pages 976–988.
ACM, October 2015. DOI 10.1145/2810103.2813692.
[18] He Sun, Kun Sun, Yuewu Wang, Jiwu Jing, and Haining Wang. TrustICE:
Hardware-assisted isolated computing environments on mobile devices. In
Proceedings of the IEEE/IFIP International Conference on Dependable Systems and
Networks, pages 367–378. IEEE, June 2015. DOI 10.1109/dsn.2015.11.

9

[19] Amit Vasudevan, Emmanuel Owusu, Zongwei Zhou, James Newsome, and
Jonathan M. McCune. Trustworthy execution on mobile devices: What security properties can my mobile platform give me? In Trust and Trustworthy Computing, volume 7344 of LNCS, pages 159–178. Springer, 2012. DOI
10.1007/978-3-642-30921-2_10.
[20] Wikipedia. Trusted system. https://en.wikipedia.org/w/index.php?title=Trusted_
system, March 2017.
[21] Fengwei Zhang, Kevin Leach, Haining Wang, and Angelos Stavrou. TrustLogin:
Securing password-login on commodity operating systems. In Proceedings of the
ACM Symposium on Information, Computer and Communications Security (ASIA
CCS), pages 333–344. ACM, 2015. DOI 10.1145/2714576.2714614.
[22] Fengwei Zhang and Hongwei Zhang. SoK: A study of using hardware-assisted
isolated execution environments for security. In Proceedings of the International
Workshop on Hardware and Architectural Support for Security and Privacy (HASP).
ACM, June 2016. DOI 10.1145/2948618.2948621.

10

