Open-TEE - An Open Virtual Trusted Execution Environment
Hardware-based Trusted Execution Environments (TEEs) are widely deployed in
mobile devices. Yet their use has been limited primarily to applications
developed by the device vendors. Recent standardization of TEE interfaces by
GlobalPlatform (GP) promises to partially address this problem by enabling
GP-compliant trusted applications to run on TEEs from different vendors.
Nevertheless, ordinary developers wishing to develop trusted applications face
significant challenges. Access to hardware TEE interfaces is difficult to
obtain without support from vendors. Tools and software needed to develop and
debug trusted applications may be expensive or non-existent.
In this paper, we describe Open-TEE, a virtual, hardware-independent TEE
implemented in software. Open-TEE conforms to GP specifications. It allows
developers to develop and debug trusted applications with the same tools they
use for developing software in general. Once a trusted application is fully
debugged, it can be compiled for any actual hardware TEE. Through performance
measurements and a user study we demonstrate that Open-TEE is efficient and
easy to use. We have made Open-TEE freely available as open source.
Comment: Author's version of article to appear in 14th IEEE International
Conference on Trust, Security and Privacy in Computing and Communications,
TrustCom 2015, Helsinki, Finland, August 20-22, 201
Secure Cloud Storage with Client-Side Encryption Using a Trusted Execution Environment
As computer systems evolve, both the amount of sensitive data to be stored and
the number of threats to that data grow, making data confidentiality
increasingly important to computer users. With devices permanently connected
to the Internet, cloud data storage services have become practical and common,
allowing quick access to such data wherever the user is. That convenience
brings with it a concern: the confidentiality of data that is handed to third
parties for storage. In the home environment, disk encryption tools have gained
particular attention from users, being used on personal computers and offered
natively by some smartphone operating systems. The present work uses data
sealing, a feature provided by the Intel Software Guard Extensions (Intel SGX)
technology, for file encryption. A virtual file system is created in which
applications can store their data; the data are sealed under the security
guarantees provided by Intel SGX before being sent to a storage provider, so
even if the storage provider is compromised, the data remain confidential. To
validate the proposal, Cryptomator, a free client-side encryption tool for
cloud files, was integrated with an Intel SGX application (enclave) for data
sealing. The results show that the solution is feasible in terms of performance
and security, and can be expanded and refined for practical use and integration
with cloud synchronization services.
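Data sealing is the mechanism the abstract relies on: the enclave encrypts a file under a key that only the same enclave code on the same CPU can re-derive, so the storage provider holds ciphertext it cannot open. The Go program below is an added example, not the paper's code and not the Intel SGX SDK. It models sealing under the MRENCLAVE policy in software: a random per-platform secret stands in for the CPU-fused secret that the real EGETKEY instruction uses, SHA-256 of the enclave code stands in for MRENCLAVE, and the names Platform, Enclave, Seal, Unseal and Demo are this example's own. It then checks which parties can and cannot unseal one constructed sample file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Platform is one CPU; rootSecret is a hypothetical stand-in for the fused secret
// that real SGX hardware feeds into EGETKEY.
type Platform struct{ rootSecret []byte }

// Enclave is identified by its measurement (MRENCLAVE), modelled as SHA-256 of its code.
type Enclave struct {
	platform  *Platform
	mrenclave [32]byte
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func NewPlatform() *Platform { return &Platform{rootSecret: randBytes(32)} }

func (p *Platform) Load(code []byte) *Enclave {
	return &Enclave{platform: p, mrenclave: sha256.Sum256(code)}
}

// aead models EGETKEY under the MRENCLAVE sealing policy: the key is a PRF of
// the platform secret and the enclave measurement, so it changes if either the
// CPU or the enclave code changes. Real EGETKEY also mixes in CPUSVN/ISVSVN.
func (e *Enclave) aead() cipher.AEAD {
	m := hmac.New(sha256.New, e.platform.rootSecret)
	m.Write([]byte("SGX-SEAL-MODEL"))
	m.Write(e.mrenclave[:])
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte key (AES-256): cannot fail
	g, _ := cipher.NewGCM(block)          // AES block size is valid for GCM
	return g
}

// Seal returns nonce||ciphertext||tag, the only thing the virtual file system
// hands to the storage provider. The file name is bound as associated data so
// a sealed blob cannot be silently moved to another path.
func (e *Enclave) Seal(name string, plaintext []byte) []byte {
	g := e.aead()
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, []byte(name))
}

// Unseal fails with a GCM tag mismatch unless platform, enclave code and file
// name all match those used at Seal time.
func (e *Enclave) Unseal(name string, blob []byte) ([]byte, error) {
	g := e.aead()
	if len(blob) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(name))
}

// SealReport records what each party can do with one sealed file.
type SealReport struct {
	ProviderSeesPlaintext bool // expected false: provider holds ciphertext only
	SameEnclaveUnseals    bool // expected true
	OtherCodeUnseals      bool // expected false: different MRENCLAVE
	RenamedFileUnseals    bool // expected false: associated data mismatch
	OtherPlatformUnseals  bool // expected false: different platform secret
}

// Demo seals a constructed sample file and checks who can unseal it.
func Demo() SealReport {
	p1, p2 := NewPlatform(), NewPlatform()
	codeA, codeB := []byte("sealing-enclave v1"), []byte("other-enclave v1") // constructed
	encA := p1.Load(codeA)
	secret := []byte("constructed sample: vault master key material")
	blob := encA.Seal("notes.txt", secret)
	var r SealReport
	r.ProviderSeesPlaintext = bytes.Contains(blob, secret)
	pt, err := encA.Unseal("notes.txt", blob)
	r.SameEnclaveUnseals = err == nil && bytes.Equal(pt, secret)
	_, err = p1.Load(codeB).Unseal("notes.txt", blob)
	r.OtherCodeUnseals = err == nil
	_, err = encA.Unseal("renamed.txt", blob)
	r.RenamedFileUnseals = err == nil
	_, err = p2.Load(codeA).Unseal("notes.txt", blob)
	r.OtherPlatformUnseals = err == nil
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The last two checks in Demo are the practical caveat for this design: a blob sealed under the MRENCLAVE policy is unreadable on any other machine and after any change to the enclave code, so syncing sealed files between devices, or surviving an enclave update, needs an additional key-migration step on top of sealing. The abstract's planned integration with cloud synchronization services has to address exactly that.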
Mixed Fault Tolerance Protocols with Trusted Execution Environment
Blockchain systems are designed, built and operated in the presence of
failures. There are two dominant failure models, namely crash fault and
Byzantine fault. Byzantine fault tolerance (BFT) protocols offer stronger
security guarantees, and thus are widely used in blockchain systems. However,
their security guarantees come at a dear cost to their performance and
scalability. Several works have improved BFT protocols, and Trusted Execution
Environment (TEE) has been shown to be an effective solution. However, existing
such works typically assume that each participating node is equipped with TEE.
For blockchain systems wherein participants typically have different hardware
configurations, i.e., some nodes feature TEE while others do not, existing
TEE-based BFT protocols are not applicable.
This work studies the setting wherein not all participating nodes feature
TEE, under which we propose a new fault model called mixed fault. We explore a
new approach to designing efficient distributed fault-tolerant protocols under
the mixed fault model. In general, mixed fault tolerance (MFT) protocols assume
a network of nodes, among which up to can be subject to
mixed faults. We identify two key principles for designing efficient MFT
protocols, namely, (i) prioritizing non-equivocating nodes in leading the
protocol, and (ii) advocating the use of public-key cryptographic primitives
that allow authenticated messages to be aggregated. We showcase these design
principles by prescribing an MFT protocol, namely MRaft.
We implemented a prototype of MRaft using Intel SGX, integrated it into the
CCF blockchain framework, conducted experiments, and showed that MFT protocols
can obtain the same security guarantees as their BFT counterparts while still
providing better performance (both transaction throughput and latency) and
scalability.
Comment: 12 pages, 3 figures
Open Virtual Trusted Execution Environment
Hardware-based Trusted Execution Environments (TEEs) are widely deployed in mobile devices. Yet their use has been limited primarily to applications developed by the device vendors. Recent standardization of TEE interfaces by GlobalPlatform (GP) promises to partially address this problem by enabling GP-compliant trusted applications to run on TEEs from different vendors. Nevertheless, ordinary developers wishing to develop trusted applications face significant challenges. Access to hardware TEE interfaces is difficult to obtain without support from vendors. Tools and software needed to develop and debug trusted applications may be expensive or non-existent.
This thesis describes Open-TEE, a virtual TEE implemented in software. Open-TEE follows GP specifications. It allows developers to develop and debug trusted applications with the same tools they use for developing software in general. Once a trusted application is fully debugged, it can be compiled for any actual hardware TEE. This thesis also describes the experience in getting trusted application developers to try Open-TEE. Open-TEE is freely available as open source.
Towards Runtime Customizable Trusted Execution Environment on FPGA-SoC
Processing sensitive data and deploying well-designed Intellectual Property
(IP) cores on remote Field Programmable Gate Array (FPGA) are prone to private
data leakage and IP theft. One effective solution is constructing Trusted
Execution Environment (TEE) on FPGA-SoCs (FPGA System on Chips). Researchers
have integrated this type of TEE with Trusted Platform Module (TPM)-based
trusted boot, denoted as FPGA-SoC tbTEE. But there has been no effort on secure
and trusted runtime customization of FPGA-SoC TEE. This paper extends FPGA-SoC
tbTEE to build a Runtime Customizable TEE (RCTEE) on FPGA-SoC by adding three
major components: 1) CrloadIP, which can load an IP core at runtime such
that RCTEE can be adjusted dynamically and securely; 2) CexecIP, which can not
only execute an IP core without modifying the operating system of FPGA-SoC TEE,
but also prevent insider attackers from executing IPs deployed in RCTEE; 3)
CremoAT, which can provide the newly measured RCTEE state and establish a
secure and trusted communication path between remote verifiers and RCTEE. We
conduct a security analysis of RCTEE and evaluate its performance on a Xilinx
Zynq UltraScale+ XCZU15EG 2FFVB1156 MPSoC.