TrustShadow: Secure Execution of Unmodified Applications with ARM TrustZone

The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make it smarter. A variety of applications now run simultaneously on an ARM-based processor. For example, devices on the edge of the Internet are provided with higher horsepower to be entrusted with storing, processing and analyzing data collected from IoT devices. This significantly improves efficiency and reduces the amount of data that needs to be transported to the cloud for data processing, analysis and storage. However, commodity OSes are prone to compromise. Once they are exploited, attackers can access the data on these devices. Since the data stored and processed on the devices can be sensitive, left untackled, this is particularly disconcerting. In this paper, we propose a new system, TrustShadow that shields legacy applications from untrusted OSes. TrustShadow takes advantage of ARM TrustZone technology and partitions resources into the secure and normal worlds. In the secure world, TrustShadow constructs a trusted execution environment for security-critical applications. This trusted environment is maintained by a lightweight runtime system that coordinates the communication between applications and the ordinary OS running in the normal world. The runtime system does not provide system services itself. Rather, it forwards requests for system services to the ordinary OS, and verifies the correctness of the responses. To demonstrate the efficiency of this design, we prototyped TrustShadow on a real chip board with ARM TrustZone support, and evaluated its performance using both microbenchmarks and real-world applications. We showed TrustShadow introduces only negligible overhead to real-world applications.Comment: MobiSys 201

TWallet ARM TrustZone Enabled Trustable Mobile Wallet: A Case for Cryptocurrency Wallets

With the increasing popularity of Blockchains supporting virtual cryptocurrencies it has become more important to have secure devices supporting operations in trustable cryp- tocurrency wallets. These wallets, currently implemented as mobile Apps or components of mobile Apps must be protected from possible intrusion attacks. ARM TrustZone technology has made available an extension of the ARM processor ar- chitecture, allowing for the isolation of trusted and non-trusted execution environments. Critical components and their runtime support can be "booted" and loaded to run in the isolated execution environment, backed by the ARM processor. The ARM TrustZone solution provides the possible enforcement of security and privacy conditions for applica- tions, ensuring the containment of sensitive software components and data-management facilities, isolating them from OS-level intrusion attacks. The idea is that sensitive compo- nents and managed data are executed with a trust computing base supported at hardware and firmware levels, not affected by intrusions against non-protected OS-level runtime components. In this dissertation we propose TWallet: a solution designed as a generic model to sup- port secure and trustable Mobile Client Wallets (implemented as mobile Apps), backed by the ARM TrustZone technology. The objective is to manage local sensitive stored data and processing components in a trust execution environment isolated from the Android OS. We believe that the proposed TWallet framework model can also inspire other specific solutions that can benefit from the isolation of sensitive components in mobile Android Apps. As a proof-of-concept, we used the TWallet framework model to implement a trusted wallet application used as an Ethereum wallet, to operate with the Ethereum Blockchain. To achieve our goals, we also conducted different experimental observations to analyze and validate the solution, with the implemented wallet integrated, tested and validated with the Rinkeby Ethereum Test Network.Com o aumento da popularidade de Blockchains e utilização de sistemas de criptomoedas, tornou-se cada vez mais importante a utilização de dispositivos seguros para suportar aplicações de carteiras móveis (vulgarmente conhecidas por mobile wallets ou mobile cryptowallets). Estas aplicações permitem aos utilizadores uma gestão local, cómoda, confiável e segura de dados e operações integradas com sistemas de Blockchains. Estas carteiras digitais, como aplicações móveis completas ou como componentes de outras aplicações, têm sido desenvolvidas de forma generalizada para diferentes sistemas operativos convencionais, nomeadamente para o sistema operativo Android e para diferentes sistemas de criptomoedas. As wallets devem permitir processar e armazenar informação sensível associada ao controlo das operações realizadas, incluindo gestão e consulta de saldos de criptomoedas, realização e consultas de históricos de movimentos de transações ou consolidação do estado destas operações integradas com as Blockchains remotas. Devem também garantir o controlo seguro e confiável do processamento criptográfico envolvido, bem como a segurança das respetivas chaves criptográficas utilizadas. A Tecnologia ARM TrustZone disponibiliza um conjunto de extensões para as arquiteturas de processadores ARM, possibilitando o isolamento e execução de código num ambiente de execução suportado ao nível do hardware do próprio processador ARM. Isto possibilita que componentes críticos de aplicações ou de sistemas operativos suportados em processadores ARM, possam executar em ambientes isolados com minimização propiciada pelo isolamento da sua Base de Computação Confiável (ou Trusted Computing Base). A execução em ambiente seguro suportado pela solução TrustZone pode oferecer assim um reforço adicional de propriedades de confiabilidade, segurança e privacidade. Isto possibilita isolar componentes e dados críticos de possíveis ataques ou intrusões ao nível do processamento e gestão de memória ou armazenamento suportados pelo sistema operativo ou bibliotecas middleware, como é usual no caso de aplicações móveis, executando em ambiente Android OS ou noutros sistemas operativos de dispositivos móveis. Nesta dissertação propomos a solução TWallet, uma aproximação genérica para suporte de wallets utilizadas como aplicações móveis confiáveis em ambiente Android OS e fortalecidas pela utilização da tecnologia ARM TrustZone. O objetivo é possibilitar o isolamento de dados e componentes sensíveis deste tipo de aplicações, tornando-as mais seguras e confiáveis. Acreditamos que o modelo de desenho e implementação da solução TWallet, visto como uma framework de referência, poderá também ser utilizada no desenvolvimento de outras aplicações móveis em que o isolamento e segurança de componentes e dados críticos são requisitos semelhantes aos endereçados. Este pode ser o caso de aplicações de pagamento móvel, aplicações bancárias na área de mobile banking ou aplicações de bilhética na área vulgarmente chamada como mobile e-ticketing, entre outras. Como prova de conceito, utilizámos a TWallet framework para implementar um protótipo de uma wallet confiável, suportável em Android OS, para gestão de operações e criptomoedas na Blockchain Ethereum. A implementação foi integrada, testada e validada na rede Rinkeby Test Network - uma rede de desenvolvimento e testes utilizada como primeiro estágio de validação de aplicações e componentes para a rede Ethereum em operação real. Para validação da solução TWallet foi realizada uma avaliação experimen- tal. Esta avaliação envolveu a observação de indicadores de operação com verificação e comparação de diferentes métricas de operação e desempenho, bem como de alocação de recursos da aplicação protegida no modelo TWallet, comparando esses mesmo indicadores com o caso da mesma aplicação sem essa proteção

SoK: A Systematic Review of TEE Usage for Developing Trusted Applications

Trusted Execution Environments (TEEs) are a feature of modern central processing units (CPUs) that aim to provide a high assurance, isolated environment in which to run workloads that demand both confidentiality and integrity. Hardware and software components in the CPU isolate workloads, commonly referred to as Trusted Applications (TAs), from the main operating system (OS). This article aims to analyse the TEE ecosystem, determine its usability, and suggest improvements where necessary to make adoption easier. To better understand TEE usage, we gathered academic and practical examples from a total of 223 references. We summarise the literature and provide a publication timeline, along with insights into the evolution of TEE research and deployment. We categorise TAs into major groups and analyse the tools available to developers. Lastly, we evaluate trusted container projects, test performance, and identify the requirements for migrating applications inside them.Comment: In The 18th International Conference on Availability, Reliability and Security (ARES 2023), August 29 -- September 01, 2023, Benevento, Italy. 15 page

iFlask: Isolate flask security system from dangerous execution environment by using ARM TrustZone

Security is essential in mobile computing. And, therefore, various access control modules have been introduced. However, the complicated mobile runtime environment may directly impact on the integrity of these security modules, or even compels them to make wrong access control decisions. Therefore, for a trusted Flask based security system, it needs to be isolated from the dangerous mobile execution environment at runtime. In this paper, we propose an isolated Flask security architecture called iFlask to solve this problem for the Flask-based mandatory access control (MAC) system. iFlask puts its security server subsystem into the enclave provided by the ARM TrustZone so as to avert the negative impacts of the malicious environment. In the meanwhile, iFlask’s object manager subsystems which run in the mobile system kernel use a built-in supplicant proxy to effectively lookup policy decisions made by the back-end security server residing in the enclave, and to enforce these rules on the system with trustworthy behaviors. Moreover, to protect iFlask’s components which are not protected by the enclave, we not only provide an exception trap mechanism that enables TrustZone to enlarge its protection scope to protect selected memory regions from the malicious system, but also establish a secure communication channel to the enclave as well. The prototype is implemented on SELinux, which is the widely used Flask-based MAC system, and the base of SEAndroid. The experimental results show that SELinux receives reliable protection, because it resists all known vulnerabilities (e.g., CVE-2015-1815) and remains unaffected by the attacks in the test set. The propose architecture have very slight impact on the performance, it shows a performance degradation ranges between 0.53% to 6.49% compared to the naked system

MicroTEE: Designing TEE OS Based on the Microkernel Architecture

ARM TrustZone technology is widely used to provide Trusted Execution Environments (TEE) for mobile devices. However, most TEE OSes are implemented as monolithic kernels. In such designs, device drivers, kernel services and kernel modules all run in the kernel, which results in large size of the kernel. It is difficult to guarantee that all components of the kernel have no security vulnerabilities in the monolithic kernel architecture, such as the integer overflow vulnerability in Qualcomm QSEE TrustZone and the TZDriver vulnerability in HUAWEI Hisilicon TEE architecture. This paper presents MicroTEE, a TEE OS based on the microkernel architecture. In MicroTEE, the microkernel provides strong isolation for TEE OS's basic services, such as crypto service and platform key management service. The kernel is only responsible for providing core services such as address space management, thread management, and inter-process communication. Other fundamental services, such as crypto service and platform key management service are implemented as applications at the user layer. Crypto Services and Key Management are used to provide Trusted Applications (TAs) with sensitive information encryption, data signing, and platform attestation functions. Our design avoids the compromise of the whole TEE OS if only one kernel service is vulnerable. A monitor has also been added to perform the switch between the secure world and the normal world. Finally, we implemented a MicroTEE prototype on the Freescale i.MX6Q Sabre Lite development board and tested its performance. Evaluation results show that the performance of cryptographic operations in MicroTEE is better than it in Linux when the size of data is small.Comment: 8 pages, 8 figure

Achieving Performance Balance for Dual-Criticality System Based on ARM TrustZone

Many mixed-criticality systems are composed of a RTOS (Real-Time Operating System) and a GPOS (General Purpose Operating System), and we define this as a mixed-timesensitive system. Complexity, isolation, real-time latency, and overhead are the main metrics to design such a mixed-timesensitive system. These metrics may conflict with each other, so it is difficult for them to be consistently optimized. Most existing implementations only optimize with part of the above metrics but not all. As the first contribution, this paper provides a detailed analysis of performance influencing factors which are exerted by various runtime mechanisms of existing mixed-time-sensitive systems. We figure out the difference in performance across system designs such as task switching, memory management, interrupt handling, and resource isolation. We propose the philosophy of utilizing TrustZone characteristics to optimize various mechanisms in mixed-time-sensitive systems. The second contribution of the paper is to propose a Trustzonebased solution - termed TZDKS - for mixed-time sensitive system. Appropriate utilization of TrustZone extensions helps TZDKS to implements (i) virtualization environment for GPOS and RTOS, (ii) high efficiency task switching, memory accessing, interrupt handling and device accessing which are verified by experiments. Therefore, TZDKS can achieve a full-scale balance amongst aforementioned metrics