7 research outputs found

    ReZone: disarming TrustZone with TEE privilege reduction

    In TrustZone-assisted TEEs, the trusted OS has unrestricted access to both secure and normal world memory. Unfortunately, this architectural limitation has opened an avenue of exploration for attackers, who have demonstrated how to leverage a chain of exploits to hijack the trusted OS and gain full control of the system, targeting (i) the rich execution environment (REE), (ii) all trusted applications (TAs), and (iii) the secure monitor. In this paper, we propose REZONE. The main novelty behind the REZONE design relies on leveraging TrustZone-agnostic hardware primitives available on commercial off-the-shelf (COTS) platforms to restrict the privileges of the trusted OS. With REZONE, a monolithic TEE is restructured and partitioned into multiple sandboxed domains named zones, which have access only to private resources. We have fully implemented REZONE for the i.MX 8MQuad EVK and integrated it with Android OS and OP-TEE. We extensively evaluated REZONE using microbenchmarks and real-world applications. REZONE can sustain popular applications like DRM-protected video encoding with acceptable performance overheads. We have surveyed 80 CVE vulnerability reports and estimate that REZONE could mitigate 86.84% of them. We thank our shepherd Aastha Mehta and the anonymous reviewers for their comments and suggestions. This work was supported by national funds through Centro ALGORITMI / Universidade do Minho, Instituto Superior Técnico / Universidade de Lisboa, and FCT under projects UIDB/50021/2020 and UIDB/00319/2020. David Cerdeira was supported by FCT grant SFRH/BD/146231/2019.

    Operating systems for Internet of Things low-end devices: analysis and benchmarking

    In the era of the Internet of Things (IoT), billions of wirelessly connected embedded devices have rapidly become part of our daily lives. As a key tool for each Internet-enabled object, embedded operating systems (OSes) provide a set of services and abstractions that ease development and speed up the deployment of IoT solutions at scale. This article starts by discussing the requirements of an IoT-enabled OS, taking into consideration the major concerns when developing solutions at the network edge, followed by a deep comparative analysis and benchmarking of Contiki-NG, RIOT, and Zephyr. These OSes were chosen as the best representatives of their class considering the key points that best define an OS for resource-constrained IoT devices: low power consumption, real-time capabilities, security awareness, interoperability, and connectivity. While evaluating each OS under different network conditions, the gathered results revealed distinct behaviors for each OS feature, mainly due to differences in kernel and network stack implementations. This work has been supported by national funds through FCT - Fundação para a Ciência e a Tecnologia within the Project Scope: UID/CEC/00319/2019.

    Providing trusted execution environments using FPGA

    Trusted Execution Environments (TEEs) drastically reduce the trusted computing base (TCB) of a system by providing a secure execution environment for security-critical applications that is isolated from the operating system or the hypervisor. TEEs are often assumed to be highly secure; however, over the last few years, TEEs have been proven weak, as both TEEs built upon security-oriented hardware extensions (e.g., Arm TrustZone and Intel SGX) and those resorting to dedicated secure elements have been exploited multiple times. In this paper, we propose a novel TEE design, named Trusted Execution Environments On-Demand (TEEOD), which leverages the reconfigurable logic of FPGA-SoCs to dynamically provide secure execution environments for security-critical applications. Unlike other TEE designs, ours can provide high-bandwidth connections and physical on-chip isolation while providing configurable hardware and software TCBs. We built a proof-of-concept (PoC) implementation targeting an Ultra96-V2 platform. The conducted evaluation demonstrated that TEEOD can host up to 6 simultaneous enclaves with a resource usage per enclave of 7.0%, 3.8%, and 15.3% of the total LUTs, FFs, and BRAMs, respectively.

    Bao-Enclave: virtualization-based Enclaves for Arm

    General-purpose operating systems (GPOS), such as Linux, encompass several million lines of code. Statistically, a larger code base inevitably leads to a higher number of potential vulnerabilities and inherently a more vulnerable system. To minimize the impact of vulnerabilities in a GPOS, it has become common to implement security-sensitive programs outside the domain of the GPOS, i.e., in a Trusted Execution Environment (TEE). Arm TrustZone is the de facto technology for implementing TEEs on Arm devices. However, over the last decade, TEEs have been successfully attacked hundreds of times. Unfortunately, these attacks have been possible due to the presence of several architectural and implementation flaws in TrustZone-based TEEs. In this paper, we propose Bao-Enclave, a virtualization-based solution that enables OEMs to remove security functionality from the TEE and move it into normal world isolated environments, protected from potentially malicious OSes, in the form of lightweight virtual machines (VMs). We evaluate Bao-Enclave on real hardware platforms and find that Bao-Enclave may improve the performance of security-sensitive workloads by up to 4.8x, while significantly simplifying the TEE software TCB.

    Self-secured devices: high performance and secure I/O access in TrustZone-based systems

    Arm TrustZone is a hardware technology that adds significant value to the ongoing security picture. TrustZone-based systems typically consolidate multiple environments on the same platform, requiring resources to be shared among them. Currently, hardware devices on TrustZone-enabled system-on-chip (SoC) solutions can only be configured as secure or non-secure, which means the dual-world concept of TrustZone does not extend to the inner logic of the devices. The traditional passthrough model dictates that both worlds cannot use the same device concurrently. Furthermore, existing shared device access methods have been shown to have a negative impact on the overall system in terms of security and performance. This work introduces the concept of self-secured devices, a novel approach to shared device access in TrustZone-based architectures. This concept extends the TrustZone dual-world model to the device itself, providing a secure and a non-secure logical interface in a single device instance. The solution was deployed and evaluated on the LTZVisor, an open-source and lightweight TrustZone-assisted hypervisor. The obtained results are encouraging, demonstrating that our solution requires only a few additional hardware resources compared with the native device implementation, while providing a secure solution for device sharing. This work has been supported by FCT - Fundação para a Ciência e a Tecnologia, Portugal within the R&D Units Project Scope: UIDB/00319/2020.

    The Genome of Anopheles darlingi, the main neotropical malaria vector

    Anopheles darlingi is the principal neotropical malaria vector, responsible for more than a million cases of malaria per year on the American continent. Anopheles darlingi diverged from the African and Asian malaria vectors ∼100 million years ago (mya) and successfully adapted to the New World environment. Here we present an annotated reference A. darlingi genome, sequenced from a wild population of males and females collected in the Brazilian Amazon. A total of 10 481 predicted protein-coding genes were annotated, 72% of which have their closest counterpart in Anopheles gambiae and 21% have highest similarity with other mosquito species. In spite of a long period of divergent evolution, conserved gene synteny was observed between A. darlingi and A. gambiae. More than 10 million single nucleotide polymorphisms and short indels with potential use as genetic markers were identified. Transposable elements correspond to 2.3% of the A. darlingi genome. Genes associated with hematophagy, immunity and insecticide resistance, directly involved in vector-human and vector-parasite interactions, were identified and discussed. This study represents the first effort to sequence the genome of a neotropical malaria vector, and opens a new window through which we can contemplate the evolutionary history of anopheline mosquitoes. It also provides valuable information that may lead to novel strategies to reduce malaria transmission on the South American continent. The A. darlingi genome is accessible at www.labinfo.lncc.br/index.php/anopheles-darlingi. © 2013 The Author(s)

    Security assurance of an In-vehicle HMI Manager: specifying certifiable software for In-vehicle infotainment systems

    Integrated master's dissertation in Industrial Electronics and Computer Engineering.

    Traditionally in the automotive industry, vehicle safety was the most crucial factor and the security of in-vehicle systems was only an afterthought. This resulted in networks that withstood several technical interferences but were mostly unprotected against malicious attacks. In the future, infotainment and other software systems in the vehicle will be composed of, and connected to, several processing units inside the car, with some of them even requiring an Internet connection. Security then becomes at least as important as safety, even overlapping with it in some aspects. Two main problems arise from this interconnection: user data needs to be secured, and the system must be resilient to attacks that could allow remote control of the car. For users to have confidence in the software systems inside the vehicle, an evaluation must be performed. The evaluation result should meet criteria that users or a regulatory body deem acceptable. A security evaluation performs a careful analysis of the design and implementation of a system. The higher the scrutiny and detail of the evaluation, the higher the cost. It is thus important that evaluation activities correspond to the assets' value. This dissertation aims at specifying a secure architecture for an HMI Manager. The purpose of the HMI Manager is to manage several Human-Machine Interface (HMI) systems inside the vehicle to provide a better experience to the user. This work focuses on user data protection and on generating documentation that would contribute to the system's certification. Best practices are followed to help create a secure system that satisfies the system requirements, through the use of tried and tested techniques.

    Traditionally, in the automotive industry, vehicle safety was the most important factor and the security of the vehicle's internal systems was considered afterwards. This resulted in systems capable of withstanding several technical interferences, but for the most part unprotected against attacks. In the future, infotainment and other systems will be composed of, and connected to, several processing units inside the car, some of which may even need an Internet connection. In these cases, cyber-security becomes at least as important as the physical safety of the vehicle, even overlapping with it in some respects. Two main problems arise from this connectivity: user data needs to be protected, and the system must be resistant to attacks that could, in extreme cases, allow remote control of the car. For users to have confidence in the software systems inside the vehicle, an evaluation of those systems must be carried out. The evaluation result must meet criteria that the users, or a regulatory body, find acceptable. A security evaluation carries out a careful analysis of a system's architecture and its implementation. However, the greater the scrutiny and the more details there are to evaluate, the higher the cost of that evaluation. It is therefore important that evaluation activities correspond to the value of what users want to protect. This dissertation aims to specify a security architecture for the HMI Manager, a system that coordinates HMI systems inside a vehicle, focusing on the protection of user data and on generating documentation that contributes to the system's certification. To that end, recommended practices for the design of secure systems will be followed.

    European Structural and Investment Funds in the FEDER component, through the Operational Competitiveness and Internationalization Programme (COMPETE 2020) Project no. 002797; Funding Reference: POCI-01-0247-FEDER-00279