The Dual-Execution-Environment Approach: Analysis and Comparative Evaluation

The dual-execution-environment approach (dual-EE) is a trusted model that was defined to allow mobile smart devices to guarantee tamper-resistant execution for highly sensitive applications. Although various solutions implementing dual-EE have been proposed in the literature, this model has not been formalized yet. In this paper, we revisit the dual-EE approach and propose a theoretical framework to systematize the design of dual-EE solutions regarding well-established primitives defined in the Multiple Independent Levels of Security (MILS) architecture. We provide a general classification of the different dual-EE proposals based on their isolation properties. We introduce a comparative framework allowing dual-EE solutions to be evaluated across a common set of criteria. The relevance of our framework is examined by applying it on three technologies, each one represents one category in our classification. Results are consistent and explain some hidden and unexpected properties of each technology. For instance, we find that bare-metal hypervisors are ill-adapted to provide high assurance security even though they might improve the overall security level of the system.

[1]  John M. Rushby,et al.  Design and verification of secure systems , 1981, SOSP.

[2]  Jim Alves-Foss,et al.  The MILS architecture for high-assurance embedded systems , 2006, Int. J. Embed. Syst..

[3]  Mark Horowitz,et al.  Implementing an untrusted operating system on trusted hardware , 2003, SOSP '03.

[4]  James Newsome,et al.  Trustworthy Execution on Mobile Devices: What Security Properties Can My Mobile Platform Give Me? , 2012, TRUST.

[5]  N. Asokan,et al.  On-board credentials with open provisioning , 2009, ASIACCS '09.

[6]  W. Marsden I and J , 2012 .

[7]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[8]  Morrie Gasser,et al.  Building a Secure Computer System , 1988 .

[9]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[10]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[11]  Jason Nieh,et al.  KVM/ARM: the design and implementation of the linux ARM hypervisor , 2014, ASPLOS.

[12]  Sang-Bum Suh,et al.  Xen on ARM: System Virtualization Using Xen Hypervisor for ARM-Based Secure Mobile Phones , 2008, 2008 5th IEEE Consumer Communications and Networking Conference.

[13]  Peter Wilson,et al.  Implementing Embedded Security on Dual-Virtual-CPU Systems , 2007, IEEE Design & Test of Computers.

[14]  G. Edward Suh,et al.  AEGIS: architecture for tamper-evident and tamper-resistant processing , 2003 .

[15]  Quan Chen,et al.  Hypervision Across Worlds: Real-time Kernel Protection from the ARM TrustZone Secure World , 2014, CCS.

[16]  Katrin Hoeper,et al.  Delivering secure applications on commercial mobile devices: the case for bare metal hypervisors , 2011, SPSM '11.

[17]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[18]  Alec Wolman,et al.  Using ARM trustzone to build a trusted language runtime for mobile applications , 2014, ASPLOS.

[19]  W. Vanfleet,et al.  I Where We Have Been Where We Are Going Mils:architecture for High-assurance Embedded Computing , 2022 .

[20]  Ahmad-Reza Sadeghi,et al.  Mobile Trusted Computing , 2014, Proceedings of the IEEE.

[21]  Chamseddine Talhi,et al.  Securing Business Data on Android Smartphones , 2014, MobiWIS.

[22]  Benedict G. E. Wiedemann Protection? , 1998, Science.

[23]  Mark Stamp,et al.  iPhone Security Analysis , 2010, J. Information Security.

[24]  Patrick D. McDaniel,et al.  Understanding Android Security , 2009, IEEE Security & Privacy Magazine.