PrivateZone: Providing a Private Execution Environment Using ARM TrustZone

ARM TrustZone is widely used to provide a Trusted Execution Environment (TEE) for mobile devices. However, the use of TrustZone is limited because TrustZone resources are only available for some pre-authorized applications. In other words, only alliances of the TrustZone OS vendors and device manufacturers can use TrustZone to secure their services. To help overcome this problem, we designed the PrivateZone framework to enable individual developers to utilize TrustZone resources. Using PrivateZone, developers can run Security Critical Logics (SCL) in a Private Execution Environment (PrEE). The advantage of PrivateZone is its leveraging of TrustZone resources without undermining the security of existing services in the TEE. To guarantee this, PrivateZone creates a PrEE using a memory region that is isolated from both the Rich Execution Environment (REE) and TEE. In this paper, we describe the design and implementation of PrivateZone. The prototype of PrivateZone was implemented on an Arndale board with a Cortex-A15 dual-core processor. We built PrivateZone by exploring both security and virtualization extensions of the ARM architecture. To illustrate the usage and the efficacy of PrivateZone, we developed an Android application based on PrivateZone framework, and evaluated the performance overhead imposed on the OS in the REE and SCLs in the PrEE.

[1]  Yangchun Fu,et al.  Hybrid-Bridge: Efficiently Bridging the Semantic-Gap in VMI via Decoupled Execution and Training Memoization , 2014, NDSS.

[2]  William A. Arbaugh,et al.  A secure and reliable bootstrap architecture , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[3]  Brent Byunghoon Kang,et al.  SeCReT: Secure Channel between Rich Execution Environment and Trusted Execution Environment , 2015, NDSS.

[4]  Brent Byunghoon Kang,et al.  OpenSGX: An Open Platform for SGX Research , 2016, NDSS.

[5]  Yangchun Fu,et al.  Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection , 2012, 2012 IEEE Symposium on Security and Privacy.

[6]  Will Dietz,et al.  Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation , 2015, ASPLOS.

[7]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[8]  Yuewu Wang,et al.  TrustICE: Hardware-Assisted Isolated Computing Environments on Mobile Devices , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[9]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[10]  James Newsome,et al.  MiniBox: A Two-Way Sandbox for x86 Native Code , 2014, USENIX ATC.

[11]  Xiaoxin Chen,et al.  Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems , 2008, ASPLOS.

[12]  Jiang Wang,et al.  HyperCheck: A Hardware-AssistedIntegrity Monitor , 2014, IEEE Transactions on Dependable and Secure Computing.

[13]  Angelos Stavrou,et al.  Using Hardware Features for Increased Debugging Transparency , 2015, 2015 IEEE Symposium on Security and Privacy.

[14]  Angelos Stavrou,et al.  SPECTRE: A dependable introspection framework via System Management Mode , 2013, 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[15]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[16]  Vikram S. Adve,et al.  Virtual ghost: protecting applications from hostile operating systems , 2014, ASPLOS.

[17]  Trent Jaeger,et al.  Sprobes: Enforcing Kernel Code Integrity on the TrustZone Architecture , 2014, ArXiv.

[18]  Zhi Wang,et al.  HyperSentry: enabling stealthy in-context measurement of hypervisor integrity , 2010, CCS '10.

[19]  Carl Staelin,et al.  lmbench: Portable Tools for Performance Analysis , 1996, USENIX Annual Technical Conference.

[20]  Juan del Cuvillo,et al.  Using innovative instructions to create trustworthy software solutions , 2013, HASP '13.

[21]  Xuxian Jiang,et al.  Countering kernel rootkits with lightweight hook protection , 2009, CCS.

[22]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[23]  Sushil Jajodia,et al.  TrustDump: Reliable Memory Acquisition on Smartphones , 2014, ESORICS.

[24]  N. Asokan,et al.  On Making Emerging Trusted Execution Environments Accessible to Developers , 2015, TRUST.

[25]  Jennifer Rexford,et al.  NoHype: virtualized cloud infrastructure without the virtualization , 2010, ISCA.

[26]  David Lie,et al.  Splitting interfaces: making trust between applications and operating systems configurable , 2006, OSDI '06.

[27]  Marcus Peinado,et al.  Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems , 2015, 2015 IEEE Symposium on Security and Privacy.

[28]  Angelos D. Keromytis,et al.  ret2dir: Rethinking Kernel Isolation , 2014, USENIX Security Symposium.

[29]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[30]  Christos Gkantsidis,et al.  VC3: Trustworthy Data Analytics in the Cloud Using SGX , 2015, 2015 IEEE Symposium on Security and Privacy.

[31]  ネイガー、ギルバート,et al.  Method and apparatus for providing secure application execution , 2009 .

[32]  N. Asokan,et al.  Open-TEE -- An Open Virtual Trusted Execution Environment , 2015, 2015 IEEE Trustcom/BigDataSE/ISPA.

[33]  Yuewu Wang,et al.  TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens , 2015, CCS.

[34]  Kang G. Shin,et al.  Using hypervisor to provide data secrecy for user applications on a per-page basis , 2008, VEE '08.

[35]  Zhi Wang,et al.  Process out-grafting: an efficient "out-of-VM" approach for fine-grained process execution monitoring , 2011, CCS '11.

[36]  Hovav Shacham,et al.  Iago attacks: why the system call API is a bad untrusted RPC interface , 2013, ASPLOS '13.

[37]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[38]  Xuxian Jiang,et al.  Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing , 2008, RAID.

[39]  Mark Horowitz,et al.  Implementing an untrusted operating system on trusted hardware , 2003, SOSP '03.

[40]  N. Asokan,et al.  On-board credentials with open provisioning , 2009, ASIACCS '09.

[41]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[42]  Emmett Witchel,et al.  InkTag: secure applications on an untrusted operating system , 2013, ASPLOS '13.

[43]  Yubin Xia,et al.  Building trusted path on untrusted device drivers for mobile devices , 2014, APSys.

[44]  Quan Chen,et al.  Hypervision Across Worlds: Real-time Kernel Protection from the ARM TrustZone Secure World , 2014, CCS.

[45]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[46]  Alec Wolman,et al.  Software abstractions for trusted sensors , 2012, MobiSys '12.

[47]  Alec Wolman,et al.  Using ARM trustzone to build a trusted language runtime for mobile applications , 2014, ASPLOS.

[48]  Yubin Xia,et al.  AdAttester: Secure Online Mobile Advertisement Attestation Using TrustZone , 2015, MobiSys.