Building a Trustworthy Execution Environment to Defeat Exploits from both Cyber Space and Physical Space for ARM

Le Guan; Chen Cao; Peng Liu; Xinyu Xing; Xinyang Ge; Shengzhi Zhang; Meng Yu; Trent Jaeger

doi:10.1109/TDSC.2018.2861756

Building a Trustworthy Execution Environment to Defeat Exploits from both Cyber Space and Physical Space for ARM

Le Guan^*, Chen Cao, Peng Liu, Xinyu Xing, Xinyang Ge, Shengzhi Zhang, Meng Yu, Trent Jaeger

^*Corresponding author for this work

Computer Science

Research output: Contribution to journal › Article › peer-review

13 Scopus citations

Abstract

The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make them smarter. However, the smartness comes at the cost of multi-vector security exploits. From cyber space, a compromised operating system could access all the data in a cloud-aware IoT device. From physical space, cold-boot attacks and DMA attacks impose a great threat to the unattended devices. In this paper, we propose TrustShadow that provides a comprehensively protected execution environment for unmodified application running on ARM-based IoT devices. To defeat cyber attacks, TrustShadow takes advantage of ARM TrustZone technology and partitions resources into the secure and normal worlds. In the secure world, TrustShadow constructs a trusted execution environment for security-critical applications. This trusted environment is maintained by a lightweight runtime system. The runtime system does not provide system services itself. Rather, it forwards them to the untrusted normal-world OS, and verifies the returns. The runtime system further employs a page based encryption mechanism to ensure that all the data segments of a security-critical application appear in ciphertext in DRAM chip. When an encrypted data page is accessed, it is transparently decrypted to a page in the internal RAM, which is immune to physical exploits.

Original language	English (US)
Article number	8423674
Pages (from-to)	438-453
Number of pages	16
Journal	IEEE Transactions on Dependable and Secure Computing
Volume	16
Issue number	3
DOIs	https://doi.org/10.1109/TDSC.2018.2861756
State	Published - May 1 2019

Funding

This work was supported by U.S. Army Research Office award W911NF-13-1-0421 (MURI), US National Science Foundation under Grant No. CNS-1422594, CNS-1505664, CNS-1634441, CNS-1422355, CNS-1408880, SBE-1422215, and the Penn State Institute for CyberScience (ICS) Seed Funding Initiative grant. This manuscript is an extension of the conference version appearing in the Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys ’17) [1]. This manuscript presents a more detailed description of the system design, and augments the system to enable more comprehensive protection to trusted applications even in the presence of physical intrusions to the devices.

Keywords

ARM trustzone
cold-boot attack
IoT
Malicious operating systems
physical attack
TEE

ASJC Scopus subject areas

General Computer Science
Electrical and Electronic Engineering

Access to Document

10.1109/TDSC.2018.2861756

Cite this

@article{0d34a307dc3d472ea4e04195d272db82,

title = "Building a Trustworthy Execution Environment to Defeat Exploits from both Cyber Space and Physical Space for ARM",

abstract = "The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make them smarter. However, the smartness comes at the cost of multi-vector security exploits. From cyber space, a compromised operating system could access all the data in a cloud-aware IoT device. From physical space, cold-boot attacks and DMA attacks impose a great threat to the unattended devices. In this paper, we propose TrustShadow that provides a comprehensively protected execution environment for unmodified application running on ARM-based IoT devices. To defeat cyber attacks, TrustShadow takes advantage of ARM TrustZone technology and partitions resources into the secure and normal worlds. In the secure world, TrustShadow constructs a trusted execution environment for security-critical applications. This trusted environment is maintained by a lightweight runtime system. The runtime system does not provide system services itself. Rather, it forwards them to the untrusted normal-world OS, and verifies the returns. The runtime system further employs a page based encryption mechanism to ensure that all the data segments of a security-critical application appear in ciphertext in DRAM chip. When an encrypted data page is accessed, it is transparently decrypted to a page in the internal RAM, which is immune to physical exploits.",

keywords = "ARM trustzone, cold-boot attack, IoT, Malicious operating systems, physical attack, TEE",

author = "Le Guan and Chen Cao and Peng Liu and Xinyu Xing and Xinyang Ge and Shengzhi Zhang and Meng Yu and Trent Jaeger",

note = "Funding Information: This work was supported by U.S. Army Research Office award W911NF-13-1-0421 (MURI), US National Science Foundation under Grant No. CNS-1422594, CNS-1505664, CNS-1634441, CNS-1422355, CNS-1408880, SBE-1422215, and the Penn State Institute for CyberScience (ICS) Seed Funding Initiative grant. This manuscript is an extension of the conference version appearing in the Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys {\textquoteright}17) [1]. This manuscript presents a more detailed description of the system design, and augments the system to enable more comprehensive protection to trusted applications even in the presence of physical intrusions to the devices. Publisher Copyright: {\textcopyright} 2004-2012 IEEE.",

year = "2019",

month = may,

day = "1",

doi = "10.1109/TDSC.2018.2861756",

language = "English (US)",

volume = "16",

pages = "438--453",

journal = "IEEE Transactions on Dependable and Secure Computing",

issn = "1545-5971",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "3",

}

TY - JOUR

T1 - Building a Trustworthy Execution Environment to Defeat Exploits from both Cyber Space and Physical Space for ARM

AU - Guan, Le

AU - Cao, Chen

AU - Liu, Peng

AU - Xing, Xinyu

AU - Ge, Xinyang

AU - Zhang, Shengzhi

AU - Yu, Meng

AU - Jaeger, Trent

N1 - Funding Information: This work was supported by U.S. Army Research Office award W911NF-13-1-0421 (MURI), US National Science Foundation under Grant No. CNS-1422594, CNS-1505664, CNS-1634441, CNS-1422355, CNS-1408880, SBE-1422215, and the Penn State Institute for CyberScience (ICS) Seed Funding Initiative grant. This manuscript is an extension of the conference version appearing in the Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys ’17) [1]. This manuscript presents a more detailed description of the system design, and augments the system to enable more comprehensive protection to trusted applications even in the presence of physical intrusions to the devices. Publisher Copyright: © 2004-2012 IEEE.

PY - 2019/5/1

Y1 - 2019/5/1

N2 - The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make them smarter. However, the smartness comes at the cost of multi-vector security exploits. From cyber space, a compromised operating system could access all the data in a cloud-aware IoT device. From physical space, cold-boot attacks and DMA attacks impose a great threat to the unattended devices. In this paper, we propose TrustShadow that provides a comprehensively protected execution environment for unmodified application running on ARM-based IoT devices. To defeat cyber attacks, TrustShadow takes advantage of ARM TrustZone technology and partitions resources into the secure and normal worlds. In the secure world, TrustShadow constructs a trusted execution environment for security-critical applications. This trusted environment is maintained by a lightweight runtime system. The runtime system does not provide system services itself. Rather, it forwards them to the untrusted normal-world OS, and verifies the returns. The runtime system further employs a page based encryption mechanism to ensure that all the data segments of a security-critical application appear in ciphertext in DRAM chip. When an encrypted data page is accessed, it is transparently decrypted to a page in the internal RAM, which is immune to physical exploits.

AB - The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make them smarter. However, the smartness comes at the cost of multi-vector security exploits. From cyber space, a compromised operating system could access all the data in a cloud-aware IoT device. From physical space, cold-boot attacks and DMA attacks impose a great threat to the unattended devices. In this paper, we propose TrustShadow that provides a comprehensively protected execution environment for unmodified application running on ARM-based IoT devices. To defeat cyber attacks, TrustShadow takes advantage of ARM TrustZone technology and partitions resources into the secure and normal worlds. In the secure world, TrustShadow constructs a trusted execution environment for security-critical applications. This trusted environment is maintained by a lightweight runtime system. The runtime system does not provide system services itself. Rather, it forwards them to the untrusted normal-world OS, and verifies the returns. The runtime system further employs a page based encryption mechanism to ensure that all the data segments of a security-critical application appear in ciphertext in DRAM chip. When an encrypted data page is accessed, it is transparently decrypted to a page in the internal RAM, which is immune to physical exploits.

KW - ARM trustzone

KW - cold-boot attack

KW - IoT

KW - Malicious operating systems

KW - physical attack

KW - TEE

UR - http://www.scopus.com/inward/record.url?scp=85050996903&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85050996903&partnerID=8YFLogxK

U2 - 10.1109/TDSC.2018.2861756

DO - 10.1109/TDSC.2018.2861756

M3 - Article

AN - SCOPUS:85050996903

SN - 1545-5971

VL - 16

SP - 438

EP - 453

JO - IEEE Transactions on Dependable and Secure Computing

JF - IEEE Transactions on Dependable and Secure Computing

IS - 3

M1 - 8423674

ER -

Building a Trustworthy Execution Environment to Defeat Exploits from both Cyber Space and Physical Space for ARM

Abstract

Funding

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this