SANCTUARY: ARMing TrustZone with User-space Enclaves

Ferdinand Brasser, David Gens, Patrick Jauernig, A. Sadeghi, Emmanuel Stapf
Proceedings 2019 Network and Distributed System Security Symposium. Publication date: 2019-02-01. DOI: 10.14722/ndss.2019.23448 (https://doi.org/10.14722/ndss.2019.23448)
Citations: 115

Abstract

ARM TrustZone is one of the most widely deployed security architectures providing Trusted Execution Environments (TEEs). Unfortunately, its usage and potential benefits for application developers and end users are largely limited due to restricted deployment policies imposed by device vendors. Restriction is enforced since every Trusted App (TA) increases the TEE’s attack surface: any vulnerable or malicious TA can compromise the system’s security. Hence, deploying a TA requires mutual trust between device vendor and application developer, incurring high costs for both. Vendors work around this by offering interfaces to selected TEE functionalities; however, these are not sufficient to securely implement advanced mobile services like banking. Extensive discussion of Intel’s SGX technology in academia and industry has unveiled the demand for an unrestricted use of TEEs, yet no comparable security architecture for mobile devices exists to this day. We propose SANCTUARY, the first security architecture which allows unconstrained use of TEEs in the TrustZone ecosystem without relying on virtualization. SANCTUARY enables execution of security-sensitive apps within strongly isolated compartments in TrustZone’s normal world comparable to SGX’s user-space enclaves. In particular, we leverage TrustZone’s versatile Address-Space Controller, available in current ARM System-on-Chip reference designs, to enforce two-way hardware-level isolation: (i) security-sensitive apps are shielded against a compromised normal-world OS, while (ii) the system is also protected from potentially malicious apps in isolated compartments. Moreover, moving security-sensitive apps from the TrustZone’s secure world to isolated compartments minimizes the TEE’s attack surface. Thus, mutual trust relationships between device vendors and developers become obsolete: the full potential of TEEs can be leveraged. We demonstrate practicality and real-world benefits of SANCTUARY by thoroughly evaluating our prototype on a HiKey 960 development board with microbenchmarks and a use case for one-time password generation in two-factor authentication.