SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems

Cerdeira, David; Santos, Nuno; Fonseca, Pedro; Pinto, Sandro

doi:10.1109/sp40000.2020.00061

Cited by 127 publications

(76 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The focus of the above papers is different from our approach, as none of the three exposes the degree of vulnerability and the importance of the various TrustZone-based TEE solutions used in market deployed devices, while they fail to pinpoint common design flaws that lead to these vulnerabilities. Finally, concurrent to our work, Cerdeira et al [ 22 ] presented and provided a comprehensive taxonomy of TrustZone-based TEE vulnerabilities. The results of this paper are complementary to our research and analysis.…”

Section: Introductionmentioning

confidence: 82%

Building Trust for Smart Connected Devices: The Challenges and Pitfalls of TrustZone

Koutroumpouchos

Ntantogian

Xenakis

2021

Sensors

View full text Add to dashboard Cite

TrustZone-based Trusted Execution Environments (TEEs) have been utilized extensively for the implementation of security-oriented solutions for several smart intra and inter-connected devices. Although TEEs have been promoted as the starting point for establishing a device root of trust, a number of published attacks against the most broadly utilized TEE implementations request a second view on their security. The aim of this research is to provide an analytical and educational exploration of TrustZone-based TEE vulnerabilities with the goal of pinpointing design and implementation flaws. To this end, we provide a taxonomy of TrustZone attacks, analyze them, and more importantly derive a set of critical observations regarding their nature. We perform a critical appraisal of the vulnerabilities to shed light on their underlying causes and we deduce that their manifestation is the joint effect of several parameters that lead to this situation. The most important ones are the closed implementations, the lack of security mechanisms, the shared resource architecture, and the absence of tools to audit trusted applications. Finally, given the severity of the identified issues, we propose possible improvements that could be adopted by TEE implementers to remedy and improve the security posture of TrustZone and future research directions.

show abstract

Section: Introductionmentioning

confidence: 82%

Building Trust for Smart Connected Devices: The Challenges and Pitfalls of TrustZone

Koutroumpouchos

Ntantogian

Xenakis

2021

Sensors

View full text Add to dashboard Cite

show abstract

“…In particular, MCSFI only requires general-purpose registers; hence it can be extended to TEEs based on RISC-V CPUs, e.g., Sanctum [79] or Keystone [80]. Furthermore, CHANCEL can also be extended to ARM CPUs, like Native Client's extension [81], but existing ARM TEEs lack hardware memory encryption [82], crucial to ensure client data confidentiality on cloud machines. Importantly, CHANCEL's extension to RISC-V TEEs like Sanctum or Keystone would benefit both parties.…”

Section: Discussionmentioning

confidence: 99%

CHANCEL: Efficient Multi-client Isolation Under Adversarial Programs

Ahmad¹,

Kim²,

Seo³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Intel SGX aims to provide the confidentiality of user data on untrusted cloud machines. However, applications that process confidential user data may contain bugs that leak information or be programmed maliciously to collect user data. Existing research that attempts to solve this problem does not consider multi-client isolation in a single enclave. We show that by not supporting such in-enclave isolation, they incur considerable slowdown when concurrently processing multiple clients in different enclave processes, due to the limitations of SGX. This paper proposes CHANCEL, a sandbox designed for multi-client isolation within a single SGX enclave. In particular, CHANCEL allows a program's threads to access both a per-thread memory region and a shared read-only memory region while servicing requests. Each thread handles requests from a single client at a time and is isolated from other threads, using a Multi-Client Software Fault Isolation (MCSFI) scheme. Furthermore, CHANCEL supports various in-enclave services such as an inmemory file system and shielded client communication to ensure complete mediation of the program's interactions with the outside world. We implemented CHANCEL and evaluated it on SGX hardware using both micro-benchmarks and realistic target scenarios, including private information retrieval and product recommendation services. Our results show that CHANCEL outperforms a baseline multi-process sandbox by 4.06 − 53.70× on micro-benchmarks and 0.02−21.18× on realistic workloads while providing strong security guarantees.

show abstract

“…a smartphone), in an external element such as a flash memory card, in the circuitry of devices such as the SIM card itself used in mobile phones, or as a cloud service in Host Card Emulation technology. A new family of embedded environments known as Trusted Execution Environments (TEE) [25,26] has emerged. A TEE is a hardware environment with a secure operating system that is isolated and completely separated from the mobile platform.…”

Section: Secure Element As Trust Anchormentioning

confidence: 99%

P2ISE: Preserving Project Integrity in CI/CD Based on Secure Elements

et al. 2021

View full text Add to dashboard Cite

Over the past decade, software development has evolved from a rigid, linear process to a highly automated and flexible one, thanks to the emergence of continuous integration and delivery environments. Nowadays, more and more development teams rely on such environments to build their complex projects, as the advantages they offer are numerous. On the security side, however, most environments seem to focus on authentication, neglecting other critical aspects, such as the integrity of the source code and the compiled binaries. To ensure the soundness of a software project, its source code must be secured from malicious modifications. Yet, no method can accurately verify that the integrity of a project’s source code has not been breached. This paper presents P2ISE, a novel integrity-preserving tool that provides strong security assertions for developers against attackers. At the heart of P2ISE lies the TPM trusted computing technology, which is leveraged to ensure integrity preservation. We have implemented the P2ISE and quantitatively assessed its performance and efficiency.

show abstract

SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems

Cited by 127 publications

References 26 publications

Building Trust for Smart Connected Devices: The Challenges and Pitfalls of TrustZone

Building Trust for Smart Connected Devices: The Challenges and Pitfalls of TrustZone

CHANCEL: Efficient Multi-client Isolation Under Adversarial Programs

P2ISE: Preserving Project Integrity in CI/CD Based on Secure Elements

Contact Info

Product

Resources

About