Volume 22, Issue 5

A TrustEnclave-Based Architecture for Ensuring Run-Time Security in Embedded Terminals

Rui Chang, Liehui Jiang, Wenzhi Chen, Yaobin Xie, Zhongyong Lu
State Key Laboratory of Mathematic Engineering and Advanced Computing, Zhengzhou 450001, China.
Department of Computer, Zhejiang University, Hangzhou 310027, China.

Abstract

Run-time security guarantees are a hotspot in current cyberspace security research, especially on embedded terminals such as smart hardware and wearable and mobile devices. These devices typically use general-purpose hardware and software to connect to public networks via the Internet, and are therefore likely exposed to security threats from Trojans and other malware. As a result, the security of sensitive personal data is threatened and economic interests in the industry are compromised. To address these run-time security problems efficiently, first, a TrustEnclave-based secure architecture is proposed, in which the trusted execution environment is constructed using hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Finally, both analytical and experimental evaluations are provided. The experimental results demonstrate the effectiveness and feasibility of the proposed security scheme.

Keywords: TrustZone, run-time security, trusted execution environment, hardware isolation


Publication history

Received: 28 September 2016
Accepted: 20 October 2016
Published: 11 September 2017
Issue date: October 2017

Copyright

© The author(s) 2017

Acknowledgements

Many thanks to Xian Chen and Yuxia Cheng for their helpful discussion about this work. This work was supported by the National Natural Science Foundation of China (Nos. 61572516 and 61503213).
