ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2017, Vol. 54 ›› Issue (10): 2268-2283.doi: 10.7544/issn1000-1239.2017.20170387

• 信息安全 • 上一篇    下一篇



  1. 1(中国科学院软件研究所可信计算与信息保障实验室 北京 100190); 2(计算机科学国家重点实验室(中国科学院软件研究所) 北京 100190); 3(中国科学院大学 北京 100190) (
  • 出版日期: 2017-10-01
  • 基金资助: 
    国家自然科学基金项目 (91118006,61402455,61602455)

A TrustZone Based Application Protection Scheme in Highly Open Scenarios

Zhang Yingjun1,3, Feng Dengguo1,2, Qin Yu1, Yang Bo1   

  1. 1(Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190); 2(State Key Laboratory of Computer Sciece (Institute of Software, Chinese Academy of Sciences), Beijing 100190); 3(University of Chinese Academy of Sciences, Beijing 100190)
  • Online: 2017-10-01

摘要: 针对BYOD(bring your own device)、移动云计算等兼具强安全性、高开放性需求的新型应用场景,提出了一种移动嵌入式平台敏感应用防护方案.为满足强安全性需求,方案基于ARM TrustZone硬件隔离技术构建可信执行环境,即使在整个操作系统内核被攻破的情况下仍能保证敏感应用的安全.为满足高开放性需求,方案实现了传统TrustZone安全方案不具备的两大优势.首先,将TrustZone保护域扩展至普通世界,安全世界不再实现具体的敏感应用,而只实现一个轻量级监控模块用以监控普通世界内核的行为.因此整个系统可信计算基不随敏感应用数量的增加而增大,减少了其可攻击面和潜在漏洞。其次,监控模块确保内核为这些敏感应用提供安全的系统服务,从而为满足开放性需求提供关键功能支持,例如提供标准系统调用接口、敏感应用动态部署和加载等. 最后,方案提出了内核主动证明机制,要求内核主动提供关键信息协助监控模块验证其自身行为,有效提高了系统运行效率.在真实设备上实现了原型系统,实验结果证明了该方案的安全性和较为理想的运行效率.

关键词: TrustZone, 可信执行环境, 敏感应用防护, 内核监控, 内核主动证明

Abstract: We propose a protection scheme for security-sensitive applications on mobile embedded devices, which is focus on the scenarios with both strong security and high openness requirements, such as “bring your own device”, mobile cloud computing. To meet the security requirements, we leverage the trusted execution environment of ARM TrustZone to provide strong isolation guarantees for applications even in the presence of a malicious operating system. To meet the openness requirements, our scheme has two major advantages compared with previous TrustZone-based solutions. Firstly, it moves concrete sensitive applications from TrustZone secure world to the normal world, so that the trusted computing base keeps small and unchanged regardless of the amount of supported security applications. Secondly, it leverages a light-weight kernel monitor in the secure world to enforce the untrusted operating system to serve these security applications legally, so that they could securely use standard system calls, which could provide critical features for the openness requirements, such as dynamic application deployment. We also propose proactive attestation, a novel technique that greatly improves the system efficiency by enforcing the operating system to contribute to its own verification. We implement the prototype system on real TrustZone devices. The experiment results show that our scheme is practical with acceptable performance overhead.

Key words: TrustZone, trusted execution environment, sensitive application protection, kernel monitor, kernel proactive attestation