ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2015, Vol. 52, Issue 10: 2224-2238. doi: 10.7544/issn1000-1239.2015.20150582

Special Issue: 2015 Research Progress in Network Security and Privacy Protection


A Trustzone-Based Trusted Code Execution with Strong Security Requirements

Zhang Yingjun (1), Feng Dengguo (1,2), Qin Yu (1), Yang Bo (1)

1. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190
2. State Key Laboratory of Computer Science (Institute of Software, Chinese Academy of Sciences), Beijing 100190

Online: 2015-10-01

Abstract: We propose a secure scheme for trusted code execution on mobile embedded devices based on the idea of a program whitelist, which focuses on application scenarios with strong security requirements and fixed computational functions, such as Industry 4.0 and "bring your own device". We leverage the trusted execution environment provided by ARM Trustzone and the virtual memory protection mechanism of ARM to build an enclave in the OS kernel's address space that cannot be tampered with by the untrusted OS kernel itself. Monitor functions placed in the enclave provide integrity protection for the executable files, runtime code and runtime control flow of trusted processes, ensuring that only authorized code complying with the whitelist policy can be executed on target devices. The scheme also enhances the security of communications between the target devices and the central control server by building secure shared memory areas between communication client processes and the Trustzone secure world, and by building a trusted timer interrupt source in the Trustzone secure world. Secure protocols for whitelist update and platform status attestation are proposed on top of these security enhancements. We implement the prototype system on real Trustzone-enabled hardware devices. The experimental results show that our scheme achieves good usability, security and efficiency.
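The following is an added illustration, not code from the paper or its prototype, of the two policy decisions the abstract describes: an executable is allowed to run only if its file hash matches an entry in the whitelist, and a whitelist update is installed only if it carries a valid authentication tag from the control server. It models both in plain user-space Python; the HMAC key, file names and file contents are constructed for the demonstration, and HMAC stands in for whatever update protocol the paper actually uses, which the abstract does not specify.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo secret standing in for a key the secure world would hold
# (hypothetical; the paper's real update protocol is not reproduced here).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def sha256_file(path):
    """Hash an executable file in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_whitelist(whitelist, key):
    """Server side: serialise the whitelist deterministically and MAC it."""
    body = json.dumps(whitelist, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def accept_whitelist_update(body, tag, key):
    """Device side: install an update only if its MAC verifies, else reject."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def check_execution(path, whitelist):
    """Policy decision for one exec request: (allowed, reason)."""
    expected = whitelist.get(path)
    if expected is None:
        return False, "not in whitelist"
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, "hash mismatch"
    return True, "ok"


def demo():
    """Exercise the checks on constructed files; returns a dict of outcomes."""
    d = tempfile.mkdtemp()
    trusted = os.path.join(d, "trusted.bin")
    unknown = os.path.join(d, "unknown.bin")
    with open(trusted, "wb") as f:
        f.write(b"\x7fELF original trusted binary")   # constructed content
    with open(unknown, "wb") as f:
        f.write(b"\x7fELF never approved")            # constructed content

    whitelist = {trusted: sha256_file(trusted)}
    body, tag = sign_whitelist(whitelist, SERVER_KEY)

    results = {}
    # A genuine update installs; a forged tag is rejected and nothing changes.
    results["update_ok"] = accept_whitelist_update(body, tag, SERVER_KEY) == whitelist
    results["update_forged"] = accept_whitelist_update(body, "0" * 64, SERVER_KEY) is None
    installed = accept_whitelist_update(body, tag, SERVER_KEY)

    # Whitelisted binary runs, unknown binary does not.
    results["trusted"] = check_execution(trusted, installed)[0]
    results["unknown"] = check_execution(unknown, installed)[0]

    # Modifying the whitelisted file on disk invalidates its hash.
    with open(trusted, "ab") as f:
        f.write(b" tampered")
    results["tampered"] = check_execution(trusted, installed)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

In the paper's design these checks live inside the Trustzone-protected kernel enclave so the untrusted kernel cannot bypass them; here they run as ordinary functions, which is enough to show the decision logic but not the isolation property.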

Key words: whitelist, trusted code execution, Trustzone technology, trusted execution environment, kernel enclave, platform status attestation
