A TrustZone Based Application Protection Scheme in Highly Open Scenarios

Zhang Yingjun; Feng Dengguo; Qin Yu; Yang Bo

doi:10.7544/issn1000-1239.2017.20170387

Journal of Computer Research and Development > 2017 > 54(10): 2268-2283. > DOI: 10.7544/issn1000-1239.2017.20170387

Zhang Yingjun, Feng Dengguo, Qin Yu, Yang Bo. A TrustZone Based Application Protection Scheme in Highly Open Scenarios[J]. Journal of Computer Research and Development, 2017, 54(10): 2268-2283. DOI: 10.7544/issn1000-1239.2017.20170387

Citation:

PDF (3757 KB)

A TrustZone Based Application Protection Scheme in Highly Open Scenarios

¹(Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190)
²(State Key Laboratory of Computer Sciece (Institute of Software, Chinese Academy of Sciences), Beijing 100190)
³(University of Chinese Academy of Sciences, Beijing 100190)

More Information

Published Date: September 30, 2017

Graphical Abstract

Abstract

Abstract

We propose a protection scheme for security-sensitive applications on mobile embedded devices, which is focus on the scenarios with both strong security and high openness requirements, such as “bring your own device”, mobile cloud computing. To meet the security requirements, we leverage the trusted execution environment of ARM TrustZone to provide strong isolation guarantees for applications even in the presence of a malicious operating system. To meet the openness requirements, our scheme has two major advantages compared with previous TrustZone-based solutions. Firstly, it moves concrete sensitive applications from TrustZone secure world to the normal world, so that the trusted computing base keeps small and unchanged regardless of the amount of supported security applications. Secondly, it leverages a light-weight kernel monitor in the secure world to enforce the untrusted operating system to serve these security applications legally, so that they could securely use standard system calls, which could provide critical features for the openness requirements, such as dynamic application deployment. We also propose proactive attestation, a novel technique that greatly improves the system efficiency by enforcing the operating system to contribute to its own verification. We implement the prototype system on real TrustZone devices. The experiment results show that our scheme is practical with acceptable performance overhead.
- TrustZone,
- trusted execution environment,
- sensitive application protection,
- kernel monitor,
- kernel proactive attestation

FullText(HTML)

References (0)

[1]	Xiong Xin, Tan Xin, Zhang Yuan. Kernel Refcount Bug Detection Based on the Consistency of Error Path Behavior[J]. Journal of Computer Research and Development, 2023, 60(7): 1489-1500. DOI: 10.7544/issn1000-1239.202220768
[2]	Zhao Xiaolei, Chen Zhaoyun, Shi Yang, Wen Mei, Zhang Chunyuan. Kernel Code Automatic Generation Framework on FT-Matrix[J]. Journal of Computer Research and Development, 2023, 60(6): 1232-1245. DOI: 10.7544/issn1000-1239.202330058
[3]	Hou Pengpeng, Zhang Heng, Wu Yanjun, Yu Jiageng, Tai Yang, Miao Yuxia. Kernel Configuration Infographic Based on Multi-Label and Its Application[J]. Journal of Computer Research and Development, 2021, 58(3): 651-667. DOI: 10.7544/issn1000-1239.2021.20200186
[4]	Zhang Liancheng, Wei Qiang, Tang Xiucun, Fang Jiabao. Path and Port Address Hopping Based SDN Proactive Defense Technology[J]. Journal of Computer Research and Development, 2017, 54(12): 2761-2771. DOI: 10.7544/issn1000-1239.2017.20160461
[5]	Zhang Yingjun, Feng Dengguo, Qin Yu, Yang Bo. A Trustzone-Based Trusted Code Execution with Strong Security Requirements[J]. Journal of Computer Research and Development, 2015, 52(10): 2224-2238. DOI: 10.7544/issn1000-1239.2015.20150582
[6]	Tian Meng, Wang Wenjian. Generalized Kernel Polarization Criterion for Optimizing Gaussian Kernel[J]. Journal of Computer Research and Development, 2015, 52(8): 1722-1734. DOI: 10.7544/issn1000-1239.2015.20150110
[7]	Yang Bo, Feng Dengguo, Qin Yu, Zhang Qianying, Xi Li, Zheng Changwen. Research on Direct Anonymous Attestation Scheme Based on Trusted Mobile Platform[J]. Journal of Computer Research and Development, 2014, 51(7): 1436-1445.
[8]	Wang Yong, Fang Juan, Ren Xingtian, and Lin Li. Formal Verification of TCG Remote Attestation Protocols Based on Process Algebra[J]. Journal of Computer Research and Development, 2013, 50(2): 325-331.
[9]	Wang Qi'an and Chen Bing. Intrusion Detection System Using CVM Algorithm with Extensive Kernel Methods[J]. Journal of Computer Research and Development, 2012, 49(5): 974-982.
[10]	Huang Wei, Zhan Jianfeng, Fan Jianpin. DCFT-Kernel: A Fault-Tolerant Cluster Middleware Based on Group Service[J]. Journal of Computer Research and Development, 2005, 42(6): 993-999.