
Running secure user services in a hostile environment
TROOS – Trusted Open OS, the basis for a TrustZone based open TEE
Assaf Rosenbaum, Eli Biham and Sara Bitan
Department of Computer Science, Technion

Do you trust your OS? We don’t...

[Figure: Critical vulnerabilities found, Jan–Apr 2017]

How to protect critical assets from a compromised OS?

Exploitation of an OS vulnerability might leave the system resources completely exposed to attacks. Hence, we need a mechanism (entity) that can be trusted even when the OS is breached.

Trusted Execution Environment (TEE)

We need an environment in which we can safely store critical data and perform critical processing.

[Figure: User Space, OS, TEE]

Current TEE technologies

Intel Software Guard Extensions (SGX)

SGX makes it possible to run secure services in an isolated execution environment (called an enclave), embedded in the process virtual memory space.

ARM TrustZone

TrustZone provides a technology to run two virtual worlds – a Normal World (NW) and a Secure World (SW) – on the same CPU. This mechanism is an infrastructure on which we can create a Trusted Execution Environment.

The Genode OS framework

[Figure: Application TCB in Genode]

Genode is an open source operating system framework designed for increased security. Genode maintains strong application isolation properties and is designed to keep each application Trusted Computing Base (TCB) as small as possible.

Our contribution – TROOS

Our goal is to provide a TEE for user services (much like Intel’s SGX). We use Genode as the basis for our trusted OS. On top of the native Core and Init components, which are the system kernel and first user process respectively, we added a few more components to enable the loading and execution of trusted user services, called trustlets.

TZ VMM: Intercepts SMCs and handles the switch between the two worlds.

Loader: Responsible for loading and verifying the trustlets' code from the normal world.

Trustlet Manager: Acts as a container for the trustlets. Manages the trustlets' resource allocation.

Crypto: Will provide each trustlet with unique keys, accessible only to it and only while running in the secure world.

[Figure: Trustlet TCB on TROOS. Components shown: Core; Init; TZ VMM, Trustlets Manager; Trustlet1, Trustlet2, Trustlet3; Loader, Crypto]

Notice that in TROOS, a trustlet must not trust the other trustlets in the system. A trustlet doesn’t even need to trust the TROOS services, unless it wishes to use them.

Secure world interface

The normal world OS utilizes the secure world interface in order to create and execute trustlets according to its needs via SMCs. As part of our efforts to keep the system attack surface as small as possible, we keep the number of SMCs at the bare minimum. The most significant SMCs are described in the following table:

SMC        Description
Tcreate    create a new (empty) trustlet
Tload      load and measure the trustlet code
Tinit      mark trustlet as ready to run
Tstart     start executing a trustlet
Tresume    resume trustlet run after it was stopped
Tdestroy   stop the trustlet run and free its resources
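
As an added illustration (not code from the TROOS project), the sketch below models how a secure-world dispatcher could reject out-of-order SMCs issued by an untrusted normal world. The state names, `smc_dispatch`, `trustlet_preempt`, the ordering rules and the FNV-1a stand-in for a real measurement hash are all assumptions; the poster gives only the six SMC names and their descriptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical lifecycle states; the poster names the SMCs, not the states. */
typedef enum { T_FREE, T_CREATED, T_LOADED, T_READY, T_RUNNING, T_STOPPED } tstate;
typedef enum { TCREATE, TLOAD, TINIT, TSTART, TRESUME, TDESTROY } smc_id;
typedef struct { tstate state; uint64_t measurement; } trustlet;

/* FNV-1a stands in for a cryptographic hash such as SHA-256 (assumption). */
static uint64_t extend(uint64_t m, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { m ^= p[i]; m *= 0x100000001b3ULL; }
    return m;
}

static int step(trustlet *t, int allowed, tstate next) {
    if (!allowed) return -1;
    t->state = next;
    return 0;
}

/* Secure-world side: models the trustlet leaving the CPU (e.g. an interrupt). */
void trustlet_preempt(trustlet *t) { if (t->state == T_RUNNING) t->state = T_STOPPED; }

/* Returns 0 on success, -1 when the normal world issues an SMC out of order. */
int smc_dispatch(trustlet *t, smc_id id, const uint8_t *code, size_t len) {
    tstate s = t->state;
    switch (id) {
    case TCREATE:
        if (s != T_FREE) return -1;
        t->measurement = 0xcbf29ce484222325ULL;   /* FNV-1a offset basis */
        return step(t, 1, T_CREATED);
    case TLOAD:   /* only before Tinit, so measured code cannot change afterwards */
        if ((s != T_CREATED && s != T_LOADED) || !code || !len) return -1;
        t->measurement = extend(t->measurement, code, len);
        return step(t, 1, T_LOADED);
    case TINIT:
        return step(t, s == T_LOADED, T_READY);
    case TSTART:
        return step(t, s == T_READY, T_RUNNING);
    case TRESUME:
        return step(t, s == T_STOPPED, T_RUNNING);
    case TDESTROY:   /* scrub state so a reused slot starts clean */
        if (s == T_FREE) return -1;
        t->measurement = 0;
        return step(t, 1, T_FREE);
    }
    return -1;
}
```
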

Future work

Our next step is to complete the system implementation with all of the designed components. We then plan to deliver an elaborated security analysis of the system and a comparison to existing TEEs (TrustZone based and others). The performance impact on the normal world will be tested as well. Due to time constraints, there are aspects that we do not plan to address at this stage, even though they surely are beneficial to TROOS. For example:

• Integrating a secure element.
• Extending system abilities with secure IO.
• Utilizing on-chip memory to better protect trustlets' code and data against probing.
