Ferdinand Brasser (Technische Universität Darmstadt), David Gens (Technische Universität Darmstadt), Patrick Jauernig (Technische Universität Darmstadt), Ahmad-Reza Sadeghi (Technische Universität Darmstadt), Emmanuel Stapf (Technische Universität Darmstadt)

ARM TrustZone is one of the most widely deployed security architecture providing Trusted Execution Environments (TEEs). Unfortunately, its usage and potential benefits for application developers and end users are largely limited due to restricted deployment policies imposed by device vendors. Restriction is enforced since every Trusted App (TA) increases the TEE's attack surface: any vulnerable or malicious TA can compromise the system's security. Hence, deploying a TA requires mutual trust between device vendor and application developer, incurring high costs for both. Vendors work around this by offering interfaces to selected TEE functionalities, however, these are not sufficient to securely implement advanced mobile services like banking. Extensive discussion of Intel's SGX technology in academia and industry has unveiled the demand for an unrestricted use of TEEs, yet no comparable security architecture for mobile devices exists to this day.

We propose SANCTUARY, the first security architecture which allows unconstrained use of TEEs in the TrustZone ecosystem. SANCTUARY enables execution of security-sensitive apps within strongly isolated compartments in TrustZone's normal world comparable to SGX's user-space enclaves. In particular, we leverage TrustZone's versatile Address-Space Controller available in current ARM System-on-Chip reference designs, to enforce two-way hardware-level isolation: (i) security-sensitive apps are shielded against a compromised normal-world OS, while (ii) the system is also protected from potentially malicious apps in isolated compartments. Moreover, moving security-sensitive apps from the TrustZone's secure world to isolated compartments minimizes the TEE's attack surface. Thus, mutual trust relationships between device vendors and developers become obsolete: the full potential of TEEs can be leveraged.

We demonstrate practicality and real-world benefits of SANCTUARY by thoroughly evaluating our prototype on a HiKey 960 development board with microbenchmarks and a use case for one-time password generation in two-factor authentication.

View More Papers

Mind Your Own Business: A Longitudinal Study of Threats...

Platon Kotzias (IMDEA Software Institute, Universidad Politécnica de Madrid), Leyla Bilge (Symantec Research Labs), Pierre-Antoine Vervier (Symantec Research Labs), Juan Caballero (IMDEA Software Institute)

Read More

Constructing an Adversary Solver for Equihash

Xiaofei Bai (School of Computer Science, Fudan University), Jian Gao (School of Computer Science, Fudan University), Chenglong Hu (School of Computer Science, Fudan University), Liang Zhang (School of Computer Science, Fudan University)

Read More

CRCount: Pointer Invalidation with Reference Counting to Mitigate Use-after-free...

Jangseop Shin (Seoul National University and Inter-University Semiconductor Research Center), Donghyun Kwon (Seoul National University and Inter-University Semiconductor Research Center), Jiwon Seo (Seoul National University and Inter-University Semiconductor Research Center), Yeongpil Cho (Soongsil University), Yunheung Paek (Seoul National University and Inter-University Semiconductor Research Center)

Read More

RFDIDS: Radio Frequency-based Distributed Intrusion Detection System for the...

Tohid Shekari (ECE, Georgia Tech), Christian Bayens (ECE, Georgia Tech), Morris Cohen (ECE, Georgia Tech), Lukas Graber (ECE, Georgia Tech), Raheem Beyah (ECE, Georgia Tech)

Read More