微信服务号

微信订阅号

2025年4月14日 21:05 星期一
首页 > 过刊浏览>2023年第34卷第8期 >3637-3658. DOI:10.13328/j.cnki.jos.006612
PDF HTML阅读 XML下载 导出引用 引用提醒
可信执行环境访问控制建模与安全性分析
作者:
作者简介:

苗新亮(1994-),男,博士生,主要研究领域为形式化方法,嵌入式系统安全;常瑞(1981-),女,博士,副教授,博士生导师,CCF高级会员,主要研究领域为嵌入式系统安全,形式化分析与验证;潘少平(1994-),男,硕士生,CCF学生会员,主要研究领域为形式化方法,可信执行环境;赵永望(1979-),男,博士,教授,博士生导师,CCF杰出会员,主要研究领域为形式化方法,操作系统与安全,安全认证;蒋烈辉(1967-),男,博士,教授,博士生导师,主要研究领域为计算机体系结构,逆向工程与安全.

通讯作者:

常瑞,E-mail:crix1021@zju.edu.cn

中图分类号:

TP311

基金项目:

国家自然科学基金(61872016,62132014)


Modeling and Security Analysis of Access Control in Trusted Execution Environment
Author:
  • 摘要
    • | |
  • 访问统计
    • |
  • 参考文献 [64]
    • |
  • 相似文献
    • | | |
  • 文章评论
    摘要:

    可信执行环境(TEE)的安全问题一直受到国内外学者的关注. 利用内存标签技术可以在可信执行环境中实现更细粒度的内存隔离和访问控制机制, 但已有方案往往依赖于测试或者经验分析表明其有效性, 缺乏严格的正确性和安全性保证. 针对内存标签实现的访问控制提出通用的形式化模型框架, 并提出一种基于模型检测的访问控制安全性分析方法. 首先, 利用形式化方法构建基于内存标签的可信执行环境访问控制通用模型框架, 给出访问控制实体的形式化定义, 定义的规则包括访问控制规则和标签更新规则; 然后利用形式化语言B以递增的方式设计并实现该框架的抽象机模型, 通过不变式约束形式化描述模型的基本性质; 再次以可信执行环境的一个具体实现TIMBER-V为应用实例, 通过实例化抽象机模型构建TIMBER-V访问控制模型, 添加安全性质规约并运用模型检测验证模型的功能正确性和安全性; 最后模拟具体攻击场景并实现攻击检测, 评估结果表明提出的安全性分析方法的有效性.

    Abstract:

    The security of the trusted execution environment (TEE) has been concerned by Chinese and foreign researchers. Memory tag technology utilized in TEE helps to achieve finer-grained memory isolation and access control mechanisms. Nevertheless, prior works often rely on testing or empirical analysis to show their effectiveness, which fails to strongly guarantee the functional correctness and security properties. This study proposes a general formal model framework for memory tag-based access control and introduces a security analysis method in access control based on model checking. First, a general model framework for the access control model of TEE based on memory tag is constructed through a formal method, and those access control entities are formally defined. The defined rules include access control rules and tag update rules. Then abstract machines under the framework are incrementally designed and implemented with formal language B. In addition, the basic properties of the machines are formalized through invariant constraints. Next, a TEE implementation called TIMBER-V is used as an application case. The TIMBER-V access control model is constructed by instantiating these abstract machines, and the security properties are formally specified. Furthermore, the functional correctness and security of the models are verified based on model checking. Finally, this study simulates the specific attack scenarios, and these attacks are successfully detected. The evaluation results have proved the effectiveness of the security analysis method.

    参考文献
    [1] ARMs TrustZone. 2021. https://developer.arm.com/ip-products/security-ip/trustzone
    [2] McKeen F, Alexandrovich I, Berenzon A, Rozas CV, Shafi H, Shanbhogue V, Savagaonkar UR. Innovative instructions and software model for isolated execution. In: Proc. of the 2nd Int’l Workshop on Hardware and Architectural Support for Security and PrivacyHasp@ isca. Tel-Aviv: ACM, 2013. 10.
    [3] Kaplan D, Powell J, Woller T. AMD memory encryption. White Paper, 2016. https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
    [4] Weiser S, Werner M, Brasser F, Malenko M, Mangard S, Sadeghi A-R. TIMBER-V: Tag-isolated memory bringing fine-grained enclaves to RISC-V. In: Proc. of the 26th Annual Network and Distributed System Security Symp. San Diego: NDSS, 2019.
    [5] Costan V, Lebedev I, Devadas S. Sanctum: Minimal hardware extensions for strong software isolation. In: Proc. of the 25th USENIX Conf. on Security Symp. Austin: USENIX Association (USENIX Security 16), 2016. 857–874.
    [6] Brasser F, Gens D, Jauernig P, Sadeghi AR, Stapf E. SANCTUARY: Arming trustzone with user-space enclaves. In: Proc. of the 26th Annual Network and Distributed System Security Symp. San Diego: NDSS, 2019.
    [7] Lee D, Kohlbrenner D, Shinde S, Asanović K, Song D. Keystone: An open framework for architecting trusted execution environments. In: Proc. of the 15th European Conf. on Computer Systems. Heraklion: ACM, 2020. 1–1638.
    [8] McGillion B, Dettenborn T, Nyman T, Asokan N. Open-tee–an open virtual trusted execution environment. In: Proc. of the 2015 IEEE Trustcom/BigDataSE/ISPA. Helsinki: IEEE, 2015, 1. 400–407.
    [9] Pirker M, Slamanig D. A framework for privacy-preserving mobile payment on security enhanced arm trustzone platforms. In: Proc. of the 11th IEEE Int’l Conf. on Trust, Security and Privacy in Computing and Communications. Liverpool: IEEE, 2012. 1155–1160.
    [10] Santos N, Raj H, Saroiu S, Wolman A. Using ARM trustzone to build a trusted language runtime for mobile applications. In: Proc. of the 19th Int’l Conf. on Architectural Support for Programming Languages and Operating Systems. Salt Lake City: ACM, 2014. 67–80.
    [11] Zheng XY, Yang LL, Ma JG, Shi G, Meng D. TrustPAY: Trusted mobile payment on security enhanced ARM trustzone platforms. In: Proc. of the 2016 IEEE Symp. on Computers and Communication (ISCC). Messina: IEEE, 2016. 456–462.
    [12] Bianchi A, Fratantonio Y, Machiry A, Krüegel C, Vigna G, Chung SP, Lee W. Broken fingers: On the usage of the fingerprint API in android. In: Proc. of the 25th Annual Network and Distributed System Security Symp. San Diego: NDSS, 2018.
    [13] Lipp M, Gruss D, Spreitzer R, Maurice C, Mangard S. ARMageddon: Cache attacks on mobile devices. In: Proc. of the 25th USENIX Conf. on Security Symp. Austin: USENIX Association (USENIX Security 16), 2016. 549–564.
    [14] 王鹃, 樊成阳, 程越强, 赵波, 韦韬, 严飞, 张焕国, 马婧. SGX技术的分析和研究. 软件学报, 2018, 29(9): 2778-2798. http://www.jos.org.cn/1000-9825/5594.htm
    Wang J, Fan CY, Cheng YQ, Zhao B, Wei T, Yan F, Zhang HG, Ma J. Analysis and research on SGX technology. Ruan Jian Xue Bao/Journal of Software, 2018, 29(9): 2778–2798 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5594.htm
    [15] Ryan K. Hardware-backed heist: Extracting ECDSA keys from qualcomm’s TrustZone. In: Proc. of the 2019 ACM SIGSAC Conf. on Computer and Communications Security. London: ACM, 2019. 181–194.
    [16] Lee D, Jung D, Fang IT, Tsai CC, Popa RA. An off-chip attack on hardware enclaves via the memory bus. In: Proc. of the 29th USENIX Conf. on Security Symp. USENIX Association (USENIX Security 20), 2020. 28.
    [17] Cloosters T, Rodler M, Davi L. TEEREX: discovery and exploitation of memory corruption vulnerabilities in SGX enclaves. In: Proc. of the 29th USENIX Conf. on Security Symp. USENIX Association (USENIX Security 20), 2020. 841–858.
    [18] Cerdeira D, Santos N, Fonseca P, Pinto S. SoK: Understanding the prevailing security vulnerabilities in TrustZone-assisted TEE systems. In: Proc. of the 2020 IEEE Symp. on Security and Privacy (SP). San Francisco: IEEE, 2020. 1416–1432.
    [19] Cho Y, Shin J, Kwon D, Ham M, Kim Y, Paek Y. Hardware-assisted on-demand hypervisor activation for efficient security critical code execution on mobile devices. In: Proc. of the 2016 USENIX Conf. on Usenix Annual Technical Conf. Denver: USENIX Association (USENIX ATC 16), 2016. 565–578.
    [20] Jang J, Choi C, Lee J, Kwak N, Lee S, Choi Y, Kang BB. PrivateZone: Providing a private execution environment using ARM trustzone. IEEE Trans. on Dependable and Secure Computing. IEEE, 2016, 15(5): 797–810.
    [21] Hua ZC, Gu JY, Xia YB, Chen HB, Zang BY, Guan HB. vTZ: Virtualizing ARM trustzone. In: Proc. of the 26th USENIX Conf. on Security Symp. (USENIX Security 17), Vancouver: USENIX Association, 2017. 541–556.
    [22] Li WH, Xia YB, Lu L, Chen HB, Zang BY. TEEv: Virtualizing trusted execution environments on mobile platforms. In: Proc. of the 15th ACM SIGPLAN/SIGOPS Int’l Conf. on Virtual Execution Environments. Providence: ACM, 2019. 2–16.
    [23] Kwon D, Seo J, Cho Y, Lee B, Paek Y. PrOS: Light-weight privatized Se cure OSes in ARM TrustZone. IEEE Trans. on Mobile Computing, 2019, 19(6): 1434–1447.
    [24] Kaplan D. Protecting vm register state with sev-es. White Paper, 2017. https://www.amd.com/system/files/TechDocs/Protecting%20VM%20Register%20State%20with%20SEV-ES.pdf
    [25] SEV-SNP A. Strengthening vm isolation with integrity protection and more. White Paper, 2020. https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
    [26] Feng EH, Lu X, Du D, Yang BC, Jiang XQ, Xia YB, Zang BY, Chen HB. Scalable memory protection in the penglai enclave. In: Proc. of the 15th USENIX Symp. on Operating Systems Design and Implementation (OSDI 21). OSDI, 2021. 275–294.
    [27] Joffrey G. Attacking the ARM’s TrustZone. 2021. https://blog.quarkslab.com/attacking-the-arms-trustzone.html
    [28] Brandon A, Trimarchi M. Trusted display and input using screen overlays. In: Proc. of the 2017 Int’l Conf. on ReConFigurable Computing and FPGAs (ReConFig). Cancun: IEEE, 2017. 1–6.
    [29] Suciu D, McLaughlin S, Simon L, Sion R. Horizontal privilege escalation in trusted applications. In: Proc. of the 29th USENIX Conf. on Security Symp. USENIX Association (USENIX Security 20), 2020. 47.
    [30] Wing JM. A specifier’s introduction to formal methods. Computer. IEEE, 1990, 23(9): 8–22. [doi: 10.1109/2.58215]
    [31] Dhawan U, Hritcu C, Rubin R, Vasilakis N, Chiricescu S, Smith JM, Knight Jr TF, Pierce BC, DeHon A. Architectural support for software-defined metadata processing. In: Proc. of the 20th Int’l Conf. on Architectural Support for Programming Languages and Operating Systems. Istanbul: ACM, 2015. 487–502.
    [32] Suh GE, Lee JW, Zhang D, Devadas S. Secure program execution via dynamic information flow tracking. ACM Sigplan Notices, 2004, 39(11): 85–96. [doi: 10.1145/1037187.1024404]
    [33] Dalton M, Kannan H, Kozyrakis C. Raksha: A flexible information flow architecture for software security. ACM SIGARCH Computer Architecture News, 2007, 35(2): 482–493. [doi: 10.1145/1273440.1250722]
    [34] Song CY, Moon H, Alam M, Yun I, Lee B, Kim T, Lee W, Paek Y. HDFI: Hardware-assisted data-flow isolation. In: Proc. of the 2016 IEEE Symp. on Security and Privacy (SP). San Jose: IEEE, 2016. 1–17.
    [35] Witchel E, Cates J, Asanović K. Mondrian memory protection. In: Proc. of the 10th Int’l Conf. on Architectural Support for Programming Languages and Operating Systems. ACM, 2002. 304–316.
    [36] Xia HY, Woodruff J, Barral H, Esswood L, Joannou A, Kovacsics R, Chisnall D, Roe M, Davis B, Napierala E, Baldwin J, Gudka K, Neumann PG, Richardson A, Moore SW, Watson RNM. CheriRTOS: A capability model for embedded devices. In: Proc. of the 36th IEEE Int’l Conf. on Computer Design (ICCD). Orlando: IEEE, 2018. 92–99.
    [37] Markettos AT, Baldwin J, Bukin R, Neumann PG, Moore SW, Watson RNM. Position paper: Defending direct memory access with CHERI capabilities. In: Proc. of the 2020 Hardware and Architectural Support for Security and Privacy. ACM, 2020. 7.
    [38] Zeldovich N, Kannan H, Dalton M, Kozyrakis C. Hardware enforcement of application security policies using tagged memory. In: Proc. of the 8th USENIX Conf. on Operating Systems Design and Implementation. San Diego: USENIX Association. 2008, 8. 225–240.
    [39] Hughes G, Bultan T. Automated verification of access control policies using a sat solver. Int’l Journal on Software Tools for Technology Transfer. Springer, 2008, 10(6): 503–520. [doi: 10.1007/s10009-008-0087-9]
    [40] Wu XG, Wen YJ, Chen LQ, Dong W, Wang J. Data race detection for interrupt-driven programs via bounded model checking. In: Proc. of the 7th IEEE Int’l Conf. on Software Security and Reliability Companion. Gaithersburg: IEEE, 2013. 204–210.
    [41] 王博, 白晓颖, 贺飞, Song XY. 可组合嵌入式软件建模与验证技术研究综述. 软件学报, 2014, 25(2): 234-253. http://www.jos.org.cn/1000-9825/4533.htm
    Wang B, Bai XY, He F, Song XY. Survey on modeling and verification techniques of composable embedded software. Ruan Jian Xue Bao/Journal of Software, 2014, 25(2): 234–253 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/4533.htm
    [42] Xu FW, Fu M, Feng XY, Zhang XR, Zhang H, Li ZH. A practical verification framework for preemptive os kernels. In: Proc. of the 28th Int’l Conf. on Computer Aided Verification. Toronto: Springer, 2016. 59–79.
    [43] Abomhara M, Yang HH, Køien GM, Lazreg MB. Work-based access control model for cooperative healthcare environments: Formal specification and verification. Journal of Healthcare Informatics Research. Springer, 2017, 1(1): 19–51. [doi: 10.1007/s41666-017-0004-7]
    [44] 张业迪, 宋富. 异构多智能体系统模型检查. 软件学报, 2018, 29(6): 1582-1594. http://www.jos.org.cn/1000-9825/5462.htm
    Zhang YD, Song F. Model-checking for heterogeneous multi-agent systems. Ruan Jian Xue Bao/Journal of Software, 2018, 29(6): 1582–1594 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5462.htm
    [45] Rivera V. Formal verification of access control model for my health record system. In: Proc. of the 25th Int’l Conf. on Engineering of Complex Computer Systems (ICECCS). Singapore: IEEE, 2020. 21–30.
    [46] 袁春阳, 贺也平, 周洲仪, 贺也平, 何建波, 周洲仪. 具有冲突约束的RBAC模型的形式化规范与证明. 计算机研究与发展, 2006, 43(z2S2): 498-508.
    Yuan CY, He YP, He JB, Zhou ZY. Formal specification and proof of the RBAC model with constraints of conflicts. Journal of Computer Research and Development, 2006, 43(z2S2): 498–508 (in Chinese with English abstract).
    [47] 程亮, 张阳. 基于UML和模型检测的安全模型验证方法. 计算机学报, 2009, 32(4): 699–708. [doi: 10.3724/SP.J.1016.2009.00699].
    Cheng L, Zhang Y. A verification method of security model based on uml and model checking. Chinese Journal of Computers, 2009, 32(4): 699–708 (in Chinese with English abstracts). [doi: 10.3724/SP.J.1016.2009.00699]
    [48] Zahoor E, Asma Z, Perrin O. A formal approach for the verification of AWS IAM access control policies. In: Proc. of the 6th European Conf. on Service-oriented and Cloud Computing. Oslo: Springer, 2017. 59–74.
    [49] Lu JF, Li RX, Lu ZD, Li B. Integrating trust and role for secure interoperation in multi-domain environment. In: Proc. of the 2008 Int’l Conf. on Information Security and Assurance (ISA 2008). Busan: IEEE, 2008. 77–82.
    [50] Tang Z, Zhang SH, Li KL, Feng BM. Security analysis and validation for access control in multi-domain environment based on risk. In: Proc. of the 6th Int’l Conf. on Information Security Practice and Experience. Seoul: Springer, 2010. 201–216.
    [51] Gouglidis A, Mavridis I, Hu VC. Verification of secure inter-operation properties in multi-domain RBAC systems. In: Proc. of the 7th IEEE Int’l Conf. on Software Security and Reliability Companion. Gaithersburg: IEEE, 2013. 35–44.
    [52] Nazerian F, Motameni H, Nematzadeh H. Secure access control in multidomain environments and formal analysis of model specifications. Turkish Journal of Electrical Engineering & and Computer Sciences. The Scientific and Technological Research Council of Turkey, 2018, 26(5): 2525–2540. [doi: 10.3906/elk-1802-55]
    [53] 曹进, 李培峰, 朱巧明, 钱培德. 基于安全标签的多域安全访问控制模型. 计算机应用与软件, 2015, 32(1): 297-302. [doi: 10.3969/j.issn.1000-386x.2015.01.075].
    Cao J, Li PF, Zhu QM, Qian PD. SECURITY tag-based multi-domain secure access control model. Computer Applications and Software, 2015, 32(1): 297–302 (in Chinese with English abstract). [doi: 10.3969/j.issn.1000-386x.2015.01.075]ss
    [54] Unal D, Çağlayan Çaglayan MU. A formal role-based access control model for security policies in multi-domain mobile networks. Computer Networks. Elsevier, 2013, 57(1): 330–350. [doi: 10.1016/j.comnet.2012.09.018]
    [55] Unal D, Akar O, Caglayan MU. Model checking of location and mobility related security policy specifications in ambient calculus. In: Proc. of the 5th Int’l Conf. on Mathematical Methods, Models, and Architectures for Computer Network Security. St. Petersburg: Springer, 2010. 155–168.
    [56] Ünal D, Çağlayan MU. Spatiotemporal model checking of location and mobility related security policy specifications. Turkish Journal of Electrical Engineering and& Computer Sciences, The Scientific and Technological Research Council of Turkey, 2013, 21(1): 144–173. [doi: 10.3906/elk-1105-54]
    [57] Alam Q, Malik SUR, Akhunzada A, Choo K-KR, Tabbasum S, Alam M. A cross tenant access control (CTAC) model for cloud computing: formal specification and verification. IEEE Trans. on Information Forensics and Security, 2016, 12(6): 1259–1268.
    [58] Ren L, Chang R, Yin Q, Wang W. Using the B method to formalize access control mechanism with TrustZone hardware isolation (short paper). In: Proc. of the 13th Int’l Conf. on Information Security Practice and Experience. Melbourne: Springer, 2017. 759–769.
    相似文献
    引证文献
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

苗新亮,常瑞,潘少平,赵永望,蒋烈辉.可信执行环境访问控制建模与安全性分析.软件学报,2023,34(8):3637-3658

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2021-08-30
  • 最后修改日期:2021-10-14
  • 在线发布日期: 2022-01-28
  • 出版日期: 2023-08-06
文章二维码
友情链接:中国科学院软件研究所中国计算机学会中国科学院国家自然科学基金委员会CCF数字图书馆Int'l J of Softw Info计算机系统应用
您是第19824710位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号