Utilizing Hypervisor to Enhance TrustZone's Introspection Capabilities on Non-Secure World
Authors: Zhang Zhangkai (章张锴), Li Zhoujun (李舟军), Xia Chunhe (夏春和), Ma Jinxin (马金鑫), Cui Jinhua (崔津华)
Author biographies:

Zhang Zhangkai (章张锴) (1989-), male, born in Shaoxing, Zhejiang; PhD candidate; CCF student member; research interests: virtualization security, system security, mobile security. Ma Jinxin (马金鑫) (1986-), male; PhD; associate research fellow; research interests: software security, program analysis. Li Zhoujun (李舟军) (1963-), male; PhD; professor; PhD supervisor; CCF senior member; research interests: network and information security, data mining, intelligent information processing. Cui Jinhua (崔津华) (1990-), male; assistant engineer; research interests: system security, virtualization security. Xia Chunhe (夏春和) (1965-), male; PhD; professor; PhD supervisor; CCF senior member; research interests: network and information security, information countermeasures, cloud security, network policy.

Corresponding author:

Li Zhoujun (李舟军), E-mail: lizj@buaa.edu.cn

Funding:

National Key Research and Development Program of China (2016QY04W0802); National High-Tech R&D Program of China (863) (2015AA016004); National Natural Science Foundation of China (61370126, 61672081, 61502536, U1636208)



Abstract (translated from the Chinese original):

ARM TrustZone technology is widely deployed on Android phone platforms. It partitions the hardware resources of an Android phone into two worlds: the non-secure world and the secure world. The Android operating system that the user runs lives in the non-secure world, while TrustZone-based systems that introspect the non-secure world (e.g., KNOX, Hypervision) run in the secure world. These introspection systems hold high privilege: they can dynamically check the integrity of the Android kernel, and they can manage the non-secure world's memory in place of the Android kernel. However, because TrustZone and the introspected Android system reside in different worlds, the resulting world gap means that an introspection system in the secure world cannot fully monitor the resources of the non-secure world (e.g., the cache). TrustZone's weak interception capability and weak memory access control capability further diminish its ability to introspect the non-secure world. This paper proposes an extensible framework, HTrustZone, which combines a Hypervisor with TrustZone to help it resist attacks that exploit the world gap and to strengthen its interception and memory access control capabilities, thereby providing stronger security guarantees for the operating system in the non-secure world. A prototype of HTrustZone was implemented on the Raspberry Pi 2 development board; experimental results show that the performance overhead introduced by HTrustZone is only about 3%.

Abstract (authors' English version):

Widely used on Android phones, ARM TrustZone technology divides the hardware resources of Android phones into two worlds: the non-secure world and the secure world. The Android operating system used by the user runs in the non-secure world, while the TrustZone-based introspection systems for the non-secure world (e.g., KNOX, Hypervision) run in the secure world. These introspection systems have high privilege: they can dynamically check Android kernel integrity and perform memory management of the non-secure world instead of the Android kernel. However, TrustZone cannot completely introspect the hardware resources (e.g., the cache) of the non-secure world because of the world gap (the introspection system and the Android system are in different worlds). TrustZone's inferior interception capabilities and memory access control capabilities make its introspection capabilities weaker still. This article first proposes an extensible framework system, HTrustZone, that utilizes a Hypervisor to extend TrustZone's introspection capabilities, defeating world gap attacks and strengthening its interception and memory access control capabilities. HTrustZone helps TrustZone make great progress on system introspection and gives more security protection to the operating system in the non-secure world. HTrustZone is implemented on the Raspberry Pi 2 development board, and the experimental results show that its overhead is about 3%.

Cite this article:

Zhang ZK, Li ZJ, Xia CH, Ma JX, Cui JH. Utilizing Hypervisor to enhance TrustZone's introspection capabilities on non-secure world. Ruan Jian Xue Bao/Journal of Software (软件学报), 2018, 29(8): 2511-2526 (in Chinese).

Article history:
  • Received: 2017-07-01
  • Revised: 2017-08-29
  • Accepted: 2017-11-21
  • Published online: 2018-01-09
Copyright: Institute of Software, Chinese Academy of Sciences (京ICP备05046678号-3)