微信服务号

微信订阅号

2025年3月24日 16:41 星期一
首页 > 过刊浏览>2022年第33卷第6期 >2189-2207. DOI:10.13328/j.cnki.jos.006577
PDF HTML阅读 XML下载 导出引用 引用提醒
基于精化的可信执行环境内存隔离机制验证
作者:
作者简介:

靳翠珍(1992-),女,硕士生,CCF学生会员,主要研究领域为形式化验证,系统安全;王国辉(1984-),男,博士,高级实验师,CCF专业会员,主要研究领域为形式化验证,高可靠嵌入式系统;张倩颖(1986-),女,博士,副教授,CCF专业会员,主要研究领域为形式化验证,系统安全,操作系统;施智平(1974-),男,博士,教授,博士生导师,CCF高级会员,主要研究领域为形式化验证,视觉信息处理;马雨薇(1995-),女,硕士,主要研究领域为形式化验证,系统安全;关永(1966-),男,博士,教授,博士生导师,CCF专业会员,主要研究领域为形式化验证,高可靠嵌入式系统;李希萌(1987-),男,博士,讲师,CCF专业会员,主要研究领域为形式化验证,区块链系统可靠性,信息流安全

通讯作者:

张倩颖,E-mail:qyzhang@cnu.edu.cn

中图分类号:

TP311

基金项目:

国家自然科学基金(61802375,61602325,61876111,61877040,62002246);北京市教委科技计划(KM201910028005,KM202010028010);中国科学院计算技术研究所计算机体系结构国家重点实验室开放课题(CARCH201920);中央支持地方建设-“双一流”建设项目(20531120005)


Refinement-based Verification of Memory Isolation Mechanism for Trusted Execution Environment
Author:
  • 摘要
    • | |
  • 访问统计
    • |
  • 参考文献 [33]
    • |
  • 相似文献 [20]
    • |
  • 引证文献
    • | |
  • 文章评论
    摘要:

    可信执行环境(trusted execution environment,TEE)基于硬件隔离机制,为安全敏感应用提供隔离的执行环境,保护敏感数据的安全性.内存隔离机制是TEE的关键机制之一,用于对安全内存和非安全内存进行隔离,并对安全内存实施访问控制,如果其安全性不能保证,可能造成存储在安全内存中的敏感数据泄露.为验证TEE内存隔离机制的安全性,针对基于ARM TrustZone技术构建的TEE,提出一种基于精化的可信执行环境内存隔离机制安全性验证方法.建立抽象模型和具体模型,并定义两种模型之间的精化关系,在证明精化关系成立和抽象模型满足信息流安全性的前提下,验证具体模型的信息流安全性.具体模型建模了TEE内存隔离机制的关键硬件和软件,包括TrustZone地址空间控制器、MMU和TrustZone monitor等,在定理证明器Isabelle/HOL中,验证了该模型满足无干扰、无泄露、无影响等信息流安全属性.

    Abstract:

    A trusted execution environment (TEE) provides security-sensitive applications with an isolated execution environment based on hardware isolation mechanisms to protect sensitive data. The memory isolation mechanism is one of the key mechanisms of TEE, which is used to isolate the secure memory from the non-secure memory and to control the access to the secure memory. If the security of the memory isolation mechanism can not be guaranteed, sensitive data stored in the secure memory may be leaked. To verify the security of the TEE memory isolation mechanism, a refinement-based security verification method of the memory isolation mechanism is propose for ARM TrustZone-based TEE. An abstract model and a concrete model are established, a refinement relation between these two models is defined, and the information flow security of the concrete model is verified on the premise of proving that the refinement relation is held and the abstract model satisfies the information flow security properties. The proposed concrete model consists of key hardware and software of the TEE memory isolation mechanism, including TrustZone address space controller, MMU, and TrustZone monitor, and using the theorem prover Isabelle/HOL, it is verified that the concrete model satisfies the information flow security properties, such as noninterference, nonleakage, and noninfluence.

    参考文献
    [1] Sabt M, Achemlal M, Bouabdallah A. Trusted execution environment:What it is, and what it is not. In:Proc. of the 14th IEEE Int'l Conf. on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, 2015. 57-64.[doi:10.1109/Trustcom. 2015.357]
    [2] Pinto S, Santos N. Demystifying ARM TrustZone:A comprehensive survey. ACM Computing Surveys (CSUR), 2019, 51(6):1-36.[doi:10.1145/3291047]
    [3] Costan V, Devadas S. Intel SGX explained. IACR Cryptology. ePrint Archive, 2016, 2016(86):1-118.
    [4] Göttel C, Pires R, Rocha I, Vaucher S, Felber P, Pasin M, Schiavoni V. Security, performance and energy trade-offs of hardware-assisted memory protection mechanisms. In:Proc. of the 37th IEEE Symp. on Reliable Distributed Systems (SRDS). IEEE, 2018. 133-142.[doi:10.1109/SRDS.2018.00024]
    [5] Guanciale R, Nemati H, Dam M, Baumann C. Provably secure memory isolation for Linux on ARM. Journal of Computer Security, 2016, 24(6):793-837.[doi:10.3233/JCS-160558]
    [6] Li SW, Li X, Gu R, Nieh J, Hui JZ. A secure and formally verified Linux KVM hypervisor. In:Proc. of the 42th IEEE Symp. on Security and Privacy (S&P). IEEE, 2021. 1782-1799.[doi:10.1109/SP40001.2021.00049]
    [7] Ma YW, Zhang QY, Zhao SJ, Wang GH, Li XM, Shi ZP. Formal verification of memory isolation for the TrustZone-based TEE. In:Proc. of the 27th Asia-Pacific Software Engineering Conf.(APSEC). IEEE, 2020. 149-158.[doi:10.1109/APSEC51365.2020. 00023]
    [8] Klein G, Andronick J, Elphinstone K, Murray T, Sewell T, Kolanski R, Heiser G. Comprehensive formal verification of an OS microkernel. ACM Trans. on Computer Systems (TOCS), 2014, 32(1):1-70.[doi:10.1145/2560537]
    [9] Gu R, Shao Z, Chen H, Wu X, Kim J, Sjoberg V, David C. CertiKOS:An extensible architecture for building certified concurrent OS kernels. In:Proc. of the 12th USENIX Symp. on Operating Systems Design and Implementation (OSDI). Savannah:USENIX Association, 2016. 653-669.
    [10] Jomaa N, Nowak D, Grimaud G, Hym S. Formal proof of dynamic memory isolation based on MMU. Science of Computer Programming, 2018, 162(34):76-92.
    [11] Costanzo D, Shao Z, Gu R. End-to-end verification of information-flow security for C and assembly programs. In:Proc. of the 37th ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI). Santa Barbara:ACM, 2016. 648-664.[doi:10.1145/2980983.2908100]
    [12] ARM Ltd. ARM architecture reference manual, ARMv8, for ARMv8-A architecture profile. 2019.
    [13] Ning ZY, Zhang FW. Ninja:Towards transparent tracing and debugging on ARM. In:Proc. of the 26th USENIX Security Symp.(USENIX Security 2017). Vancouver:USENIX Association, 2017. 33-49.
    [14] Ngabonziza B, Martin D, Bailey A, Cho H, Martin S. TrustZone explained:Architectural features and use cases. In:Proc. of the 2nd IEEE Int'l Conf. on Collaboration and Internet Computing (CIC). IEEE, 2016. 445-451.[doi:10.1109/CIC.2016.065]
    [15] Bhattacharjee A. Large-reach memory management unit caches. In:Proc. of the 46th Annual IEEE/ACM Int'l Symp. on Microarchitecture (MICRO). New York:ACM, 2013. 383-394.[doi:10.1145/2540708.2540741]
    [16] Wirth N. Program development by stepwise refinement. Communications of the ACM, 1971, 14(4):221-227.[doi:10.1145/362575. 362577]
    [17] Back R. A calculus of refinements for program derivations. Acta Informatica, 1988, 25(6):593-624.[doi:10.1007/BF00291051]
    [18] Lynch N, Vaandrager F. Forward and backward simulations. Information and Computation, 1995, 121(2):214-233.[doi:10.1006/inco.1995.1134]
    [19] Zhao Y, Yang ZB, Ma DF. A survey on formal specification and verification of separation kernels. Frontiers of Computer Science, 2017, 11(4):585-607.[doi:10.1007/s11704-016-4226-2]
    [20] Nelson L, Bornholt J, Krishnamurthy A, Torlak E, Wang X. Noninterference specifications for secure systems. ACM SIGOPS Operating Systems Review, 2020, 54(1):31-39.[doi:10.1145/3421473.3421478]
    [21] Ma YW. Formal verification of memory isolation for the TrustZone-based TEE[MS. Thesis]. Beijing:Capital Normal University, 2021(in Chinese with English abstract).
    [22] Nipkow T. Programming and proving in Isabelle/HOL. Technical Report, University of Cambridge, 2013.
    [23] Von Oheimb D. Information flow control revisited:Noninfluence=noninterference+nonleakage. In:Proc. of the 9th European Symp. on Research in Computer Security (ESORICS). Berlin:Springer, 2004. 225-243.[doi:10.1007/978-3-540-30108-0_14]
    [24] Mantel H. Unwinding possibilistic security properties. In:Proc. of the 6th European Symp. on Research in Computer Security. Berlin:Springer, 2000. 238-254.[doi:10.1007/10722599_15]
    [25] Zhao YW, Sanán D, Zhang FY, Liu Y. Refinement-based specification and security analysis of separation kernels. IEEE Trans. on Dependable and Secure Computing (TDSC), 2017, 16(1):127-141.[doi:10.1109/TDSC.2017.2672983]
    [26] Sinha R, Rajamani S, Seshia S, Vaswani K. Moat:Verifying confidentiality of enclave programs. In:Proc. of the 22nd ACM SIGSAC Conf. on Computer and Communications Security (CCS). Denver:ACM, 2015. 1169-1184.[doi:10.1145/2810103. 2813608]
    [27] Subramanyan P, Sinha R, Lebedev I, Devadas S, Seshia SA. A formal foundation for secure remote execution of enclaves. In:Proc. of the 24th ACM SIGSAC Conf. on Computer and Communications Security (CCS). Dallas:ACM, 2017. 2435-2450.[doi:10. 1145/3133956.3134098]
    [28] Shinde S, Wang S, Yuan P. BesFS:A POSIX filesystem for enclaves with a mechanized safety proof. In:Proc. of the 29th USENIX Security Symp.(USENIX Security 2020). Savannah:USENIX Association, 2020. 523-540.
    [29] Ferraiuolo A, Xu R, Zhang D, Myers AC, Suh GE. Verification of a practical hardware security architecture through static information flow analysis. In:Proc. of the 22nd Int'l Conf. on Architectural Support for Programming Languages and Operating Systems (ASPLOS). Xi'an:ACM, 2017. 555-568.[doi:10.1145/3037697.3037739]
    [30] Murray T, Matichuk D, Brassil M, Gammie P, Bourke T, Seefried S, Lewis C, Xin G, Klein G. seL4:From general purpose to a proof of information flow enforcement. In:Proc. of the 34th IEEE Symp. on Security and Privacy (S&P). IEEE, 2013. 415-429.[doi:10.1109/SP.2013.35]
    [31] Klein G, Norrish M, Sewell T, Tuch H, Winwood S, Elphinstone K, Heiser G, Andronick J, Cock D, Derrin P, Elkaduwe D, Engelhardt K, Kolanski R. seL4:Formal verification of an OS kernel. In:Proc. of the 22nd ACM SIGOPS Symp. on Operating Systems Principles (SOSP). Montana:ACM, 2009. 207-220.[doi:10.1145/1629575.1629596]
    [32] Sigurbjarnarson H, Nelson L, Castro-Karney B, Bornholt J, Torlak E, Wang X. Nickel:A framework for design and verification of information flow control systems. In:Proc. of the 13th USENIX Symp. on Operating Systems Design and Implementation (OSDI). Carlsbad:USENIX Association, 2018. 287-305.
    附中文参考文献:
    [21] 马雨薇.可信执行环境内存隔离机制的形式化验证[硕士学位论文].北京:首都师范大学, 2021.
    引证文献
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

靳翠珍,张倩颖,马雨薇,李希萌,王国辉,施智平,关永.基于精化的可信执行环境内存隔离机制验证.软件学报,2022,33(6):2189-2207

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2021-09-04
  • 最后修改日期:2021-10-14
  • 在线发布日期: 2022-01-28
  • 出版日期: 2022-06-06
文章二维码
友情链接:中国科学院软件研究所中国计算机学会中国科学院国家自然科学基金委员会CCF数字图书馆Int'l J of Softw Info计算机系统应用
您是第19728364位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号