sanctuary: arming trustzone with user-space enclaves · with user-space enclaves. research problem...

Ferdinand Brasser, David Gens, Patrick Jauernig, Ahmad-Reza Sadeghi, Emmanuel Stapf Technische Universität Darmstadt

Sanctuary: ARMing TrustZonewith User-space Enclaves

Research Problem

How can we construct an ecosystem of mutually distrusted enclaves on mobile

devices?

Trusted Untrusted Compromised

Commodity OS

App

Operating System

AppSensitive

App

Trusted Untrusted Compromised

Commodity OS

App

Operating System

AppSensitive

App

• OS large attack surface

• Insufficient sensitive app protection

Trusted Untrusted Compromised

Commodity OS

App

Operating System

AppSensitive

App

• OS large attack surface

• Insufficient sensitive app protection

App

Operating System

SensitiveApp

Trusted Untrusted Compromised

Commodity OS

App

Operating System

AppSensitive

App

ARM TrustZone

• OS large attack surface

• Insufficient sensitive app protection

App

Operating System

SensitiveApp

Trusted Untrusted Compromised

Commodity OS

App

Operating System

AppSensitive

App

ARM TrustZone

Normal World Secure World

• OS large attack surface

• Insufficient sensitive app protection

App

Operating System

SensitiveApp

Trusted Untrusted Compromised

Commodity OS

App

Operating System

AppSensitive

App

ARM TrustZone

Normal World Secure World

App App

OS

• OS large attack surface

• Insufficient sensitive app protection

App

Operating System

SensitiveApp

Trusted Untrusted Compromised

Commodity OS

App

Operating System

AppSensitive

App

ARM TrustZone

Normal World Secure World

App App

OS Trusted OS

Sensitive App

Sensitive App

• OS large attack surface

• Insufficient sensitive app protection

App

Operating System

SensitiveApp

Trusted Untrusted Compromised

Commodity OS

App

Operating System

AppSensitive

App

ARM TrustZone

Normal World Secure World

Trusted Firmware

App App

OS Trusted OS

Sensitive App

Sensitive App

• OS large attack surface

• Insufficient sensitive app protection

App

Operating System

SensitiveApp

Trusted Untrusted Compromised

ARM TrustZoneThe Solution?

Normal World Secure World

Trusted Firmware

App App

OS Trusted OS

Sensitive App

Sensitive App

Trusted Untrusted Compromised

ARM TrustZoneThe Solution?

Normal World Secure World

Trusted Firmware

App App

OS Trusted OS

Sensitive App

Sensitive App

• Trusted OS still large attack surface

• High costs to protect apps with TrustZone

• Main problem: Single security domain

Trusted Untrusted Compromised

ARM TrustZoneThe Solution?

Normal World Secure World

Trusted Firmware

App App

OS Trusted OS

Sensitive App

Sensitive App

• Trusted OS still large attack surface

• High costs to protect apps with TrustZone

• Main problem: Single security domain

Sensitive App

Sensitive App

Trusted OS

Trusted Untrusted Compromised

ARM TrustZoneThe Solution?

Normal World Secure World

Trusted Firmware

App App

OS Trusted OS

Sensitive App

Sensitive App

SanctuaryMultiple Security Domains

EL0

EL1

EL3

Normal World Secure World

Trusted Firmware

App

OS

VendorCode

Sensitive App

Sensitive App

• Trusted OS still large attack surface

• High costs to protect apps with TrustZone

• Main problem: Single security domain

Sensitive App

Sensitive App

Trusted OS

Trusted Untrusted Compromised

ARM TrustZoneThe Solution?

Normal World Secure World

Trusted Firmware

App App

OS Trusted OS

Sensitive App

Sensitive App

SanctuaryMultiple Security Domains

EL0

EL1

EL3

Normal World Secure World

Trusted Firmware

App

OS

VendorCode

Sensitive App

Sensitive App

• Trusted OS still large attack surface

• High costs to protect apps with TrustZone

• Main problem: Single security domain

Sensitive App

Sensitive App

Trusted OS

Sensitive App

Trusted Untrusted Compromised

ARM TrustZoneThe Solution?

Normal World Secure World

Trusted Firmware

App App

OS Trusted OS

Sensitive App

Sensitive App

SanctuaryMultiple Security Domains

EL0

EL1

EL3

Normal World Secure World

Trusted Firmware

App

OS

VendorCode

Sensitive App

Sensitive App

• Trusted OS still large attack surface

• High costs to protect apps with TrustZone

• Main problem: Single security domain

• Sensitive apps can remain untrusted

• Make TrustZone protection available to third parties

Sensitive App

Sensitive App

Trusted OS

Sensitive App

Trusted Untrusted Compromised

ARM TrustZoneThe Solution?

Normal World Secure World

Trusted Firmware

App App

OS Trusted OS

Sensitive App

Sensitive App

SanctuaryMultiple Security Domains

EL0

EL1

EL3

Normal World Secure World

Trusted Firmware

App

OS

VendorCode

Sensitive App

Sensitive App

• Trusted OS still large attack surface

• High costs to protect apps with TrustZone

• Main problem: Single security domain

• Sensitive apps can remain untrusted

• Make TrustZone protection available to third parties

Sensitive App

Sensitive App

Trusted OS

Sensitive App

Challenges

• No new hardware components• No replacement of existing code bases (e.g. Trusted OS)• Only minor impact on commodity OS

Adversary Model

• Adversary can

• compromise normal-world software at all privilege levels

• run malicious sensitive apps

• Adversary cannot

• compromise TrustZone (trust anchor)

• perform physical attacks

Related Work

Existing Research Proposals

Normal World Secure World

Software ApproachesUtilizing TrustZone

AppApp

App

Sensitive App

Existing Research Proposals

Normal World Secure World

Software ApproachesUtilizing TrustZone

among others,

[Ferraiuolo et al., SOSP 2017]

[Sun et al., DSN 2015]

Improve isolation of sensitive apps without add. HW features

AppApp

App

Sensitive App

Existing Research Proposals

Normal World Secure World

Software ApproachesUtilizing TrustZone

among others,

[Ferraiuolo et al., SOSP 2017]

[Sun et al., DSN 2015]

among others,

[Hua et al., USENIX 2017]

[Cho et al., USENIX 2016]

Improve isolation of sensitive apps without add. HW features

Use virtualization to protect sensitive apps.Use TrustZone as trust anchor

AppApp

App

Sensitive App

Hypervisor

Hypervisor-based IsolationUtilizing TrustZone

AppApp

App

Sensitive App

Existing Research Proposals

Normal World Secure World

Software ApproachesUtilizing TrustZone

Cache

Memory

Architectural Modifications

among others,

[Ferraiuolo et al., SOSP 2017]

[Sun et al., DSN 2015]

among others,

[Hua et al., USENIX 2017]

[Cho et al., USENIX 2016]

among others,

[Costan et al., USENIX 2016]

[Evtyushkin et al., MICRO 2014]

Improve isolation of sensitive apps without add. HW features

Use virtualization to protect sensitive apps.Use TrustZone as trust anchor

Overcome TrustZone’sshortcomings with own HW

AppApp

App

Sensitive App

Hypervisor

Hypervisor-based IsolationUtilizing TrustZone

AppApp

App

Sensitive App

App Sensitive App

Existing Research Proposals - Problems

Replaces existing code base Hypervisor blocked New hardware design

Normal World Secure World

Software ApproachesUtilizing TrustZone

Cache

Memory

Architectural Modifications

AppApp

App

Sensitive App

App Sensitive App

Hypervisor

Hypervisor-based IsolationUtilizing TrustZone

AppApp

App

Sensitive App

Existing Research Proposals - Problems

Replaces existing code base Hypervisor blocked New hardware design

Slows down commodity OS

Additional HW for DMA access control

No support for multi-core environments

OS needs to be suspended

Additional TCB component

Normal World Secure World

Software ApproachesUtilizing TrustZone

Cache

Memory

Architectural Modifications

AppApp

App

Sensitive App

App Sensitive App

Hypervisor

Hypervisor-based IsolationUtilizing TrustZone

AppApp

App

Sensitive App

Low adoption by industry

High deployment costs

Sanctuary provides Multi-Domain Isolation

NW SW

Memory

Core A

NW = Normal WorldSW = Secure World

NW SW

AppApp

App

Security Primitives

Sanctuary provides Multi-Domain Isolation

NW SW

Memory

Core A

NW = Normal WorldSW = Secure World

NW SW

AppApp

App

Security Primitives

Secure world forms our trust anchor

Sanctuary provides Multi-Domain Isolation

NW SW

Memory

Core A

NW = Normal WorldSW = Secure World

NW SW

AppApp

App

Security Primitives

Contains security primitives provided by

the device vendor

Secure world forms our trust anchor

Sanctuary provides Multi-Domain Isolation

NW SW

Memory

Core A

NW = Normal WorldSW = Secure World

NW SW

AppApp

App

Security Primitives

Core B

NW SW

SecurityPrimitives

Core C

NW SW

Security Primitives

Every core can access same security

primitives

Sanctuary provides Multi-Domain Isolation

NW SW

Memory

Core A

NW = Normal WorldSW = Secure World

NW SWNW SW Sanctuary I (Core B)

AppApp

App

Security Primitives

Core B

NW SW

SecurityPrimitives

Core C

NW SW

Security Primitives

Isolate core using TrustZone features

Sanctuary provides Multi-Domain Isolation

NW SW

Memory

Core A

NW = Normal WorldSW = Secure World

NW SWNW SW Sanctuary I (Core B)

AppApp

App

Security Primitives

Core B

NW SW

SecurityPrimitives

Core C

NW SW

Security Primitives

Sensitive App I

Isolate core using TrustZone features

Sanctuary provides Multi-Domain Isolation

NW SW

Memory

Core A

NW = Normal WorldSW = Secure World

NW SWNW SW Sanctuary I (Core B)NW SW Sanctuary I (Core B) Sanctuary II (Core C)

AppApp

App

Security Primitives

Core B

NW SW

SecurityPrimitives

Core C

NW SW

Security Primitives

Sensitive App I

Sensitive App II

Sanctuary provides Multi-Domain Isolation

• Only using TrustZone features.No new HW design

• Vendor can keep existing code in SW

• No heavy influence on commodity OS

NW SW

Memory

Core A

NW = Normal WorldSW = Secure World

NW SWNW SW Sanctuary I (Core B)NW SW Sanctuary I (Core B) Sanctuary II (Core C)

AppApp

App

Security Primitives

Core B

NW SW

SecurityPrimitives

Core C

NW SW

Security Primitives

Sensitive App I

Sensitive App II

Challenges revisited

Technical Details of Sanctuary

Going Beyond TrustZone …

Har

dw

are

RAM

NM SM

Normal World Secure World

NM SM

Memory Controller

Soft

war

eCore A Core B

SM = Secure Mode

NM = Normal Mode

Going Beyond TrustZone …

Har

dw

are

RAM

NM SM

Normal World Secure World

NM SM

NS = 0/1NS = 0/1

Memory Controller

NS = Non-Secure

Soft

war

eCore A Core B

SM = Secure Mode

NM = Normal Mode

Going Beyond TrustZone …

Har

dw

are

RAM

NM SM

Normal World Secure World

NM SM

NS = 0/1NS = 0/1

Memory Controller

NS = Non-Secure

Soft

war

eSW

OS

NW

Trusted Firmware

App

TOS

SA

SW

OS

NW

Trusted Firmware

App

TOS

SA

Core A Core B

SM = Secure Mode

NM = Normal Mode

TOS = Trusted OS

SA = Sensitive App

SW = Secure World

NW = Normal World

Going Beyond TrustZone …

Har

dw

are

RAM

NM SM

Normal World Secure World

NM SM

NS = 0/1NS = 0/1 NSAID = BNSAID = A

Memory Controller

NS = Non-Secure

NSAID = Non-Secure Access ID

Soft

war

eSW

OS

NW

Trusted Firmware

App

TOS

SA

SW

OS

NW

Trusted Firmware

App

TOS

SA

Core A Core B

SM = Secure Mode

NM = Normal Mode

TOS = Trusted OS

SA = Sensitive App

SW = Secure World

NW = Normal World

Going Beyond TrustZone …

Har

dw

are

RAM

NM SM NM SM

NS = 0/1NS = 0/1 NSAID = BNSAID = A

Memory Controller

NW – Core A NW – Core B Secure World

NS = Non-Secure

NSAID = Non-Secure Access ID

Soft

war

eSW

OS

NW

Trusted Firmware

App

TOS

SA

SW

OS

NW

Trusted Firmware

App

TOS

SA

Core A Core B

SM = Secure Mode

NM = Normal Mode

TOS = Trusted OS

SA = Sensitive App

SW = Secure World

NW = Normal World

Going Beyond TrustZone …

Har

dw

are

RAM

NM SM NM SM

NS = 0/1NS = 0/1 NSAID = BNSAID = A

Memory Controller

NW – Core A NW – Core B Secure World

NS = Non-Secure

NSAID = Non-Secure Access ID

Soft

war

eSW

OS

NW

Trusted Firmware

App

SW

OS

NW

Trusted Firmware

App

Core A Core B

SM = Secure Mode

NM = Normal Mode

TOS = Trusted OS

SA = Sensitive App

SW = Secure World

NW = Normal World

Going Beyond TrustZone …

Har

dw

are

RAM

NM SM NM SM

NS = 0/1NS = 0/1 NSAID = BNSAID = A

Memory Controller

NW – Core A NW – Core B Secure World

NS = Non-Secure

NSAID = Non-Secure Access ID

Soft

war

eSW

OS

NW

Trusted Firmware

App

SW

OS

NW

Trusted Firmware

App

Core A Core B

SM = Secure Mode

NM = Normal Mode

TOS = Trusted OS

SA = Sensitive App

SW = Secure World

NW = Normal World

SPSP = Security Primitives

SP

OS

Trusted Firmware

App

OS

Trusted Firmware

App

Sanctuary (Core C)

NM SM NM SM

Memory Controller

NS = 0/1 NSAID = CNS = 0/1 NSAID = BNS = 0/1 NSAID = A

Normal World Sanctuary Secure World

Soft

war

eCore A

NW SWNW SW

Core BH

ard

war

e

Going Beyond TrustZone …

RAM

SP SP

NM SM

OS

Trusted Firmware

App

OS

Trusted Firmware

App

Sanctuary (Core C)

NM SM NM SM

Memory Controller

NS = 0/1 NSAID = CNS = 0/1 NSAID = BNS = 0/1 NSAID = A

Normal World Sanctuary Secure World

Soft

war

eCore A

NW SWNW SW

Core BH

ard

war

e

Going Beyond TrustZone …

RAM

SP SP

Trusted Firmware

NW

Sanct. Library

Sensitive App

SW

SP

NM SM

OS

Trusted Firmware

App

OS

Trusted Firmware

App

Sanctuary (Core C)

NM SM NM SM

Memory Controller

NS = 0/1 NSAID = CNS = 0/1 NSAID = BNS = 0/1 NSAID = A

Normal World Sanctuary Secure World

Soft

war

eCore A

NW SWNW SW

Core BH

ard

war

e

Going Beyond TrustZone …

RAM

SP SP

Trusted Firmware

NW

Sanct. Library

Sensitive App

SW

SP

NM SM

Provides mgmt. functionalities. Not part of system TCB

Evaluation of Sanctuary PoC

Security Considerations

✔ Protection from compromised OSbefore, after and during runtime of sensitive app

✔ Protection from malicious sensitive appsensitive app isolated from OS and other sensitive apps

✔ Protection from cache-side channel attacksflush exclusive caches, exclude sensitive apps from shared caches

Performance Evaluation

Performance Evaluation

Sanctuary Life Cycle

Performance Evaluation

Sanctuary Life Cycle

OSExecution

Performance Evaluation

Sanctuary Life Cycle

OSExecution

Sensitive app execution triggered

Performance Evaluation

Sanctuary Life Cycle

SanctuarySetup

OSExecution

Sensitive app execution triggered

Performance Evaluation

Sanctuary Life Cycle

Sensitive App Execution

SanctuarySetup

OSExecution

Sensitive app execution triggered

Performance Evaluation

Sanctuary Life Cycle

Sensitive App Execution

SanctuarySetup

OSExecution

OS still runs in parallel on other cores

Sensitive app execution triggered

Performance Evaluation

Sanctuary Life Cycle

Sensitive App Execution

SanctuarySetup

SanctuaryTeardown

OSExecution

OS still runs in parallel on other cores

Sensitive app execution triggered

Performance Evaluation

Sanctuary Life Cycle

Sensitive App Execution

SanctuarySetup

SanctuaryTeardown

OSExecution

OSExecution

OS still runs in parallel on other cores

Sensitive app execution triggered

Performance Evaluation

Sanctuary Life Cycle

Sensitive App Execution

SanctuarySetup

SanctuaryTeardown

OSExecution

OSExecution

OS still runs in parallel on other cores

Sensitive app execution triggered

Return core to OS

Performance Evaluation

Sanctuary Life Cycle

Sensitive App Execution

SanctuarySetup

SanctuaryTeardown

OSExecution

OSExecution

OS still runs in parallel on other cores

Sensitive app execution triggered

440 msw/o

shared cache

110 msw/o

shared cache

Return core to OS

Performance Evaluation

Sanctuary Life Cycle

Sensitive App Execution

SanctuarySetup

SanctuaryTeardown

OSExecution

OSExecution

Sensitive app execution triggered

Return core to OS

Provision OTP Key:1.2 s (w/o shared cache)

Display OTP:600 ms (w/o shared cache)

Trusted Firmware

Normal World

Sanctuary Library

Sensitive App

SecureWorld

SecurityPrimitives

Code Modifications

Trusted Firmware

Normal World

Sanctuary Library

Sensitive App

SecureWorld

SecurityPrimitives

Reused OP-TEEModified 530 LOC

Code Modifications

Trusted Firmware

Normal World

Sanctuary Library

Sensitive App

SecureWorld

SecurityPrimitives

Reused OP-TEEModified 530 LOC

Reused ARM-TFmodified 92 LOC

Code Modifications

Trusted Firmware

Normal World

Sanctuary Library

Sensitive App

SecureWorld

SecurityPrimitives

Reused OP-TEEModified 530 LOC

Reused ARM-TFmodified 92 LOC

Used Zircon micro kernel

modified 211 LOC

Code Modifications

Conclusion

• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices

Conclusion

• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices

✔ Sanctuary does not introduce new HW designs

Conclusion

• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices

✔ Sanctuary does not introduce new HW designs

✔ Sanctuary does not replace existing code bases

Conclusion

• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices

✔ Sanctuary does not introduce new HW designs

✔ Sanctuary does not replace existing code bases

✔ Sanctuary does not impact the commodity OS heavily

Conclusion

• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices

✔ Sanctuary does not introduce new HW designs

✔ Sanctuary does not replace existing code bases

✔ Sanctuary does not impact the commodity OS heavily

• Current Work

➢ Implement further use cases (IP protection of ML algorithms, digital car key)

➢ Sanctuary for RISC-V

Questions ?

emmanuel.stapf@trust.tu-darmstadt.de