Abstract

Hardware support for isolated execution (e.g., ARM TrustZone) enables the development of a trusted execution environment (TEE) that ensures the security of code and data while communicating with a compromised rich execution environment (REE). A TEE that satisfies various security services is complicated and usually consists of trusted applications, a trusted kernel and a secure monitor. However, formally verifying the security of an entire TEE remains challenging. We present a methodology for designing a TEE in a way that enables verification of its security properties. Our methodology consists of forcing a trusted application and kernel to communicate with an REE via a narrow interface, and compiling and linking them with a small secure monitor that implements the interface and runs at the highest privilege level. We provide functional verification of the secure monitor to ensure that it correctly switches between the TEE and REE, communicates with the REE in a pre-defined memory space and has no integer overflow vulnerability. We also verify the secure monitor’s scheduler to ensure that it satisfies information flow noninterference. We present a modular verification framework that can prove an end-to-end security property for cross-language programmes (e.g., C and assembly languages). Our evaluation suggests that the methodology scales to real-world TEE applications.

Highlights

  • The rapid development and extensive application of the mobile internet offers substantial convenience to people’s lives

  • Security Property modelling—How do we model a clear and precise security property for different domains? If we express the property in terms of the abstraction level specification, what will this task imply for the programme implementation level? We need to model properties at different levels of abstraction and translate between or link separate properties

  • We demonstrate the efficacy of our verification framework by applying it to complete the secure monitor’s verification tasks

Summary

INTRODUCTION

The rapid development and extensive application of the mobile internet offers substantial convenience to people’s lives. We need to prove the following tasks: the secure channel always reads/writes data in a pre-defined memory space; the scheduler always saves registers into and loads new values from proper places and switches to a proper execution environment; and the secure monitor’s implementation satisfies the information flow noninterference property. To complete these verification tasks, the following challenges need to be addressed:

VOLUME 8, 2020

TEE DESIGN BASED ON TRUSTZONE
MODULAR VERIFICATION FRAMEWORK
END-TO-END SECURITY
SECURITY VERIFICATION OF SECURE MONITOR
EVALUATION
CONCLUSION