Poster

Abstract

Mobile and embedded system software designer are often torn between choosing security and functionality. In particular, the security of out-of-band execution environment is sensitive to rich functionality. ARM TrustZone has been used to develop a Trusted Execution Environment (TEE), which runs in parallel with rich functionality commodity OS and provides an isolated and tamper-resistant execution context for trusted applications. ARM TrustZone splits access of the processor, memory and peripherals into two different worlds, namely normal world and secure world. The secure world is more privileged and the recommended context to implement TEE. However, despite the security of TrustZone TEE, the functionality is very limited. Hardware virtualization could balance the tradeoff between security and functionality by creating two VMes atop of the hardware. However, most of embedded and mobile devices lack hardware virtualization support, which makes it hard to deploy. Red-green dual-OS design, which provides a highly-protected and constrained trusted environment (green OS) to perform secure sensitive tasks and a general purpose environment (red OS) for all other tasks and applications, is an attractive design to achieve both security and functionality. Red-green dual-OS architecture uses resources partition instead of virtualization to achieve its goal and has been deployed in many mobile devices by running the red OS in normal world and the green OS in secure world of ARM TrustZone. However, even red-green dual-OS provides an isolated environment and rich functionality, the two OSes are not created equally: a compromise of the green OS would also result in the compromise of the red OS since secure world is more privileged. We show that how TVisor, a lightweight dual-OS architecture that creates two born-equal OS and each of them could still use the secure services of TEE in secure world, balances security and functionality for mobile devices. TVisor could be deployed to many low-cost embedded and mobile devices which are equipped with ARM TrustZone but without hardware virtualization support.