TrustICT: An efficient trusted interaction interface between isolated execution domains on ARM multi-core processors

Abstract

The Trusted Execution Environment (TEE) has been widely used to protect the security-sensitive sensing systems on Internet-of-Thing (IoT) devices. In the TEE systems, the execution environment is securely divided into a normal domain and a higher privileged secure domain which executing sensing systems through hardware. One common way to achieve the protection is implementing the sensitive functions of the sensing systems as trusted applications (TAs) in the well-isolated secure domain. Users in rich OS have to call TAs through the client applications (CAs), and the invocations must pass through the rich OS kernel. However, an untrusted rich OS may launch man-in-the-middle attacks on the communication between the CAs and TAs, and the misuse of cross-domain communication channel is becoming one severe threat on the TEE systems. In this paper, we develop a defense system named TrustICT to construct a lightweight trusted interaction channel between CAs and TAs without modifying existing TEE architecture. The main idea is to block attacks on the cross-domain interactions via dynamically setting the access permission of domain-shared memory, locking it from kernel mode and unlocking it only to legal CAs in the user mode. Particularly, we propose a multi-core scheduling strategy to defeat potential attacks from all privileged cores. Compared to existing cryptography-based methods, TrustICT dramatically reduces the system overhead since it does not require time-consuming cryptographic computation or sophisticated real-time kernel protection. We implement a prototype of TrustICT on a Freescale i.MX6Quad platform with the OP-TEE software system and evaluate its impacts on rich OS and the cross-domain transactions.