Architectures for Security: A comparative analysis
of hardware security features in Intel SGX and
ARM TrustZone
Muhammad Asim Mukhtar
Information Technology University
Lahore, Pakistan
asim.mukhtar@itu.edu.pk
Muhammad Khurram Bhatti
Information Technology University
Lahore, Pakistan
khurram.bhatti@itu.edu.pk
Guy Gogniat
University of South Brittany
Lorient, France
guy.gogniat@univ-ubs.fr
Abstract—A variety of applications execute on a large untrusted computing base, which includes the operating system, hypervisor, firmware, and hardware. This large computing base is becoming complex and unverifiable. The untrusted computing base problem opens a way for a malicious application to steal the secrets of a security-critical application by compromising that computing base. To resolve this problem, computer architectures have introduced the concept of the trusted execution environment, which aims to ensure that sensitive data is stored and processed in an isolated environment. Popular existing trusted execution environments rely on hardware to isolate the environment, with no or minimal reliance on system software. However, existing hardware-assisted trusted execution environments are still vulnerable to sophisticated attacks. This paper analyses two popular trusted execution environments, Intel SGX and ARM TrustZone, in order to provide better insight into the intended scope of their protection. The paper illustrates their functionality, implementation and security analysis.
Index Terms—Trusted Execution Environments, TEE, Memory isolation, Intel SGX, and ARM TrustZone.
I. INTRODUCTION
Normal and security-critical applications execute on a large untrusted computing base, which includes an operating system, hypervisor, firmware, and hardware. This large computing base is becoming complex and unverifiable. For example, an operating system such as Linux has 17 million lines of code [2], and CVE reported 166 vulnerabilities in it during the year 2018 related to denial of service, overflow, unauthorized privilege gain, memory corruption, directory traversal, and execution of unauthorized code. Similarly, Xen is a well-known hypervisor with 150,000 lines of code [27]; its code base is relatively small compared to Linux but still has vulnerabilities, and CVE reported 18 vulnerabilities in Xen in the year 2018 [11]. Moreover, attacks that subvert firmware have been reported [1] [25] [23]. Normal and security-critical applications execute on shared resources that are controlled by the untrusted computing base, which raises security threats. This opens the way for a malicious application to attack these vulnerabilities to gain unauthorized privilege, and then steal secrets from the security-critical application's address space.
This research work is partially supported by the PHC PERIDOT Project e-health.SECURE and National Center for Cyber Security (NCCS), Pakistan.
To cope with the untrusted computing base problem, computer architectures have introduced the concept of trusted execution environments, which aim to isolate security-critical applications from the untrusted computing base. Trusted execution environments guarantee security by relying on a smaller hardware and software computing base. Hardware is generally considered the trusted base because the cost and complexity of attacks on hardware are usually high [12]. This has led the industry to develop computer architectures that provide a trusted execution environment for security-critical applications, maintained by hardware with no or little dependency on the OS and hypervisor. These architectures include ARM TrustZone Technology [17], Intel Software Guard eXtensions (SGX) [14] [20], AMD Memory Encryption Technologies [15], AMD Platform Secure Processor [13], x86 System Management Mode [8], and Intel Management Engine (ME) [22].
Intel SGX and ARM TrustZone are popular trusted execution environments. Both are hardware-assisted trusted execution environments, but the mechanisms behind creating the trusted environment for trusted applications are different. Intel SGX creates a trusted environment for trusted applications such that they execute over the existing untrusted system software, whereas ARM TrustZone creates a new trusted world for trusted applications that executes over trusted system software and hardware visible only to the trusted world. These TEEs are vulnerable to different sets of attacks because of their different mechanisms for creating trusted execution environments. This paper analyses these trusted execution environments in order to provide better insight into the intended scope of their protection. The paper illustrates their functionality, implementation and security analysis.
II. FUNCTIONALITY AND IMPLEMENTATION OF ARM TRUSTZONE AND INTEL SGX
A. ARM TrustZone
ARM TrustZone provides a set of intellectual property cores (IP blocks) for developing a partitioning-based security framework. The way chip manufacturers combine these IP blocks defines the security properties. In general, ARM TrustZone divides a system's resources (CPU, memory, and peripherals) into two classes referred to as the secure world and the normal world [17].
Fig. 1. ARM TrustZone implementation (block diagram: a processor with secure extensions on an AMBA AXI bus with the secure-bit extension; interrupt controller, caches, SRAM behind a TZMA, DRAM behind a TZASC, ROM behind a TZMA, and an AXI-to-APB bridge to the APB bus carrying the keypad controller, ADC, DAC and other peripherals; secure-aware components are highlighted).
Fig. 2. ARM TrustZone software stack (diagram: in the normal world, App at EL-0, untrusted OS at EL-1 and hypervisor at EL-2; in the secure world, App at EL-0, trusted OS at EL-1 and secure firmware with the secure monitor at EL-3; there is no EL-2 in the secure world and no EL-3 in the normal world; hardware sits beneath both worlds. EL: exception level; App: application; OS: operating system.)
ARM TrustZone introduces a new execution environment in the processor, referred to as the secure world, alongside the old execution environment, referred to as the normal world. The secure world has multiple privilege levels, the same as the normal world. Therefore, a whole trusted software stack can be developed in the secure world from user level to system level, except for a hypervisor, as shown in Figure 2. Each world has its own operating system and manages the resources for the applications belonging to that world's space. Only one world's software stack executes at a time on a processor. The context switch between the secure and normal worlds is handled by monitor mode, which is the highest privilege level of the secure world and can access the system resources of both worlds. To reflect the processor's current world to the other system resources, the bus is extended with a new bit called the non-secure bit (NS). Cache lines are also extended with the NS bit, which specifies the security state of the cache line. The NS bit in each cache line eliminates the need to flush the cache lines on a context switch between the secure world and the normal world, which results in low context-switching overhead. The allocation of cache lines depends on the demand of each world, and one world can evict the cache lines of the other. A TrustZone processor provides separate address translation for the secure and normal worlds. This is achieved by implementing two page-table base registers, which the page walker uses according to the processor's current world. The physical addresses in the page-table entries are also extended to include the value of the NS bit to be issued on the AXI bus, as shown in Figure 3. The addition of the NS bit to the address tag of each cache line effectively creates completely different views of the memory space for software executing in different worlds.
Fig. 3. ARM TrustZone TLB and cache isolation (diagram: the processor presents a VA together with an NSTID to the TLB, which yields a PA together with the NS bit; each L1 cache data line is tagged with PA and NS before the access goes to the AXI bus. VA: virtual address; PA: physical address; NSTID: non-secure tag identifier; NS: non-secure bit.)
Memory modules such as DRAM, SRAM, and ROM that are not designed for the extended AXI bus can be connected using adapters, as shown in Figure 1. The TrustZone Memory Adapter (TZMA) can be used to partition an on-chip ROM or SRAM into a secure region and a normal region, and the TrustZone Address Space Controller (TZASC) partitions the memory space provided by a DRAM controller into secure and normal regions. A TrustZone-aware DMA controller rejects DMA transfers from the normal world that reference secure-world addresses.
In an ARM system most peripherals are connected to the APB bus, which is a lower-power bus than the main AXI bus. The APB protocol does not carry the NS bit. To defeat software attacks that use a peripheral to extract information, ARM TrustZone introduces a security-handling feature in the AXI-to-APB bridge, which interfaces the high-speed AXI domain to the low-power APB domain. The bridge contains an address decoder that selects the APB peripheral based on the incoming AXI transaction. The bridge takes a single-bit input for each peripheral located on the bus to determine whether that peripheral is configured as secure or non-secure. The AXI-to-APB bridge rejects non-secure requests to secure peripheral address ranges using the NS bit information of the AXI bus.
There are two types of hardware interrupt in ARM TrustZone: Fast Interrupt Request (FIQ) and Interrupt Request (IRQ). Either interrupt can be configured as a secure interrupt by setting the IRQ bit or the FIQ bit in the Secure Configuration Register (SCR). A secure interrupt is trapped directly into monitor mode (EL-3) and then forwarded to the normal world if required. ARM recommends that IRQ be used as the interrupt source of the normal world and FIQ as the secure interrupt, because IRQ is the most commonly used interrupt source in most operating environments, so using FIQ as the secure interrupt requires the fewest modifications to existing software.
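The following Python model is an added example, not code from the paper or from ARM; it ties together the bus-level checks described in the preceding paragraphs (the NS bit on an AXI transaction, a TZASC gating DRAM regions, a TZMA splitting on-chip SRAM, the AXI-to-APB bridge applying its per-peripheral secure input, normal-world DMA being rejected by the same checks) and the SCR-based FIQ/IRQ routing. The memory map, region sizes, peripheral names and the convention that the TZMA treats addresses below its boundary as secure are all constructed assumptions for the example, not a real SoC layout.

```python
"""Toy model of TrustZone bus-level partitioning (example code, not the
paper's or ARM's). All addresses, region sizes and peripheral names are
constructed for this example."""
from dataclasses import dataclass

SECURE, NON_SECURE = 0, 1      # value of the NS bit on the AXI bus


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int                   # exclusive
    secure: bool               # for APB entries: the bridge's 1-bit input


class TZASC:
    """Address space controller for DRAM: a list of secure/normal regions."""
    def __init__(self, regions):
        self.regions = regions

    def allows(self, pa: int, ns: int) -> bool:
        for r in self.regions:
            if r.start <= pa < r.end:
                # a secure region only answers transactions with NS=0
                return not (r.secure and ns == NON_SECURE)
        return False           # no region claims this DRAM address


class TZMA:
    """Memory adapter for on-chip SRAM/ROM with one partition boundary.
    Assumption for this model: offsets below the boundary are secure."""
    def __init__(self, base: int, size: int, secure_boundary: int):
        self.base, self.size, self.boundary = base, size, secure_boundary

    def allows(self, pa: int, ns: int) -> bool:
        offset = pa - self.base
        if not 0 <= offset < self.size:
            return False
        return not (offset < self.boundary and ns == NON_SECURE)


class AxiToApbBridge:
    """Decodes the APB peripheral from the AXI address and applies the
    per-peripheral secure input; the APB side never sees the NS bit."""
    def __init__(self, peripherals):
        self.peripherals = peripherals

    def allows(self, pa: int, ns: int) -> bool:
        for p in self.peripherals:
            if p.start <= pa < p.end:
                return not (p.secure and ns == NON_SECURE)
        return False


class SoC:
    """Routes an AXI transaction to the component that owns the address."""
    def __init__(self, tzasc, tzma, bridge, dram, apb):
        self.tzasc, self.tzma, self.bridge = tzasc, tzma, bridge
        self.dram, self.apb = dram, apb      # (start, end) address windows

    def axi_access(self, pa: int, ns: int, master: str = "cpu") -> str:
        """ns is the NS bit the master put on the bus. A TrustZone-aware DMA
        controller tags normal-world DMA with NS=1, so it hits the same
        checks as a normal-world CPU access."""
        if self.dram[0] <= pa < self.dram[1]:
            ok = self.tzasc.allows(pa, ns)
        elif self.apb[0] <= pa < self.apb[1]:
            ok = self.bridge.allows(pa, ns)
        else:
            ok = self.tzma.allows(pa, ns)
        return "OK" if ok else f"REJECT({master})"


def route_interrupt(scr_fiq: bool, scr_irq: bool, kind: str) -> str:
    """SCR.FIQ / SCR.IRQ set marks that interrupt type as a secure interrupt,
    which is trapped to EL-3 monitor mode first; otherwise it is handled in
    the normal world directly."""
    is_secure = (kind == "FIQ" and scr_fiq) or (kind == "IRQ" and scr_irq)
    return "EL3-monitor" if is_secure else "normal-world"


def build_example_soc() -> SoC:
    # Constructed memory map (assumption, not a real SoC layout).
    tzasc = TZASC([
        Region("secure-dram", 0x8000_0000, 0x8100_0000, secure=True),
        Region("normal-dram", 0x8100_0000, 0x9000_0000, secure=False),
    ])
    tzma = TZMA(base=0x0000_0000, size=0x4_0000, secure_boundary=0x1_0000)
    bridge = AxiToApbBridge([
        Region("keypad", 0x4000_0000, 0x4000_1000, secure=True),   # e.g. PIN entry
        Region("adc",    0x4000_1000, 0x4000_2000, secure=False),
    ])
    return SoC(tzasc, tzma, bridge,
               dram=(0x8000_0000, 0x9000_0000),
               apb=(0x4000_0000, 0x4001_0000))


if __name__ == "__main__":
    soc = build_example_soc()
    print(soc.axi_access(0x8000_0040, NON_SECURE))          # REJECT(cpu)
    print(soc.axi_access(0x8000_0040, SECURE))              # OK
    print(soc.axi_access(0x4000_0004, NON_SECURE, "dma"))   # REJECT(dma)
    print(route_interrupt(True, False, "FIQ"))              # EL3-monitor
```

The point the model makes visible is that every gate keys on the single NS bit carried with the transaction, so the decision is the same whether the requester is the normal-world CPU or a DMA engine acting on its behalf, and that the APB peripherals are protected only because the bridge, not the peripheral, consults the NS bit.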
B. Intel Software Guard Extensions (SGX)
Intel provides a general-purpose hardware-assisted TEE referred to as Intel SGX. Intel SGX is an extension of the x86 architecture with a new set of security-related instructions [6] [8] [7]. These instructions are used by security-critical applications to build a hardware-assisted trusted environment referred to as an enclave [19]. An Intel SGX enclave ensures confidentiality using memory access checks against a hardware-maintained data structure, and integrity by encrypting data and code when they leave the CPU package [16]. Intel SGX is a centralized security model: the trusted computing base (TCB) is considered to be the CPU package.
Fig. 4. Intel SGX implementation (block diagram: within Core-0, the execution unit, page miss handler, L1 data and instruction caches, instruction decoder and L2 cache; a shared L3 cache; the memory controller with its memory encryption engine; QPI router, I/O controller, other cores and other secondary units; DDR to DRAM, QPI to another CPU, PCI-X to a NIC, and DMI to the Platform Controller Hub with USB, SATA and ME; secure-aware components are highlighted).
An SGX processor does not provide orthogonal privilege levels to a secure application as TrustZone does, as shown in Figure 5. The application executes on the same untrusted operating system, but security is achieved by matching accesses against hardware-managed metadata that the OS cannot read or write. The reason for achieving security over the conventional software stack is to minimize the effort required to modify application code in order to benefit from SGX. History suggests this is a wise decision, as a large factor in the continued dominance of the Intel architecture is its ability to maintain backward compatibility.
Conceptually, Intel SGX offers an application a new type of address space, referred to as processor reserved memory (PRM), that has special security properties, as shown in Figure 6. The PRM address space cannot be read or written by high-privileged software such as the operating system and hypervisor, although it contains code and data of a low privilege level. Conversely, the code and data in the PRM do not have higher privilege than the system software, because the code in it cannot access the system software's address space. Moreover, the processor checks and overrides the memory-mapping decisions taken by the OS if it finds an inconsistency with metadata that the processor manages without the assistance of the OS, called the enclave page cache map (EPCM). The EPCM contains, for each enclave page, the expected virtual address used to access that page and its access permissions, i.e. read, write and execute.
The processor encrypts the pages in the PRM when they leave the CPU chip, which guarantees security against bus-tapping attacks. The processor also checks a signature before loading a page into the cache to ensure the page's integrity. This catches malicious writes, reads or replacement with other pages by the OS, but cannot prevent the OS from attempting such malicious acts.
To achieve trusted storage, SGX modifies only the CPU components among the system resources, as shown in Figure 4. This is because every memory and I/O access request passes through the processor, so checks at the CPU are sufficient for achieving security. In SGX the major changes are in three components: the instruction decoder, the page miss handler, and the memory controller. Firstly, 18 new instructions are introduced in the instruction decoder, comprising 5 user instructions that an application uses to initialize and build an enclave and 13 supervisor instructions that the OS uses to manage enclave page tables. Microcode related to memory access checks is also added, which is triggered by the page miss handler [10]. Secondly, the PMH hardware is modified to trigger the microcode assist for all address translations when a logical processor is in enclave mode, or when the physical address produced by the page walker matches the PRM range. Lastly, a new register referred to as the processor reserved memory range register (PRMRR) is introduced in the memory controller, which defines the size of the PRM. The memory controller is also integrated with a memory encryption engine, which uses non-standard cryptographic primitives consisting of a slightly modified AES operating mode [21] and a Carter-Wegman MAC construction [4] [24].
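The following Python model is an added example, not code from the paper or from Intel; it illustrates the two points made above about the EPCM and the page miss handler: the OS owns the page table, but when the core is in enclave mode or the translated physical address falls inside the PRM range defined by the PRMRR, the assist cross-checks the OS mapping against the processor-managed EPCM (owning enclave, expected virtual address, permissions) and overrides the OS decision on a mismatch. The PRM range, addresses, enclave ids, the `load_enclave_page` helper standing in for the supervisor-instruction path, and the choice to let enclave code access non-PRM memory of its host application are constructed assumptions of this simplified model.

```python
"""Toy model of the SGX EPCM cross-check performed by the PMH microcode
assist (example code, not the paper's or Intel's). Addresses, PRM range and
enclave ids are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PAGE = 0x1000


@dataclass
class EpcmEntry:
    enclave_id: int      # which enclave owns this EPC page
    expected_va: int     # virtual address the page is expected to be accessed at
    r: bool
    w: bool
    x: bool


class SgxTranslationModel:
    def __init__(self, prmrr_base: int, prmrr_size: int):
        # PRMRR in the memory controller: defines the PRM range
        self.prm_start, self.prm_end = prmrr_base, prmrr_base + prmrr_size
        self.page_table: Dict[int, int] = {}        # OS-managed VA -> PA
        self.epcm: Dict[int, EpcmEntry] = {}         # processor-managed, by PA

    def in_prm(self, pa: int) -> bool:
        return self.prm_start <= pa < self.prm_end

    def os_map(self, va: int, pa: int) -> None:
        """The untrusted OS may write any mapping it likes."""
        self.page_table[va] = pa

    def load_enclave_page(self, enclave_id, va, pa, r=True, w=False, x=False):
        """Assumption: stands in for the supervisor-instruction path that adds
        an EPC page and records its expected VA and permissions in the EPCM."""
        assert self.in_prm(pa), "EPC pages live inside the PRM"
        self.epcm[pa] = EpcmEntry(enclave_id, va, r, w, x)
        self.os_map(va, pa)

    def translate(self, va: int, access: str, enclave_mode: bool,
                  enclave_id: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return ("ok", pa) or (reason, None). access is 'r', 'w' or 'x'."""
        page_va = va & ~(PAGE - 1)
        pa = self.page_table.get(page_va)
        if pa is None:
            return ("page-fault", None)
        # Ordinary translation: no assist unless enclave mode or a PRM target.
        if not enclave_mode and not self.in_prm(pa):
            return ("ok", pa)
        if not enclave_mode:
            # system software or a non-enclave application touching the PRM
            return ("abort-prm-access", None)
        if not self.in_prm(pa):
            # Assumption: enclave code may use non-PRM memory of its host
            # application; this model does not restrict that.
            return ("ok", pa)
        entry = self.epcm.get(pa)
        if entry is None:
            return ("fault-not-epc-page", None)
        if entry.enclave_id != enclave_id:
            return ("fault-other-enclave", None)
        if entry.expected_va != page_va:
            # OS mapped the page at a different VA: override its decision
            return ("fault-va-mismatch", None)
        if not getattr(entry, access):
            return ("fault-permission", None)
        return ("ok", pa)


def remap_demo() -> Tuple[str, str]:
    """Constructed scenario: the OS swaps two enclave pages in its page table.
    The EPCM cross-check makes the enclave's access fault instead of silently
    reading the wrong page."""
    m = SgxTranslationModel(prmrr_base=0x1000_0000, prmrr_size=0x0800_0000)
    m.load_enclave_page(1, va=0x0040_0000, pa=0x1000_1000, r=True, w=True)
    m.load_enclave_page(1, va=0x0040_1000, pa=0x1000_2000, r=True)
    before = m.translate(0x0040_0010, "r", enclave_mode=True, enclave_id=1)[0]
    # The untrusted OS swaps the two mappings.
    m.os_map(0x0040_0000, 0x1000_2000)
    m.os_map(0x0040_1000, 0x1000_1000)
    after = m.translate(0x0040_0010, "r", enclave_mode=True, enclave_id=1)[0]
    return before, after


if __name__ == "__main__":
    print(remap_demo())   # ('ok', 'fault-va-mismatch')
```

The model separates the two data structures the paper contrasts: `page_table` is writable by the OS at will, while `epcm` is only updated through the enclave-loading path, and the final decision for any PRM access comes from comparing the two.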
III. ARM TRUSTZONE AND INTEL SGX PROTECTION AGAINST VULNERABILITIES
The aim of trusted execution environments is to ensure that secure data is stored and processed in an isolated, trusted environment. Trusted execution environments reduce the computing base so as to limit the links between a security-critical application and potentially malicious applications. Direct or indirect critical links between an attacker and security-critical applications can be broadly categorized into three classes: the attacker links to the security-critical application through privileged software (Figure 7, referred to as Vulnerability-1), the attacker links to the security-critical application through micro-architectural events of the hardware (Figure 8, referred to as Vulnerability-2), and the attacker links to the security-critical application by directly probing the hardware (Figure 9, referred to as Vulnerability-3).
Fig. 5. Intel SGX software stack (diagram: OS and applications over hardware at ring levels RL 0 and RL 3, distinguishing the enclave, i.e. code that requires a trusted execution environment, the code that manages the page table for the enclave, and the data structures managed by hardware for security checks. RL: ring level; App: application; OS: operating system.)
Fig. 6. Intel SGX trusted storage (diagram: the enclave within the application's virtual address space is mapped through an OS-managed page table to 4 kB pages in the PRM region of DRAM; the EPCM holds a processor-managed metadata entry for each of those pages.)
Fig. 7. Vulnerability 1: Malicious application makes a link to another application's secure data through privileged software (diagram: malicious app and app over a compromised OS over hardware).
Fig. 8. Vulnerability 2: Malicious application makes a link to another application's secure data through micro-architectural events of the hardware (diagram: malicious app and app over the OS over hardware).
A. Vulnerability-1
The attacker uses system software privilege to make a link to the secure data of an application. This privilege allows the attacker to modify page tables and TLBs, perform unauthorized DMA transfers, and cause denial of service (DoS). The attacker is not able to modify page tables and TLBs in TrustZone and SGX. TrustZone page tables and TLBs are managed by the secure-world operating system and stored in the secure memory region, which cannot be accessed by untrusted system software. Moreover, TrustZone also divides the TLBs between the secure and normal worlds. Intel SGX protects page tables from modification by encrypting them and placing them in the PRM, which cannot be accessed by system software. Intel SGX flushes the TLB on exiting an enclave and applies security checks before storing an address translation in the TLB. These two measures make untrusted modification of the TLB difficult. Direct memory accesses are also bounced back in TrustZone and SGX, which makes these architectures secure from DMA-based attacks. DoS in SGX can be launched more easily than in TrustZone, because the secure application's page table and TLB management is the responsibility of the untrusted operating system, whereas in TrustZone the trusted operating system manages the page tables
Fig. 9. Vulnerability 3: Malicious application makes a link to another application's secure data by directly probing the hardware (diagram: app and app over a compromised OS over hardware, with lab equipment attached to the hardware).