Thesis 111522073: Detailed Record
Author: 黃浩洋 (Hao-Yang Huang)
Department: Department of Computer Science and Information Engineering
Title: TrustBUF: A Shared Buffer Communication Method Implemented on TF-M
(TrustBUF: A Secure Shared Buffer Communication Method on TF-M)
Related theses:
★ An OP-TEE-based Trusted Application Software Ecosystem
★ SeFence: Trusted Peripheral Access Control Based on Secure Sensing
★ 3D Modeling from High-Resolution 2D Geographic Images: A Comparative Study of Rotational Transform Projection and Conventional Methods
★ CSI Prediction Methods in Low Earth Orbit Satellite Wireless Communication
★ A Dynamic Handover Strategy for Multi-Traffic LEO Satellite Systems
★ A TrustZone-based Voice Privacy Protection System for Smart Devices
★ A Scheme for Mitigating Interference in LEO Satellite Networks
★ TruzGPS: A TrustZone-based Location Privacy Protection System
★ Random Access Preamble Design and Detection for Integrated Satellite-Terrestrial Networks
★ SatPolicy: A TrustZone-based Satellite Policy Enforcement System
★ TruzMalloc: A TrustZone-based Private Data Protection System
★ A Physical-Layer-Security-based CSI Protection Method in Satellite-Terrestrial Networks
★ Secure Non-Orthogonal Multiple Access Transmission in Integrated LEO Satellite-Terrestrial Networks
★ DRX Mechanism Design in LEO Satellite-Terrestrial Networks
★ Set-System-based Preamble Design for Integrated Satellite-Terrestrial Networks
★ A Power-Saving Routing Algorithm for LEO Satellite Networks
Files: full text is not available through the system (never to be released).
Abstract (Chinese, translated): Driven by the demands of daily life and industrial environments, the number of Internet of Things (IoT) devices is growing rapidly. As the influence of IoT keeps increasing, many IoT device services now have to handle security-sensitive information, which attracts attackers who target IoT security. In recent years, the security concept of the Trusted Execution Environment (TEE) has also been applied to IoT device systems: the system is divided into a secure world and a non-secure world, and sensitive information is kept in secure-world services, such as a cryptographic service, to prevent access from outside. ARM implements the TEE concept as TrustZone-M (TZ-M) and integrates this feature into the Armv8-M processor family used in IoT devices. Built on TZ-M, and in order to provide a certified security standard to more microcontroller developers, the Trusted Firmware-M (TF-M) architecture was introduced to give IoT devices based on Armv8-M processors a certain level of protection. Nevertheless, researchers have found that TF-M contains software vulnerabilities, caused by programs in the non-secure world passing malicious arguments to secure-world services, that can leak secrets. By analyzing the literature on related security issues, we believe this problem stems from the fact that, once the TEE has split the system into two worlds, it cannot fully understand the nature of the service caller in the non-secure world. We therefore propose TrustBUF, a shared buffer communication method handled by the secure world, to guarantee the security of communication between the two worlds while resolving the security concerns introduced by the TEE's partitioned environment. To demonstrate the practicality of TrustBUF, we implemented a prototype of the system on the STM32L562E-DK development board equipped with an Arm Cortex-M33.
Abstract (English): With the growing demand in living and industrial environments, the production of Internet of Things (IoT) devices is rapidly increasing. However, numerous IoT devices are now required to process security-related information, which attracts attackers who exploit IoT security vulnerabilities. In recent years, the security concept of the Trusted Execution Environment (TEE) has also been applied to IoT devices. A TEE prevents external access by dividing the system into a Secure World and a Normal World and storing sensitive security information in Secure World services such as the crypto service. ARM implements the TEE concept in TrustZone-M (TZ-M), which is integrated into the Armv8-M processors widely adopted in IoT devices. On top of TZ-M, to provide a certified security standard to a broader set of MCU developers, the Trusted Firmware-M (TF-M) architecture was introduced to offer a certain level of protection for IoT devices in the Armv8-M chip family. Despite this, researchers have found software vulnerabilities in TF-M caused by programs in the Normal World passing malicious arguments to a Secure World service, which can result in revealing secrets. By analyzing the related security literature, we found that this problem originates from the TEE's inability to fully grasp the nature of the service caller from the Normal World after the system has been divided into two worlds. Therefore, we propose TrustBUF, a shared buffer communication method handled by the Secure World that ensures secure communication between the two worlds while addressing the security issue caused by the TEE's intrinsic division of the processing environments. To demonstrate the practicality of TrustBUF, we implement a prototype system on the STM32L562E-DK development board with an Arm Cortex-M33.
Keywords (Chinese, translated): ★ IoT Security ★ Trusted Execution Environment ★ TrustZone-M ★ Trusted Firmware-M ★ Computer Security
Keywords (English): ★ IoT Security ★ Trusted Execution Environment ★ TrustZone-M ★ Trusted Firmware-M ★ Computer Security
Table of Contents:
Chinese Abstract i
Abstract ii
Acknowledgements iii
Contents iv
List of Figures vii
List of Tables viii
1 Introduction 1
2 Background 4
  2.1 Trusted Execution Environment 4
  2.2 ARM TrustZone-M 5
  2.3 Trusted Firmware-M 7
  2.4 ARM-based Memory Protection Unit 8
  2.5 Stack-based Buffer Overflow Attack 10
  2.6 Semantic Gap 11
3 Related Works 13
  3.1 General World Switch Communication Vulnerability 13
  3.2 TrustZone-M World Switch Communication Vulnerability 14
4 Threat Model 16
  4.1 Comparison of the Official Threat Model Mitigation 17
  4.2 The Issue of the Buffer Tampering Mitigation 17
  4.3 Refining the Threat Model 18
5 System Design 20
  5.1 Design Goals 20
  5.2 TrustBUF Architecture 22
  5.3 Vault Manager Design 23
  5.4 Shared Vault Pool Isolation Design 24
  5.5 Context Switch Modification 25
6 Implementation 26
  6.1 The Shared Vault Pool Isolation Method 27
  6.2 MPU Protection on the Shared Vault Pool 29
  6.3 The Vault Manager Vault Operations 30
7 Evaluation 34
  7.1 Security Analysis 34
    7.1.1 TF-M World Switch Communication Threat Model 34
    7.1.2 World Switch Communication Comparison 35
    7.1.3 Prevention of the BOF Attack 37
  7.2 Performance Evaluation 37
    7.2.1 Communication Setup Performance 38
    7.2.2 Multi-times Communication Performance 38
    7.2.3 Context Switch Overhead 39
8 Conclusion 41
Bibliography 42
Appendices 47
  A TF-M World Switch Communication Sequence 48
  B MPU Configurations 48
    B.1 MPU enabling 48
    B.2 MPU disabling 49
Advisor: 張貴雲 (Guey-Yun Chang)
Approval date: 2024-7-26