Master's/Doctoral Thesis 108522011: Record Details
Author: 楊承翰 (Cheng-Han Yang)
Department: Department of Computer Science and Information Engineering
Thesis title: TruzMalloc: A TrustZone-based Sensitive Data Protection System (Chinese title: TruzMalloc: 基於TrustZone的隱私資料保護系統)
Related theses
★ An OP-TEE-based Trusted Application Software Ecosystem
★ A CSI Prediction Method for LEO Satellite Wireless Communication
★ A Dynamic Handover Strategy for Multi-Traffic LEO Satellite Systems
★ A TrustZone-based Voice Privacy Protection System for Smart Devices
★ A Scheme for Mitigating Interference in LEO Satellite Networks
★ TruzGPS: A TrustZone-based Location Privacy Protection System
★ Random Access Preamble Design and Detection for Satellite-Terrestrial Integrated Networks
★ SatPolicy: A TrustZone-based Satellite Policy Enforcement System
★ A Physical-Layer-Security-based CSI Protection Method in Satellite-Terrestrial Networks
★ Secure Non-Orthogonal Multiple Access Transmission in LEO Satellite-Terrestrial Integrated Networks
★ DRX Mechanism Design in LEO Satellite-Terrestrial Networks
★ Set-System-based Preamble Design for Satellite-Terrestrial Integrated Networks
★ A Power-Saving Routing Algorithm for LEO Satellite Networks
★ A Secure FPGA Dynamic Partial Reconfiguration Architecture for On-Satellite Reconfigurable Computing
★ Spatial-Diversity-based Preamble Design for Satellite Networks
★ TrustCS: A Secure CubeSat Firmware Update Mechanism Based on Trusted Firmware-M
Full text: never released for online access.
Abstract (Chinese): As mobile devices become more powerful, more and more applications use users' sensitive data. To protect this sensitive data, many developers place applications that need to use it into a Trusted Execution Environment (TEE) for execution. Over the past few years, many attacks have targeted the TEEs currently in commercial use. These continual attacks make us worry about the security of TEEs. The stack buffer overflow attack, which can cause leakage of private data, is the most common and most dangerous type of attack, and it can harm a TEE just as well. In our thesis, we implemented a physical memory region independent of both the Secure World and the Normal World to resist stack buffer overflow attacks. Trusted Applications (TAs) running in the TEE can store sensitive data in our system to resist the sensitive-data leakage caused by stack buffer overflow attacks. Our system does not impose excessive overhead on the TEE and can effectively protect sensitive data.
Abstract (English): As mobile devices keep gaining new functions, more and more applications on them access the user's sensitive data. To protect this sensitive data, many developers put applications that need to access it into Trusted Execution Environments (TEEs) for execution. In the past few years, many attacks have targeted the commercial TEEs currently in use on the market. These endless attacks have made us worry about whether the security of TEEs will be challenged. Stack buffer overflow attacks, which cause sensitive data leakage, are the most common and arguably the most dangerous attacks, and they have also caused considerable damage to TEEs. In this paper, we implemented an isolated physical memory region outside both the Secure World and the Normal World to resist stack buffer overflow attacks. Trusted Applications (TAs) in the TEE can seal their sensitive data in our system to prevent the sensitive data leakage caused by stack buffer overflow attacks. Our system does not impose much overhead on the TEE and can effectively protect sensitive data.
Keywords (Chinese): ★ Sensitive Data
★ Prevent Data Leakage
★ Trusted Execution Environment
★ ARM TrustZone
Keywords (English): ★ Sensitive Data
★ Prevent Data Leakage
★ Trusted Execution Environment
★ ARM TrustZone
Table of contents
Chinese Abstract, p. i
Abstract, p. ii
Acknowledgements, p. iii
Contents, p. iv
List of Figures, p. vii
List of Tables, p. ix
1 Introduction, p. 1
1.1 Problem of TrustZone, p. 2
1.2 ARM Memory Tagging Extension, p. 2
1.3 Control-Flow Integrity (CFI), p. 6
1.4 Problem of CFI, p. 6
2 Related Work and Preliminary, p. 8
2.1 Related Work, p. 8
2.1.1 Environment Isolation, p. 8
2.1.2 Protection of Sensitive Data, p. 9
2.2 Preliminary, p. 9
2.2.1 Trusted Execution Environment, p. 9
2.2.2 ARM TrustZone, p. 11
2.2.3 TrustZone Address Space Controller (TZASC), p. 11
3 System Model and Assumptions, p. 16
3.1 Memory Layout and Architecture of a Mobile Device System, p. 16
3.2 System Assumptions, p. 18
4 Threat Model, p. 19
4.1 Details of Reading Parameters, p. 20
5 TruzMalloc System Design, p. 22
5.1 System Architecture, p. 22
6 TruzMalloc System Implementation, p. 24
6.1 Modification of TA's Control Flow, p. 25
6.2 Modification of Trusted Firmware, p. 27
6.3 Modification of Trusted OS, p. 27
6.4 Modification of U-boot and Rich OS, p. 28
7 Evaluation, p. 30
7.1 Security Analysis of TruzMalloc, p. 30
7.1.1 Data Isolation, p. 30
7.1.2 Interface Protection, p. 30
7.1.3 Control Flow Protection, p. 31
7.2 Microbenchmarks, p. 31
7.2.1 TruzMalloc Communication, p. 32
7.2.2 Comparing the Performance of TruzMalloc with Secure Storage, p. 33
7.3 Use Case, p. 35
7.3.1 Scenario Description, p. 35
7.3.2 Provision Secret Key, p. 35
7.3.3 Generate OTP, p. 36
7.3.4 GenOTP Performance, p. 37
8 Conclusion, p. 39
Bibliography, p. 40
Appendices, p. 44
A Modification of TA's Control Flow, p. 45
B Modification of Trusted Firmware, p. 46
C Modification of Trusted OS, p. 47
D Modification of U-boot and Rich OS, p. 50
E U-boot Reserved Region with no-map Property, p. 50
Advisor: 張貴雲 (Guey-Yun Chang)
Review date: 2021-8-30