Master's and Doctoral Theses: 106552014 Detailed Record




Name: 邱振玠 (Chen-Chieh Chiu)   Department: Department of Computer Science and Information Engineering, In-service Master Program
Thesis title: A Trusted Application Software Ecosystem Based on OP-TEE
(TAMS:An Trusted Application Ecosystem base on OP-TEE)
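Related theses
★ CSI Prediction Method for LEO Satellite Wireless Communications
★ A Dynamic Handover Strategy for Multi-Traffic LEO Satellite Systems
★ A TrustZone-Based Voice Privacy Protection System for Smart Devices
★ A Scheme for Mitigating Interference in LEO Satellite Networks
★ TruzGPS: A TrustZone-Based Location Privacy Protection System
★ Random Access Preamble Design and Detection for Integrated Satellite-Terrestrial Networks
★ SatPolicy: A TrustZone-Based Satellite Policy Enforcement System
★ TruzMalloc: A TrustZone-Based Private Data Protection System
★ A Physical-Layer-Security-Based CSI Protection Method for Satellite-Terrestrial Networks
★ Secure Non-Orthogonal Multiple Access Transmission for Integrated LEO Satellite-Terrestrial Networks
★ DRX Mechanism Design for LEO Satellite-Terrestrial Networks
★ Set-System-Based Preamble Design for Integrated Satellite-Terrestrial Networks
★ A Power-Saving Routing Algorithm for LEO Satellite Networks
★ A Secure FPGA Dynamic Partial Reconfiguration Architecture for Reconfigurable Computing on Satellites
★ Spatial-Diversity-Based Preamble Design for Satellite Networks
★ TrustCS: A Secure CubeSat Firmware Update Mechanism Based on Trusted Firmware-M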
Files: View thesis in the system (never open to the public)
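Abstract (Chinese): With advances in semiconductor technology, the computing power of embedded platforms keeps growing. Combined with 5G ultra-high-speed, low-latency communication, this is driving rapid development of Internet of Things (IoT) applications, and IoT security is becoming increasingly important. To improve IoT security, the major processor vendors have added Trusted Execution Environment (TEE) technology to their processors, so that applications with privacy or security concerns run inside the TEE for protection; applications placed in the TEE must themselves be Trusted Applications. When device manufacturers begin using the TEE as a development platform, they inevitably face the problem and challenge of building a platform software ecosystem that balances security and openness so that third parties can develop Trusted Applications. This thesis completes the origin verification mechanism for third-party Trusted Applications that OP-TEE lacks, and provides a small but complete implementation example.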
Abstract (English): The Internet of Things (IoT) has been evolving rapidly in recent years. IoT devices will be able to generate large amounts of security- and privacy-sensitive data. To enhance the security of the Internet of Things, processor manufacturers have added a Trusted Execution Environment (TEE) to their processors. Building the TEE software ecosystem is important for device manufacturers, software vendors, cloud service providers and customers. Building a TEE software ecosystem faces a problem: in most secure operating systems for the TEE, such as OP-TEE, all Trusted Applications (TAs) are by default signed with a single RSA key (private key). Device manufacturers need to provide the same private key to many software vendors for TA signing. However, asking all software vendors to protect the same private key safely is difficult. In this paper, we implement a verification mechanism for third-party Trusted Applications in OP-TEE. It solves the problem that OP-TEE supports only a single key and reduces the private key management load on device manufacturers.
Keywords (Chinese) ★ OP-TEE
★ IoT
Keywords (English) ★ OP-TEE
★ IoT
Table of contents
Chinese Abstract
Abstract
Contents
List of Figures
List of Tables
1 Introduction
2 Literature Review
2.1 Trusted Execution Environment and TrustZone
2.2 Trusted Execution Environment Software Ecosystem for IoT Devices
2.2.1 Software and Firmware Update Mechanisms of the Rich Execution Environment
2.2.2 Software and Firmware Update Mechanisms of the Rich Execution Environment
2.2.3 Device Management
3 Background
3.1 Security Threats
3.1.1 Threats Facing the Rich Execution Environment
3.1.2 Threats Facing the Trusted Execution Environment
3.2 Software Deployment and Update in the IoT Software Development Ecosystem
4 Method
4.1 Main Idea
4.2 Modifying the Trusted Application Loading Mechanism of the OP-TEE Environment
4.3 Trusted Application File Format of the OP-TEE Environment
5 Implementation of OP-TEE Core Modifications
5.1 Placing the Intermediate Certificate in the OP-TEE Code
5.2 Adding Public Key Infrastructure Code to OP-TEE
5.3 Modifying the Code of the OP-TEE Trusted Application Loading Mechanism
5.4 OP-TEE Core Reading of Trusted Application Files
6 Implementation of Software Push Updates
7 Performance Analysis and Evaluation
7.1 Experimental Scenario
7.2 Experimental Environment Setup
7.3 Experiments
8 Conclusion
Bibliography
A TAMS
A.1 Server Side
A.2 Device Side
A.3 Application Developer Side
B TAMS Client Manager
C Server Side
C.1 TAMS Server Manager
C.2 TAMS Server Push Manager
D Developer Side
D.1 TAMS Publisher
Advisor: 張貴雲 (Guey-Yun Chang)   Approval date: 2020-8-20

For questions about this thesis, please contact the Promotion Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.