SatPolicy: 基於Trustzone的衛星政策執行系統

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：37

、訪客IP：18.222.110.189

姓名

黃宇帆(Yu-Fan Huang) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

SatPolicy: 基於Trustzone的衛星政策執行系統
(SatPolicy: A TrustZone-based Policy Enforcement Mechanism on the Satellite)

相關論文

★ 基於OP-TEE的可信應用程式軟體生態系統	★ 在低軌道衛星無線通訊中的CSI預測方法
★ 為多流量低軌道衛星系統提出的動態換手策略	★ 基於Trustzone的智慧型設備語音隱私保護系統
★ 一種減輕LEO衛星網路干擾的方案	★ TruzGPS:基於TrustZone的位置隱私權保護系統
★ 衛星地面整合網路之隨機接入前導訊號設計與偵測	★ TruzMalloc: 基於TrustZone 的隱私資料保護系統
★ 衛星地面網路中基於物理層安全的CSI保護方法	★ 低軌道衛星地面整合網路之安全非正交多重存取傳輸
★ 低軌道衛星地面網路中的DRX機制設計	★ 衛星地面整合網路之基於集合系統的前導訊號設計
★ 基於省電的低軌衛星網路路由演算法	★ 衛星上可重組化計算之安全FPGA動態部分可重組架構
★ 衛星網路之基於空間多樣性的前導訊號設計	★ TrustCS: 基於 Trusted Firmware-M 的安全 CubeSat 韌體更新機制

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

隨著衛星數量的顯著增加，在衛星上實現政策執行變得越來越重要。為了在衛星上執行政策，我們提出了衛星政策執行機制Sat- Policy。在SatPolicy 中，根據合法的行程間通訊(Inter-Process Commmunication( IPC)) 來指定強制性的策略。SatPolicy 的策略執行機制包括IPC 流驗證器和政策解析器，我們將這兩個模組實作在可信執行環境(Trusted Execution Environment(TEE)) 中，以避免來自豐富執行環境(Rich Execution Environment(REE)) 的攻擊並防止政策洩漏給攻擊者。此外，為了避免政策更新的風險，SatPolicy 將基於(Public Key Infrastructure(PKI)) 的安全軟體更新機制與TEE 軟體驗證機制結合。 SatPolicy 僅允許具有合法身份（即具合法證書的開發者）的軟體開發者將軟體佈署到衛星上。最後，我們在ARM 開發板上測量了我們實作的部分，我們也證明它的低開銷和有效性。

摘要(英)

With the significant increase in the number of satellites, satellite policy enforcement is becoming more and more important. In order to enforce policies on satellite, we present SatPolicy, a policy enforcement mechanism on satellites. In SatPolicy, mandatory policies are specified in terms of permitted inter-process communication. The policy enforcement mechanism of SatPolicy includes IPC flow verifier and policy parser, which are implemented in Trusted Execution Environment (TEE) to avoid attacks from the Rich Execution Environment (REE) and prevent policies leak to attackers. In addition, to avoid the risk of policy update, SatPolicy integrates PKI-based security software update mechanism with TEE software verification mechanism. Sat- Policy only allows software developers with legal identities (i.e. certificates) to deploy software to satellites. Finally we evaluate our implementation on ARM development board illustrating its low overhead and effectiveness.

關鍵字(中)

★ Policy Enforcement
★ 強制訪問控制
★ 公開金鑰基礎建設
★ 可信執行環境
★ ARM TrustZone

關鍵字(英)

★ Policy Enforcement
★ Mandatory Access Control
★ PKI
★ Trusted Execution Environment
★ ARM TrustZone

論文目次

Contents
中文摘要i
Abstract ii
致謝iii
Contents iv
List of Figures vii
List of Tables viii
1 Introduction 1
2 Related Work and Preliminary 5
2.1 Preliminary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1 Trusted Execution Environment . . . . . . . . . . . . . . . . . . 5
2.1.2 ARM Trustzone . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.3 Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.1 Software Update Mechanism . . . . . . . . . . . . . . . . . . . . 8
2.2.2 Mandatory Access Control Policy Enforcement . . . . . . . . . . 11
2.2.3 Policy Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . 12
3 System Model 13
3.1 Satellite Policy Enforcement System . . . . . . . . . . . . . . . . . . . . 13
3.2 Satellite OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.3 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4 Policy Enforcement 17
4.1 Policy Enforcement Components in Normal World . . . . . . . . . . . . 18
4.2 Policy Enforcement Components in Secure World . . . . . . . . . . . . . 19
4.3 Robustness of Policy Enforcement . . . . . . . . . . . . . . . . . . . . . 19
4.3.1 Security and Robust of IPC handler . . . . . . . . . . . . . . . . 20
4.3.2 Security of call sequence . . . . . . . . . . . . . . . . . . . . . . 20
4.4 Detail of Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . 21
4.4.1 Discussion of Implementation . . . . . . . . . . . . . . . . . . . 22
5 Secure Software Update 23
5.1 Policy update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.2 PKI-based Trusted Application Update . . . . . . . . . . . . . . . . . . . 24
5.2.1 PKI service module . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.3 Detail of Control Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
6 Evaluation 30
6.1 Performance Evaluation of Policy Enforcement . . . . . . . . . . . . . . 30
6.2 Software update overhead . . . . . . . . . . . . . . . . . . . . . . . . . . 33
6.3 Security Analysis of Software Update . . . . . . . . . . . . . . . . . . . 34
6.3.1 TA Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
6.4 Discussion of Open Challenges on Policy Enforcement System . . . . . . 34
7 Conclusion 36
Bibliography 37
Appendices 46
A Find Absolute Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
B Kernel Self-Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
C Policy Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
D Usage of mbed TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
E TA Update of OP-TEE . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
F Covert Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

參考文獻

[1] R. R. Beck, A. Vijeev, and V. Ganapathy, “Privaros: A framework for privacycompliant
delivery drones,” ACM SIGSAC Conference on Computer and Communications
Security, 2020.
[2] Information flow control. [Online]. Available: https://en.wikipedia.org/
wikiInformation_flow_(information_theory)
[3] M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek, E. Kohler, and R. Morris,
“Information flow control for standard os abstractions,” ACM SIGOPS Symposium
on Operating Systems Principles, pp. 321––334, 2007.
[4] N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières, “Making information
flow explicit in histar,” Commun. ACM, vol. 54, no. 11, pp. 93––101, 2011.
[5] W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung, P. Mc-
Daniel, and A. N. Sheth, “Taintdroid: An information-flow tracking system for realtime
privacy monitoring on smartphones,” ACM Trans. Comput. Syst., vol. 32, no. 2,
Jun. 2014.
[6] A. Nadkarni, B. Andow, W. Enck, and S. Jha, “Practical DIFC enforcement on android,”
USENIX Security Symposium (USENIX Security 16), pp. 1119–1136, 2016.
[7] Y. Xu and E. Witchel, “Maxoid: Transparently confining mobile applications with
custom views of state,” European Conference on Computer Systems, 2015.
[8] Mandatory Access Control. [Online]. Available: https://en.wikipedia.org/wiki/
Mandatory_access_control
[9] Discretionary Access Control. [Online]. Available: https://en.wikipedia.org/wiki/
Discretionary_access_control
[10] CentOS.org, “Security-enhanced linux,” 2021. [Online]. Available: https://wiki.
centos.org/HowTos/SELinux
[11] Apparmor.org, “An effective and easy-to-use linux application security system,”
2021. [Online]. Available: https://gitlab.com/apparmor/apparmor/-/wikis/home
[12] R. Wang, A. M. Azab, W. Enck, N. Li, P. Ning, X. Chen, W. Shen, and Y. Cheng,
“Spoke: Scalable knowledge collection and attack surface analysis of access control
policy for security enhanced android,” ACM on Asia Conference on Computer and
Communications Security, pp. 612––624, 2017.
[13] R. Wang, W. Enck, D. Reeves, X. Zhang, P. Ning, D. Xu, W. Zhou, and A. M.
Azab, “Easeandroid: Automatic policy analysis and refinement for security enhanced
android via large-scale semi-supervised learning,” USENIX Security Symposium
(USENIX Security 15), pp. 351–366, 2015.
[14] S. Bugiel, S. Heuser, and A.-R. Sadeghi, “Flexible and fine-grained mandatory access
control on android for diverse security and privacy policies,” USENIX Security
Symposium (USENIX Security 13), pp. 131–146, 2013.
[15] F. Roesner, D. Molnar, A. Moshchuk, T. Kohno, and H. J. Wang, “World-driven
access control for continuous sensing,” ACM SIGSAC Conference on Computer and
Communications Security, pp. 1169––1181, 2014.
[16] Trusted Execution Environment. [Online]. Available: https://en.wikipedia.org/wiki/
Trusted_execution_environment
[17] Intel SGX. [Online]. Available: https://en.wikipedia.org/wiki/Trusted_execution_
environment
[18] ARM.org, “Arm trustzone technology,” 2021. [Online]. Available: https:
//developer.arm.com/ip-products/security-ip/trustzone
[19] Qualcomm.org, “Qualcomm＇s “secure world＂,” 2021. [Online]. Available:
https://www.qualcomm.com/media/documents/files/guard-your-data-withthe-
qualcomm-snapdragon-mobile-platform.pdf
[20] OP-TEE.org, “Open portable trusted execution environment,” 2021. [Online].
Available: https://www.optee.org
[21] Paul W. Frields, “Infrastructure report,” 2008. [Online]. Available: https:
//listman.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
[22] RedHat.org, “Critical: openssh security update,” 2008. [Online]. Available:
http://rhn.redhat.com/errata/RHSA-2008-0855.html
[23] CERT/CC, “Cert advisory ca-2000-09 flaw in pgp 5.0 key generation,” 2000.
[Online]. Available: http://www.cert.org/advisories/CA-2000-09.html
[24] Werner Koch, “[announce] gnupg＇s elgamal signing keys compromised,” 2003. [Online].
Available: https://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.
html
[25] Florian Weimer, “[security] [dsa 1571-1] new openssl packages fix predictable
random number generator,” 2008. [Online]. Available: https://lists.debian.org/
debian-security-announce/2008/msg00152.html
[26] M. M. E. A. Mahmoud, J. Misic, and X. Shen, “Efficient public-key certificate revocation
schemes for smart grid,” IEEE Global Communications Conference (GLOBECOM),
pp. 778–783, 2013.
[27] J. Samuel, N. Mathewson, J. Cappos, and R. Dingledine, “Survivable key compromise
in software update systems,” ACM Conference on Computer and Communications
Security, pp. 61––72, 2010.
[28] K. Suzaki, A. Tsukamoto, A. Green, and M. Mannan, “Reboot-oriented iot: Life
cycle management in trusted execution environment for disposable iot devices,” Annual
Computer Security Applications Conference, pp. 428––441, 2020.
[29] J. Reardon, Á. Feal, P. Wijesekera, A. E. B. On, N. Vallina-Rodriguez, and S. Egelman,
“50 ways to leak your data: An exploration of apps’ circumvention of the
android permissions system,” USENIX Security Symposium (USENIX Security 19),
pp. 603–620, 2019.
[30] Common Vulnerabilities and Exposures, “Cve in android,” 2021. [Online].
Available: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Android
[31] CVE Details, “Google＇s android vulnerability statistics,” 2021. [Online]. Available:
https://www.cvedetails.com/product/19997/Google-Android.html?vendorid=1224
[32] CVE Details, “Linux kernel vulnerability statistics,” 2021. [Online]. Available:
https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendorid=33
[33] OMTP.org, “Omtp advanced trusted environment omtp tr1 v1.1,” 2021. [Online].
Available: http://www.omtp.org/OMTP_Advanced_Trusted_Environment_
OMTP_TR1_v1_1.pdf
[34] GlobalPlatform.org, 2021. [Online]. Available: https://globalplatform.org/
[35] GlobalPlatform.org, “Tee system architecture v1.2,” 2018. [Online]. Available:
https://globalplatform.org/specs-library/tee-system-architecture-v1-2/
[36] GlobalPlatform.org, “Tee client api specification v1.0,” 2010. [Online]. Available:
https://globalplatform.org/specs-library/tee-client-api-specification/
[37] GlobalPlatform.org, “Tee internal core api specification v1.2.1,” 2019. [Online].
Available: https://globalplatform.org/specs-library/tee-internal-core-apispecification-
v1-2/
[38] V. Costan and S. Devadas, “Intel sgx explainedm.”
[39] David Kaplanm Jeremy Powell, and Tom Wollerg, “Amd memory encryption,”
2016. [Online]. Available: https://developer.amd.com/wordpress/media/2013/12/
AMDMemoryEncryptionWhitepaperv7-Public.pdf
[40] ARM Limited, “Arm trustzone technology,” 2021. [Online]. Available: https:
//developer.arm.com/ip-products/security-ip/trustzone
[41] ARM Limited, “Building a secure system using trustzone technology,” 2009,
[Online; accessed 20-July-2021]. [Online]. Available: https://static.docs.arm.com/
genc009492/c/PRD29-GENC-009492Ctrustzonesecuritywhitepaper.pdf
[42] ARM Limited, “Smc calling convention system software on arm platforms,” 2016.
[Online]. Available: https://developer.arm.com/documentation/den0028/b/
[43] Certificate revocation lists, 2016. [Online]. Available: https://tools.ietf.org/html/
rfc3280
[44] A. Kolehmainen, “Secure firmware updates for iot: a survey,” IEEE International
Conference on Internet of Things (iThings) and IEEE Green Computing and Communications
(GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom)
and IEEE Smart Data (SmartData), pp. 112–117, 2018.
[45] Software updates for internet of things, 2021. [Online]. Available: https:
//datatracker.ietf.org/doc/rfc9019/
[46] D. K. Nilsson, L. Sun, and T. Nakajima, “A framework for self-verification of
firmware updates over the air in vehicle ecus,” IEEE Globecom Workshops, pp. 1–5,
2008.
[47] P. Thakur, V. Bodade, A. Achary, M. Addagatla, N. Kumar, and Y. Pingle, “Universal
firmware upgrade over-the-air for iot devices with security,” International
Conference on Computing for Sustainable Global Development (INDIACom), pp.
27–30, 2019.
[48] R. Dhobi, S. Gajjar, D. Parmar, and T. Vaghela, “Secure firmware update over the
air using trustzone,” Innovations in Power and Advanced Computing Technologies
(i-PACT), vol. 1, pp. 1–4, 2019.
[49] Stack overflow. [Online]. Available: https://en.wikipedia.org/wiki/Stack_Overflow
[50] Heap Overflow. [Online]. Available: https://en.wikipedia.org/wiki/Heap_overflow
[51] Shellcode. [Online]. Available: https://en.wikipedia.org/wiki/Shellcode
[52] Y. Yang, J. Moon, K. Jung, and J. Kim, “Downloadable trusted applications on tizen
™ tv: Trustware™ extension: As a downloadable application framework,” IEEE
International Conference on Consumer Electronics (ICCE), pp. 1–4, 2018.
[53] N. Tarate, “Using arm trustzone to implement downloadable cas framework and secure
media pipeline in iptv client devices,” IEEE International Symposium on Broadband
Multimedia Systems and Broadcasting (BMSB), pp. 1–11, 2018.
[54] Teep protocol. [Online]. Available: https://datatracker.ietf.org/doc/draft-ietf-teepprotocol
[55] I. JSON. [Online]. Available: https://www.json.org/jsonen.html
[56] T. Yamauchi, Y. Akao, R. Yoshitani, Y. Nakamura, and M. Hashimoto, “Additional
kernel observer: privilege escalation attack prevention mechanism focusing on system
call privilege changes,” International Journal of Information Security, pp. 1–13,
2020.
[57] LSM vulnerability. [Online]. Available: http://blog.siphos.be/2013/05/looking-atthe-
local-linux-kernel-privilegeescalation/
[58] J. Morris, S. Smalley, and G. Kroah-Hartman, “Linux security modules: General security
support for the linux kernel,” USENIX Security Symposium, pp. 17–31, 2002.
[59] J. Wei and C. Pu, “Tocttou vulnerabilities in unix-style file systems: An anatomical
study.” FAST, vol. 5, pp. 12–12, 2005.
[60] X. Cai, Y. Gui, and R. Johnson, “Exploiting unix file-system races via algorithmic
complexity attacks,” IEEE Symposium on Security and Privacy, pp. 27–41, 2009.
[61] S. Parkinson, V. Somaraki, and R. Ward, “Auditing file system permissions using
association rule mining,” Expert Systems with Applications, vol. 55, pp. 274–283,
2016.
[62] H. Chen, Y. Mao, X. Wang, D. Zhou, N. Zeldovich, and M. F. Kaashoek, “Linux
kernel vulnerabilities: State-of-the-art defenses and open problems,” Asia-Pacific
Workshop on Systems, pp. 1–5, 2011.
[63] IPC method. [Online]. Available: https://tutorialspoint.dev/computer-science/
operating-systems/interprocess-communication-methods
[64] Absolute path. [Online]. Available: https://www.linux.com/training-tutorials/
absolute-path-vs-relative-path-linuxunix
[65] Covert channel. [Online]. Available: https://en.wikipedia.org/wiki/Covert_channel
[66] Buffer overflow. [Online]. Available: https://en.wikipedia.org/wiki/Buffer_
overflow
[67] Kernel Self-Protection. [Online]. Available: https://www.kernel.org/doc/html/latest/
security/self-protection.html
[68] Shared memory. [Online]. Available: https://optee.readthedocs.io/en/latest/
architecture/core.html#noncontiguous-shared-buffers
[69] OP-TEE development keypair. [Online]. Available: https://optee.readthedocs.io/en/
latest/architecture/porting_guidelines.html
[70] Mbed TLS. [Online]. Available: https://tls.mbed.org/api
[71] STMicroelectronics. [Online]. Available: https://www.st.com/content/st_com/en.
html
[72] OP-TEE example. [Online]. Available: https://optee.readthedocs.io/en/latest/
building/gits/optee_examples/optee_examples.html
[73] OP-TEE File Encryption Key. [Online]. Available: https://optee.readthedocs.io/en/
latest/architecture/secure_storage.html

指導教授

張貴雲(Guey-Yun Chang)

審核日期

2021-8-30

推文