Low Earth Orbit (LEO) satellites face stringent security and reliability challenges as their applications diversify and the complexity of subsystem integration grows. This paper presents SaTEE, a subsystem access-rights management and payload-execution isolation framework designed for LEO satellite platforms. Without requiring any hardware modifications, SaTEE combines hardware primitives from the ARM Confidential Compute Architecture (CCA) with the SHELTER user-space enclave framework to achieve: (1) Payload isolation: third-party payload applications execute inside hardware-isolated enclaves; (2) Subsystem access control: subsystem interfaces are strictly managed so that only payloads approved by the satellite operator may access protected subsystem interfaces; (3) Payload integrity verification: corrupted, outdated, or tampered payloads are prevented from accessing subsystems and compromising mission stability and security. We implement a prototype of SaTEE on ARM's Fixed Virtual Platform (FVP); together with the original SHELTER software stack, the Trusted Computing Base (TCB) totals approximately 2,600 source lines of code (SLoC). We define a threat model based on LEO satellite usage scenarios and analyze SaTEE against it, showing that SaTEE protects subsystems against multiple attack vectors and prevents potential data leakage or malicious manipulation. Simulated performance measurements on a performance prototype based on the AMD Xilinx Zynq UltraScale+ MPSoC show that the runtime overhead introduced by SaTEE is acceptable.