Several kinds of practical attacks have recently been developed to steal information from mobile devices and cloud platforms. Typical examples are board-level physical attacks, which read or tamper with data outside the processor chip (for instance on the memory bus or in DRAM), and memory-based side-channel attacks, in which a malicious program infers a victim's secrets from its memory access pattern.
Existing defenses against these attacks require integrating specialized security hardware into the CPU. That leaves open the question of how to protect off-the-shelf devices, in particular ARM devices, which dominate the mobile market and are gaining momentum in the cloud market but lack such dedicated hardware (for example, a memory encryption engine).
A research team led by ZHAO Shijun from the Institute of Software of the Chinese Academy of Sciences (ISCAS) designed a new secure enclave architecture called SecTEE to prevent these attacks for ARM devices.
SecTEE only requires a small on-chip memory (OCM), a block that is common in SoCs. It runs a small kernel in the OCM; the kernel uses the OCM as its only working memory and encrypts all code and data that leave the chip for DRAM, so a physical attacker on the board only ever observes ciphertext.
In addition, it uses cache coloring and cache locking so that a malicious software attacker cannot learn the memory access patterns of trusted applications by manipulating the cache: coloring keeps the pages of trusted applications in cache sets that the attacker's pages never map to, and locking pins their cache lines so the attacker cannot evict them.
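To make the cache-coloring mechanism concrete, here is a small C example. It is added for illustration and is not SecTEE's code; the cache geometry, the DRAM base of the page pool and the policy of which colors belong to the enclave are assumed values, not parameters taken from the SecTEE design. The example computes which cache sets a physical page maps to, shows that two pages of the same color can evict each other's lines (the precondition for a prime-and-probe attack), and shows an allocator that hands the enclave only pages in reserved colors, so no page the untrusted OS can obtain shares a cache set with enclave memory. Cache locking, which pins lines so they cannot be evicted at all, is a hardware feature and is not simulated here.

```c
/* Page-coloring demo for a physically indexed cache.
 * All geometry below is an assumed example, not SecTEE's actual parameters. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CACHE_SIZE  (512u * 1024u)                    /* 512 KiB L2, assumed */
#define LINE_SIZE   64u                               /* bytes per line, assumed */
#define WAYS        16u                               /* associativity, assumed */
#define PAGE_SIZE   4096u
#define NUM_SETS    (CACHE_SIZE / (LINE_SIZE * WAYS)) /* 512 sets */
#define SET_SPAN    (NUM_SETS * LINE_SIZE)            /* 32 KiB: one pass through every set */
#define NUM_COLORS  (SET_SPAN / PAGE_SIZE)            /* 8 colors */

/* Colors reserved for the enclave kernel and trusted applications (assumed policy). */
#define ENCLAVE_COLOR_MASK 0x03u                      /* colors 0 and 1 */
#define ALL_COLORS_MASK    ((1u << NUM_COLORS) - 1u)

/* Set index a physically indexed cache derives from this address. */
unsigned cache_set(uint64_t paddr) {
    return (unsigned)((paddr / LINE_SIZE) % NUM_SETS);
}

/* Color = the part of the set index that the page frame number determines. */
unsigned page_color(uint64_t paddr) {
    return (unsigned)((paddr / PAGE_SIZE) % NUM_COLORS);
}

/* Two pages can evict each other's lines only if they map to the same sets,
 * i.e. only if they have the same color. */
bool pages_can_conflict(uint64_t pa, uint64_t pb) {
    return page_color(pa) == page_color(pb);
}

#define POOL_PAGES 64u
typedef struct {
    uint64_t base;            /* physical address of the first page */
    bool used[POOL_PAGES];
} page_pool_t;

void pool_init(page_pool_t *p, uint64_t base) {
    p->base = base;
    for (size_t i = 0; i < POOL_PAGES; i++) p->used[i] = false;
}

/* Hand out a free page whose color is in `mask`; returns 0 when none is left. */
uint64_t alloc_page_in_colors(page_pool_t *p, unsigned mask) {
    for (size_t i = 0; i < POOL_PAGES; i++) {
        uint64_t pa = p->base + (uint64_t)i * PAGE_SIZE;
        if (!p->used[i] && ((mask >> page_color(pa)) & 1u)) {
            p->used[i] = true;
            return pa;
        }
    }
    return 0;
}

uint64_t alloc_enclave_page(page_pool_t *p) {
    return alloc_page_in_colors(p, ENCLAVE_COLOR_MASK);
}

uint64_t alloc_os_page(page_pool_t *p) {
    return alloc_page_in_colors(p, ~ENCLAVE_COLOR_MASK & ALL_COLORS_MASK);
}

/* Allocate pages to both sides and count (enclave page, OS page) pairs that
 * share cache sets. With the coloring policy in force this must be 0. */
unsigned count_cross_conflicts(void) {
    page_pool_t pool;
    pool_init(&pool, 0x80000000ull);   /* assumed DRAM base of the pool */
    uint64_t enc[8], os[16];
    for (int i = 0; i < 8; i++) enc[i] = alloc_enclave_page(&pool);
    for (int i = 0; i < 16; i++) os[i] = alloc_os_page(&pool);
    unsigned conflicts = 0;
    for (int i = 0; i < 8; i++)
        for (int j = 0; j < 16; j++)
            if (enc[i] && os[j] && pages_can_conflict(enc[i], os[j])) conflicts++;
    return conflicts;
}

int main(void) {
    /* Without coloring, pages 32 KiB apart land in the same sets. */
    printf("0x80001000 and 0x80009000 share set %u: %s\n", cache_set(0x80001000ull),
           pages_can_conflict(0x80001000ull, 0x80009000ull) ? "yes" : "no");
    printf("cross-partition conflicts with coloring: %u\n", count_cross_conflicts());
    return 0;
}
```

The allocator is the whole mechanism: a page's color is fixed by its physical address, so an enclave kernel that controls physical page assignment can guarantee that untrusted code never receives a page mapping to the enclave's sets. Note that the number of colors depends on the real cache geometry (sets times line size divided by page size), and that a hardware prefetcher or a shared last-level cache on a different SoC changes the analysis.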
SecTEE also provides trusted computing features, including remote attestation, by which a user can verify the identity and security state of an application, a basic security requirement on cloud platforms.
The proposed countermeasure can be applied to all ARM Cortex-A series devices and to other devices with a hardware separation mechanism, such as RISC-V devices with MultiZone Security.
Fig. 1. All existing approaches require modifications to the CPU hardware. (a) Intel SGX for x86 CPUs. (b) Sanctum for RISC-V CPUs. (c) Komodo, which requires a hardware memory encryption engine that ARM CPUs do not have. (Image by ZHAO Shijun)

Fig. 2. The architecture of SecTEE. (Image by ZHAO Shijun)