TZ-IMA: Supporting Integrity Measurement for Applications with ARM TrustZone

  • Conference paper
Information and Communications Security (ICICS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13407))

Abstract

With the development of cloud computing and distributed systems, computer systems have become increasingly complex and open. To protect the integrity of applications, the Integrity Measurement Architecture (IMA) is applied in the Linux kernel. However, traditional operating systems are complex and may contain many potential vulnerabilities; if the sensitive data used by IMA is leaked or modified, the protection mechanism loses its effectiveness. This paper proposes TZ-IMA, a security-enhanced solution for verifying the integrity of applications based on ARM TrustZone technology. The system stores the encrypted reference hash values of applications in the normal world and the encryption key in TrustZone. Before an application is executed, its integrity is checked by the secure world. Moreover, a vPCR module is constructed in TrustZone to protect the measurement list. Based on the trust anchor provided by TrustZone, TZ-IMA enables a challenger to verify that the attesting platform has sufficient integrity to be used. TZ-IMA is implemented on an ARMv8 development board, and the evaluation results show that the overhead is only approximately 5% compared with the original system.
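The abstract describes three pieces that fit together: reference hashes held in the untrusted normal world but protected by a key that only the secure world has, an appraisal of each application before it runs, and a vPCR in TrustZone that a challenger can compare against the reported measurement list. The following Python model is an added illustration of that flow and is not code from the paper or from any TZ-IMA implementation. All class and function names are hypothetical; the secure world is modelled as an ordinary object that owns the key, and an HMAC-SHA256 seal stands in for the paper's encryption of the reference hashes (the point being shown, that the normal world cannot forge a reference value without the secure-world key, is the same). The binary contents and paths are constructed sample data.

```python
"""Model of an IMA-style appraisal backed by a secure-world key and a vPCR.

Hypothetical names throughout; constructed sample data; HMAC seal stands in
for the encrypted reference hashes described in the paper.
"""
import hashlib
import hmac
import os

PCR_SIZE = 32  # SHA-256 digest length; the vPCR starts as all zeros, like a TPM PCR


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def measurement_entry(path: str, file_hash: bytes) -> bytes:
    """One log entry, hashed the same way on both sides of the world boundary."""
    return sha256(path.encode() + file_hash)


class SecureWorld:
    """Stand-in for the TrustZone side: holds the key and the extend-only vPCR."""

    def __init__(self, key: bytes):
        self._key = key              # never exported to the normal world
        self.vpcr = bytes(PCR_SIZE)  # measurement register, only modified by extend

    def seal_reference(self, path: str, ref_hash: bytes) -> tuple:
        """Value the normal world stores: (reference hash, keyed tag over path+hash)."""
        tag = hmac.new(self._key, path.encode() + ref_hash, hashlib.sha256).digest()
        return ref_hash, tag

    def check_and_extend(self, path: str, file_hash: bytes, sealed_ref: tuple) -> bool:
        """Appraise an exec request, then record the measurement in the vPCR."""
        ref_hash, tag = sealed_ref
        expected = hmac.new(self._key, path.encode() + ref_hash, hashlib.sha256).digest()
        ref_authentic = hmac.compare_digest(expected, tag)
        allowed = ref_authentic and hmac.compare_digest(ref_hash, file_hash)
        # Extend regardless of the verdict so a verifier later sees every attempt.
        self.vpcr = sha256(self.vpcr + measurement_entry(path, file_hash))
        return allowed


class NormalWorld:
    """Untrusted side: holds the sealed references and the plaintext measurement list."""

    def __init__(self, secure: SecureWorld):
        self.secure = secure
        self.refs = {}   # path -> (ref_hash, tag)
        self.log = []    # (path, file_hash) per exec, like IMA's runtime measurement list

    def provision(self, path: str, contents: bytes) -> None:
        self.refs[path] = self.secure.seal_reference(path, sha256(contents))

    def exec_request(self, path: str, contents: bytes) -> bool:
        file_hash = sha256(contents)
        self.log.append((path, file_hash))
        return self.secure.check_and_extend(path, file_hash, self.refs[path])


def replay_log(log) -> bytes:
    """Challenger side: recompute the vPCR a reported log should produce."""
    pcr = bytes(PCR_SIZE)
    for path, file_hash in log:
        pcr = sha256(pcr + measurement_entry(path, file_hash))
    return pcr


def run_demo() -> dict:
    secure = SecureWorld(os.urandom(32))
    nw = NormalWorld(secure)
    good = b"\x7fELF good-app v1"          # constructed binary contents
    nw.provision("/usr/bin/good-app", good)

    results = {}
    results["unmodified_allowed"] = nw.exec_request("/usr/bin/good-app", good)
    tampered = good + b" modified"
    results["tampered_allowed"] = nw.exec_request("/usr/bin/good-app", tampered)

    # Rewriting the normal-world reference to match the modified binary does not
    # help: the stored tag no longer matches and the secure world rejects it.
    _, old_tag = nw.refs["/usr/bin/good-app"]
    nw.refs["/usr/bin/good-app"] = (sha256(tampered), old_tag)
    results["forged_ref_allowed"] = nw.exec_request("/usr/bin/good-app", tampered)

    # Remote attestation: the reported log must replay to the quoted vPCR value.
    results["log_verifies"] = replay_log(nw.log) == secure.vpcr
    doctored = [(p, sha256(good)) for p, _ in nw.log]  # log with failures hidden
    results["doctored_log_verifies"] = replay_log(doctored) == secure.vpcr
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two checks a practitioner cares about are the last ones: an honest log replays to the vPCR, while a log edited to hide the rejected executions no longer does, because the register inside the secure world already absorbed those entries and cannot be rewound.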

Acknowledgment

This work was supported by the National Natural Science Foundation of China [grant numbers U19A2060, 62172431].

Author information

Corresponding author

Correspondence to Yan Ding.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Song, L., Ding, Y., Dong, P., Guo, Y., Wang, C. (2022). TZ-IMA: Supporting Integrity Measurement for Applications with ARM TrustZone. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_19

  • DOI: https://doi.org/10.1007/978-3-031-15777-6_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15776-9

  • Online ISBN: 978-3-031-15777-6

  • eBook Packages: Computer Science, Computer Science (R0)