Abstract
With the spread of cloud computing and distributed systems, computer systems have become increasingly complex and open. To protect the integrity of applications, the Integrity Measurement Architecture (IMA) is used in the Linux kernel. However, traditional operating systems are complex and may contain many potential vulnerabilities; if the sensitive data used by IMA is leaked or modified, the protection mechanism loses its effectiveness. This paper proposes TZ-IMA, a security-enhanced solution for verifying the integrity of applications based on ARM TrustZone technology. The system stores the encrypted reference hash values of applications in the normal world and the encryption key in TrustZone. Before an application is executed, its integrity is checked by the secure world. Moreover, a vPCR module is constructed in TrustZone to protect the measurement list. Based on the trust anchor provided by TrustZone, TZ-IMA enables a challenger to verify that the attesting platform has sufficient integrity to be used. TZ-IMA is implemented on an ARMv8 development board, and the evaluation results show that the overhead is only approximately 5% compared with the original system.
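The abstract describes two checks that the secure world performs: comparing a freshly measured application hash against a protected reference value before execution, and accumulating each measurement into a vPCR so that a challenger can replay the measurement list. The following model is an added illustration, not code from the paper or its authors; it assumes SHA-256 digests, a TPM-style extend operation and plaintext reference hashes (the paper's encryption of the reference values and its TrustZone interfaces are not modelled).

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumed, not taken from the paper: SHA-256 digests and a TPM-style extend
# (PCR_new = H(PCR_old || digest)) starting from an all-zero register.
INITIAL_PCR = b"\x00" * 32

def measure(image: bytes) -> bytes:  # digest IMA records for an application image
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """One-way accumulation: earlier entries cannot be removed or reordered."""
    return hashlib.sha256(pcr + digest).digest()

class VirtualPCR:
    """Stands in for the secure-world vPCR: extend-only, never written or reset."""
    def __init__(self) -> None:
        self._value = INITIAL_PCR
    def extend(self, digest: bytes) -> None:
        self._value = extend(self._value, digest)
    def read(self) -> bytes:
        return self._value

def check_and_record(vpcr: VirtualPCR, log: List[Tuple[str, bytes]],
                     reference: Dict[str, bytes], name: str, image: bytes) -> bool:
    """Secure-world pre-execution check: measure, extend, compare with reference."""
    digest = measure(image)
    log.append((name, digest))
    vpcr.extend(digest)
    return hmac.compare_digest(digest, reference.get(name, b""))

def verify_log(log: List[Tuple[str, bytes]], reported_pcr: bytes) -> bool:
    """Challenger side: replay the measurement list and compare with the vPCR."""
    pcr = INITIAL_PCR
    for _, digest in log:
        pcr = extend(pcr, digest)
    return hmac.compare_digest(pcr, reported_pcr)

def demo() -> Tuple[bool, bool, bool, bool]:
    images = {"sshd": b"constructed sshd image", "nginx": b"constructed nginx image"}
    reference = {n: measure(img) for n, img in images.items()}  # constructed allowlist
    vpcr, log = VirtualPCR(), []
    clean_ok = check_and_record(vpcr, log, reference, "sshd", images["sshd"])
    modified_ok = check_and_record(vpcr, log, reference, "nginx", b"constructed modified nginx")
    log_ok = verify_log(log, vpcr.read())
    # Normal-world tampering: rewrite the nginx entry to the expected digest.
    forged = [log[0], ("nginx", reference["nginx"])]
    return clean_ok, modified_ok, log_ok, verify_log(forged, vpcr.read())
```

The last value shows why the vPCR has to live in the secure world: a normal-world attacker can edit the measurement list, but cannot rewind the register it was extended into, so the replayed list no longer matches.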
Acknowledgment
This work was supported by the National Natural Science Foundation of China [grant numbers U19A2060, 62172431].
Copyright information
© 2022 Springer Nature Switzerland AG
Song, L., Ding, Y., Dong, P., Guo, Y., Wang, C. (2022). TZ-IMA: Supporting Integrity Measurement for Applications with ARM TrustZone. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_19
DOI: https://doi.org/10.1007/978-3-031-15777-6_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15776-9
Online ISBN: 978-3-031-15777-6