T-MAC: Protecting Mandatory Access Control System Integrity from Malicious Execution Environment on ARM-Based Mobile Devices

  • Diming ZhangEmail author
  • Liangqiang Chen
  • Fei Xue
  • Hao Wu
  • Hao HuangEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10599)


Mobile security has become increasingly important in mobile computing, hence mandatory access control (MAC) systems have been widely used to protect it. However, malicious code in the mobile system may have significantly impact to the integrity of these MAC systems by forcing them to make the wrong access control decision, because they are running on the same privilege level and memory address space. Therefore, for a trusted MAC system, it is desired to be isolated from the malicious mobile system at runtime. In this paper, we propose a trusted MAC isolation framework called T-MAC to solve this problem. T-Mac puts the MAC system into the enclave provided by the ARM TrustZone so as to avert the direct impact of the malicious code on the access decision process. In the meanwhile, T-MAC provides a MAC supplicant client which runs in the mobile system kernel to effectively lookup policy decisions made by the back-end MAC service in the enclave and to enforce these rules on the system with trustworthy behaviors. Moreover, to protect T-MAC components that are not in the enclave, we not only provide a protection mechanism that enables TrustZone to protect the specific memory region from the compromised system, but establish a secure communication channel between the mobile system and the enclave as well. The prototype is based on SELinux, which is the widely used MAC system, and the base of SEAndroid. The experimental results show that SELinux receives enough protection, and the performance degradation that ranges between 0.53% to 7.34% compared to the original by employing T-MAC.


Trust Mandatory access control Isolation ARM TrustZone 



This work was supported by the National Science Foundation of China grants No. 61321491, and in part by Commission of Economy and Information Technology grants the project of the security protection foundation of operating system based on hardware resource isolation mechanism.


  1. 1.
    Arm, A.: Security technology-building a secure system using TrustZone technology. ARM Technical White Paper (2009)Google Scholar
  2. 2.
    Azab, A.M., Ning, P., Shah, J., Chen, Q., Bhutkar, R., Ganesh, G., Ma, J., Shen, W.: Hypervision across worlds: real-time kernel protection from the ARM TrustZone secure world. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 90–102. ACM (2014)Google Scholar
  3. 3.
    Bugiel, S., Heuser, S., Sadeghi, A.R.: Towards a framework for android security modules: extending SE android type enforcement to android middleware. Cased. nr. Technical report, TUD-CS-2012-0231, 05 December 2012Google Scholar
  4. 4.
    Bugiel, S., Heuser, S., Sadeghi, A.R.: Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies. In: USENIX Security, pp. 131–146 (2013)Google Scholar
  5. 5.
    Carbone, R., Bean, C., Salois, M.: An in-depth analysis of the cold boot attack. DRDC Valcartier, Defence Research and Development, Canada, Technical report (2011)Google Scholar
  6. 6.
    Cheng, Y., Zhou, Z., Miao, Y., Ding, X., Deng, H., et al.: ROPecker: a generic and practical approach for defending against ROP attack (2014)Google Scholar
  7. 7.
    Criswell, J., Dautenhahn, N., Adve, V.: KCoFI: complete control-flow integrity for commodity operating system kernels. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 292–307. IEEE (2014)Google Scholar
  8. 8.
    Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., Nürnberger, S., Sadeghi, A.R.: MoCFI: a framework to mitigate control-flow attacks on Smartphones. In: NDSS, vol. 2, p. 27 (2012)Google Scholar
  9. 9.
    Ge, X., Vijayakumar, H., Jaeger, T.: Sprobes: enforcing kernel code integrity on the TrustZone architecture. arXiv preprint arXiv:1410.7747 (2014)
  10. 10.
    Göktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 575–589. IEEE (2014)Google Scholar
  11. 11.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)CrossRefGoogle Scholar
  12. 12.
    Hund, R.: Return-oriented rootkits. In: SPRING-SIDAR Graduierten-Workshop über Reaktive Sicherheit, 14–15 September 2009, Stuttgart, Deutschland (2010)Google Scholar
  13. 13.
    Lee, S.M., Suh, S.B., Jeong, B., Mo, S.: A multi-layer mandatory access control mechanism for mobile devices based on virtualization. In: 2008 5th IEEE Consumer Communications and Networking Conference, CCNC 2008, pp. 251–256. IEEE (2008)Google Scholar
  14. 14.
    Li, W., Li, H., Chen, H., Xia, Y.: AdAttester: secure online mobile advertisement attestation using TrustZone. In: Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services, pp. 75–88. ACM (2015)Google Scholar
  15. 15.
    Pirker, M., Slamanig, D.: A framework for privacy-preserving mobile payment on security enhanced ARM TrustZone platforms. In: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1155–1160. IEEE (2012)Google Scholar
  16. 16.
    Ray, S., Stephen, S., Peter, L., Mike, H., Dave, A., Jay, L.: The flask security architecture: system support for diverse security policies, pp. 123–140 (1999)Google Scholar
  17. 17.
    Reineh, A.A., Petracca, G., Uusilehto, J., Martin, A.: Enabling secure and usable mobile application: revealing the nuts and bolts of software TPM in todays mobile devices. arXiv preprint arXiv:1606.02995 (2016)
  18. 18.
    Rosenberg, D.: QSEE TrustZone kernel integer over flow vulnerability. In: Black Hat Conference (2014)Google Scholar
  19. 19.
    Sadeghi, A.R.: Mobile security and privacy: the quest for the mighty access control. In: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, pp. 1–2. ACM (2013)Google Scholar
  20. 20.
    Santos, N., Raj, H., Saroiu, S., Wolman, A.: Using ARM TrustZone to build a trusted language runtime for mobile applications. In: ACM SIGARCH Computer Architecture News, vol. 42, pp. 67–80. ACM (2014)Google Scholar
  21. 21.
    Shen, D.: Exploiting TrustZone on Android. Black Hat US (2015)Google Scholar
  22. 22.
    Smalley, S., Craig, R.: Security enhanced (SE) Android: bringing flexible MAC to Android. In: NDSS, vol. 310, pp. 20–38 (2013)Google Scholar
  23. 23.
    Sun, H., Sun, K., Wang, Y., Jing, J.: TrustOTP: transforming Smartphones into secure one-time password tokens. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 976–988. ACM (2015)Google Scholar
  24. 24.
    Sun, H., Sun, K., Wang, Y., Jing, J., Wang, H.: TrustICE: hardware-assisted isolated computing environments on mobile devices. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 367–378. IEEE (2015)Google Scholar
  25. 25.
    Vogl, S., Pfoh, J., Kittel, T., Eckert, C.: Persistent data-only malware: function hooks without code. In: NDSS (2014)Google Scholar
  26. 26.
    Yang, B., Yang, K., Qin, Y., Zhang, Z., Feng, D.: DAA-TZ: an efficient DAA scheme for mobile devices using ARM TrustZone. In: Conti, M., Schunter, M., Askoxylakis, I. (eds.) Trust 2015. LNCS, vol. 9229, pp. 209–227. Springer, Cham (2015). doi: 10.1007/978-3-319-22846-4_13 CrossRefGoogle Scholar
  27. 27.
    Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., Zou, W.: Practical control flow integrity and randomization for binary executables. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 559–573. IEEE (2013)Google Scholar
  28. 28.
    Zhang, N., Sun, H., Sun, K., Lou, W., Hou, Y.T.: CacheKit: evading memory introspection using cache incoherence. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 337–352. IEEE (2016)Google Scholar
  29. 29.
    Zhang, N., Sun, K., Lou, W., Hou, Y.T.: Case: cache-assisted secure execution on ARM processors. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 72–90. IEEE (2016)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Department of Computer Science and TechnologyNanjing UniversityNanjingChina
  2. 2.School of Computer Science and EngineeringJiangsu University of Science and TechnologyZhenjiangChina

Personalised recommendations