ARM TrustZone is one of the most widely deployed security architecture providing Trusted Execution Environments (TEEs). Unfortunately, its usage and potential benefits for application developers and end users are largely limited due to restricted deployment policies imposed by device vendors. Restriction is enforced since every Trusted App (TA) increases the TEE's attack surface: any vulnerable or malicious TA can compromise the system's security. Hence, deploying a TA requires mutual trust between device vendor and application developer, incurring high costs for both. Vendors work around this by offering interfaces to selected TEE functionalities, however, these are not sufficient to securely implement advanced mobile services like banking. Extensive discussion of Intel's SGX technology in academia and industry has unveiled the demand for an unrestricted use of TEEs, yet no comparable security architecture for mobile devices exists to this day. We propose SANCTUARY, the first security architecture which allows unconstrained use of TEEs in the TrustZone ecosystem without relying on virtualization. SANCTUARY enables execution of security-sensitive apps within strongly isolated compartments in TrustZone's normal world comparable to SGX's user-space enclaves. In particular, we leverage TrustZone's versatile Address-Space Controller available in current ARM System-on-Chip reference designs, to enforce two-way hardware-level isolation: (i) security-sensitive apps are shielded against a compromised normal-world OS, while (ii) the system is also protected from potentially malicious apps in isolated compartments. Moreover, moving security-sensitive apps from the TrustZone's secure world to isolated compartments minimizes the TEE's attack surface. Thus, mutual trust relationships between device vendors and developers become obsolete: the full potential of TEEs can be leveraged. We demonstrate practicality and real-world benefits of SANCTUARY by thoroughly evaluating our prototype on a HiKey 960 development board with microbenchmarks and a use case for one-time password generation in two-factor authentication.
Nonsurgical management of blunt splenic injury in children is a well-established method to salvage splenic function; however, nonsurgical management of adult blunt splenic trauma remains controversial. To assess the value of preoperative abdominal CT in predicting the outcome of blunt splenic injury in adults, a CT-based injury-severity score consisting of four grades was devised and applied in 39 adult patients with blunt splenic injury as the sole or predominant intraperitoneal injury detected with preoperative CT. While patients with high grades of splenic injury generally required early surgery, eight (35%) of 23 patients with initial grade 3 or 4 injury were treated successfully without surgery, and four (29%) of 15 patients with grade 1 or 2 injury initially treated nonsurgically required delayed celiotomy (n = 3) or emergency rehospitalization. Results show that while CT remains an accurate method of identifying and quantifying initial splenic injury, as well as documenting progression or healing of critical injury, CT cannot reliably help predict the outcome of blunt splenic injury in adults. Treatment choices should therefore be based on the hemodynamic status of the patient and results of serial laboratory and bedside assessments.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.