Ginseng: Keeping Secrets in Registers When You Distrust the Operating System

Yun, Min Hong; Lin, Zhouchen

doi:10.14722/ndss.2019.23327

Cited by 23 publications

(9 citation statements)

References 54 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Therefore, we do not protect against physical attacks. However, if the program does not use any I/O devices, it can use on-chip computation and memory encryption to protect its secrets against physical attacks [87][88][89]. These are orthogonal to our design and hence can simply be added to our machine.…”

Section: Security Analysismentioning

confidence: 99%

A Personal Computer for a Distrustful World

Yao¹,

Talebi²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

Personal computer owners often want to be able to run security-critical programs on the same machine as other untrusted and potentially malicious programs. While ostensibly trivial, this requires users to trust hardware and system software to correctly sandbox malicious programs, trust that is often misplaced. Our goal is to minimize the number and complexity of hardware and software components that a computer owner needs to trust to withstand adversarial inputs. We present a hardware design, called the split-trust machine model, which is composed of statically-partitioned, physically-isolated trust domains. We introduce a few simple, formally-verified hardware components to enable a program to gain provably exclusive and simultaneous access to both computation and I/O on a temporary basis. To manage this hardware, we present OctopOS, an OS composed of mutually distrustful subsystems.We present a prototype of this machine (hardware and OS) on a CPU-FPGA board and show that it incurs a small hardware cost compared to modern SoCs. For security-critical programs, we show that this machine significantly reduces the required trust compared to mainstream TEEs, and for normal programs, we show that it achieves similar performance as a legacy machine.

show abstract

Section: Security Analysismentioning

confidence: 99%

A Personal Computer for a Distrustful World

Yao¹,

Talebi²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…TEEv [78] PrOS [79] SANCTUARY [80] Ginseng [81] K. Ryan [61] Table VIII Examples of representative papers that contribute with relevant defense techniques (Dxx) for overcoming reported TrustZone-assisted TEE issues. For architectural issues, filled circle in attack surface, world isolation, memory protection, or trust bootstrapping: the paper proposes D01, D02, D03, D04, respectively.…”

Section: Defenses For Trustzone-assisted Teesmentioning

confidence: 99%

“…To bridge this gap, CaSE [71] allows TAs to run entirely from the cache and ensures that their state is encrypted while written back to main memory. Along the same vein, Ginseng [81] protects variables tagged by the application programmer as "sensitive", by allocating them on CPU registers and encrypting them at runtime before saving them in memory.…”

Section: D01 Multi-isolated Environmentsmentioning

confidence: 99%

“…Given that Rust provides memory and thread-safety, RustZone can help prevent validation bugs and some concurrency bugs responsible for crippling TA software (see I11). The Rust programming language has also been used in Ginseng [81] for implementing a large part of the software that runs in monitor mode, i.e., the GService (see I10). D07.…”

Section: B Implementation Defensesmentioning

confidence: 99%

See 1 more Smart Citation

SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems

Cerdeira

Santos

Fonseca

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

117

View full text Add to dashboard Cite

Hundreds of millions of mobile devices worldwide rely on Trusted Execution Environments (TEEs) built with Arm TrustZone for the protection of security-critical applications (e.g., DRM) and operating system (OS) components (e.g., Android keystore). TEEs are often assumed to be highly secure; however, over the past years, TEEs have been successfully attacked multiple times, with highly damaging impact across various platforms. Unfortunately, these attacks have been possible by the presence of security flaws in TEE systems. In this paper, we aim to understand which types of vulnerabilities and limitations affect existing TrustZone-assisted TEE systems, what are the main challenges to build them correctly, and what contributions can be borrowed from the research community to overcome them. To this end, we present a security analysis of popular TrustZone-assisted TEE systems (targeting Cortex-A processors) developed by Qualcomm, Trustonic, Huawei, Nvidia, and Linaro. By studying publicly documented exploits and vulnerabilities as well as by reverse engineering the TEE firmware, we identified several critical vulnerabilities across existing systems which makes it legitimate to raise reasonable concerns about the security of commercial TEE implementations.

show abstract

“…第 2 种方式的代表性方案是 CaSE [36] , 该方案使用 TrustZone 和缓存作为 RAM 的技术创建了一个基于缓存的执行环境, 解决了 TrustZone 无法抵御冷启动攻击的问题. 其他方案还有 Ginseng [37] , 其思路与前者类似. 现有的这些方案可以解决 TCB 过大的问题, 但并没有考虑受保护应用如何安全地调用不可信 REE 系统服务的问题, 实用性方面存在较大缺陷.…”

Section: 移动可信计算体系结构unclassified