Aster: Fixing the Android TEE Ecosystem with Arm CCA

Mark Kuhne, Supraja Sridhara, Andrin Bertschi, Nicolas Dutly, Srdjan Capkun, Shweta Shinde
2024-07-24
Abstract: The Android ecosystem relies on either TrustZone (e.g., OP-TEE, QTEE, Trusty) or trusted hypervisors (pKVM, Gunyah) to isolate security-sensitive services from malicious apps and Android bugs. TrustZone allows any secure world code to access the normal world that runs Android. Similarly, a trusted hypervisor has full access to Android running in one VM and security services in other VMs. In this paper, we motivate the need for mutual isolation, wherein Android, hypervisors, and the secure world are isolated from each other. Then, we propose a sandboxed service abstraction, such that a sandboxed execution cannot access any other sandbox, Android, hypervisor, or secure world memory. We present Aster which achieves these goals while ensuring that sandboxed execution can still communicate with Android to get inputs and provide outputs securely. Our main insight is to leverage the hardware isolation offered by Arm Confidential Computing Architecture (CCA). However, since CCA does not satisfy our sandboxing and mutual isolation requirements, Aster repurposes its hardware enforcement to meet its goals while addressing challenges such as secure interfaces, virtio, and protection against interrupts. We implement Aster to demonstrate its feasibility and assess its compatibility. We take three case studies, including one currently deployed on Android phones and insufficiently secured using a trusted hypervisor, to demonstrate that they can be protected by Aster.
Cryptography and Security
What problem does this paper attempt to address?
The paper addresses security weaknesses in the Android ecosystem, specifically the deficiencies of the TrustZone model. It points out the following problems:

1. **Over-privileged Secure World**: The current TrustZone architecture allows code in the secure world to access all memory in the normal world, making the secure world over-privileged. Any trusted application (TA) running in the secure world can therefore threaten the security of the entire system: since TAs may contain implementation errors or vulnerabilities, an attacker who exploits such a flaw gains full access to the normal world.
2. **Insecure Interface Definition and Shared Memory Mechanism**: Many TAs in the secure world have design flaws, especially in how their interfaces are defined and how shared memory is managed. This allows malicious applications to bypass isolation restrictions through shared buffers and read or modify normal world memory.
3. **Lack of Hardware-level Attestation**: TrustZone lacks hardware-level attestation, so software-generated attestation reports are easy to tamper with and cannot guarantee the authenticity and integrity of trusted application versions.

To address these issues, the paper proposes a new framework called ASTER, which leverages the features of Arm Confidential Computing Architecture (CCA) to redesign the system architecture for stronger isolation and a sandbox mechanism. Its specific goals are:

- **Mutual Isolation**: Isolating Android, virtual machines, and the secure world from one another, so that no party can directly access the memory of the others.
- **Sandboxed Services**: Ensuring that even if a security-sensitive service is compromised, the impact stays confined to its sandbox and does not affect other parts of the system.
- **Secure Interfaces**: Reducing the attack surface by restricting and standardizing how interfaces are accessed.
- **Hardware Attestation**: Using hardware-provided local and remote attestation to ensure that every sandboxed service is verified before it starts.

In summary, the core purpose of the paper is to overcome the limitations of the existing TrustZone solution and improve the overall security of the Android ecosystem by redesigning the system architecture on top of Arm CCA.