SeCloak: ARM TrustZone-based Mobile Peripheral Control
Matthew Lentz, Rijurekha Sen, Peter Druschel, Bobby Bhattacharjee
Slide transcript (34 pages), cs.umd.edu; posted 17-Jan-2022

TRANSCRIPT

Page 1

SeCloak: ARM TrustZone-based Mobile Peripheral Control
Matthew Lentz, Rijurekha Sen, Peter Druschel, Bobby Bhattacharjee

Page 2

Control Over Your Devices
Mobile devices have powerful sensing and communication capabilities, but these can be misused by malicious software!
Consider two important scenarios: a journalist uses airplane mode while meeting with a source; a user turns off the microphone to prevent snooping.
[Figure: Sensing = Camera, Microphone, Location, Motion, Orientation; Communication = NFC, Bluetooth, WiFi, Cellular, …]

Page 3

Users Have Limited Control
There are two fundamental issues:
- Incomplete settings: some peripherals have no switch at all (e.g., the motion sensors on Android).
- No assurance that settings are enforced: the platform as a whole has been shown to be hard to secure.

Page 4

Problem Statement
What is minimally required to give users secure control over their devices, without affecting usability or stability and without changes to existing software?

Page 6

SeCloak - "Secure Cloak"
What is minimally required to give users secure control over their devices?
SeCloak provides secure "virtual" switches to users for each peripheral class.
[Figure: Sensing = Camera, Microphone, Location, Motion, Orientation; Communication = NFC, Bluetooth, WiFi, Cellular. The untrusted apps & OS sit above a SeCloak enforcement layer, which sits in front of the peripherals.]

Page 9

SeCloak Design
[Figure: the SeCloak Settings App (untrusted) passes a Policy to SeKernel (trusted)]
SeCloak Settings App (untrusted):
- Provides a UI similar to traditional settings menus
- Communicates policy settings to SeKernel
SeKernel (trusted):
- Securely (re)displays the policy and obtains user confirmation
- Configures HW protections to disable untrusted access
- Handles access faults to enforce the user's policy

Page 10

SeCloak on ARM TrustZone
ARM TrustZone supports two "worlds". The Non-Secure (NS) world runs the untrusted kernel (e.g., Linux) and the SeCloak Settings App; the Secure (S) world runs SeKernel. TrustZone isolates SeKernel from the untrusted kernel and apps, and allows SeKernel to configure the hardware protections. The policy crosses from the NS world to SeKernel via an SMC (Secure Monitor Call).

Page 13

Hardware Protections
[Figure: NS world (Linux kernel, SeCloak Settings App) and S world (SeKernel) joined by SMC; devices reach the CPU through the IRQ controller and are reached over the system bus through a firewall]
1. IRQ controller: set the owner of each device IRQ to either the Kernel or SeKernel.
2. System-bus firewall in front of each device's MMIO window: configure it to deny accesses made by the Kernel; the resulting access faults are reported to SeKernel.
How do we securely identify these protection domains for devices?

Page 14

Device Tree (DT)
The Device Tree specifies the embedded hardware: each node represents a device (a bus, a peripheral, or an interrupt controller), and nodes contain configuration properties.
[Figure: soc > aips2 > uart3 > bt, and soc > intc. uart3 carries MMIO = <Addr, Size> and IRQ = <28>; intc carries MMIO = <Addr, Size>]

Page 15

DT with SeCloak Properties
SeCloak adds two properties to the DT. Security corresponds to the HW firewall configuration for the device; Class associates a known setting name with a device.
SeKernel verifies and parses a signed DT, so the untrusted kernel cannot alter which hardware a setting covers.
[Figure: same tree as Page 14. uart3 now carries MMIO = <Addr, Size>, IRQ = <28>, Security = <70>; bt carries Class = "Bluetooth"; intc carries MMIO = <Addr, Size>]

Page 16

Application Functionality
[Screenshot: SeCloak Settings App]

Page 18

Example: Disabling Bluetooth
[Figure: the user sets "Bluetooth Disabled" in the SeCloak Settings App; the NS kernel (e.g., Linux) forwards CLOAK_SET([010…0]) to SeKernel over SMC]
The policy could be modified by malicious software on its way from the app to SeKernel!

Page 19

SeKernel: Confirming Policy
On receiving CLOAK_SET([010…0]), SeKernel:
1. Acquires the display and input devices
2. Turns on the LED to notify the user that SeKernel is active
3. (Re)Displays the settings to the user
4. Waits for the user to confirm whether to apply the settings

Page 24

SeKernel: Applying Policy
CLOAK_SET([010…0]) selects the "Bluetooth" class. In the DT that class is attached to the bt node under uart3, whose properties are MMIO = <Addr, Size>, IRQ = <28>, Security = <70>. The i2c3 node (Security = <25>) and its ft5x06 child (Class = "Touchscreen") are not affected.
For all devices in the selected subtree:
- Secure and disable their IRQs
- Configure the firewall protections
- Set up the fault handler for their MMIO accesses
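
The walk from a CLOAK_SET bitmap to the three hardware actions on Pages 15 and 24 can be shown on a flattened copy of the slide's tree. The following is an added example, not SeKernel's code: the node table, the register addresses (only IRQ 28 comes from the slide), the bit ordering of the bitmap (chosen so that [010…0] means Bluetooth) and the rule that a class node without resources of its own (bt behind uart3) pulls in its nearest resource-owning ancestor are all assumptions made here; the slides say only that the subtree is walked. The Security values are collected as firewall group numbers; programming the actual firewall is out of scope.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One DT node, flattened into a static table (constructed for this example). */
typedef struct {
    const char *name;
    int parent;                    /* index of the parent node, -1 for the root */
    const char *cls;               /* SeCloak "Class" property, or NULL */
    int security;                  /* SeCloak "Security" property (firewall group), -1 if none */
    uint32_t mmio_base, mmio_size; /* register window; size 0 if the node has none */
    int irq;                       /* -1 if the node raises no interrupt */
} dt_node_t;

/* The slide's tree. Addresses and IRQ 38 are illustrative, not a real SoC map. */
static const dt_node_t dt[] = {
    /* name      parent cls            sec  mmio_base    size     irq */
    { "soc",     -1,    NULL,          -1,  0,           0,       -1 },
    { "intc",     0,    NULL,          -1,  0x00A01000u, 0x1000u, -1 },
    { "aips2",    0,    NULL,          -1,  0,           0,       -1 },
    { "uart3",    2,    NULL,          70,  0x021EC000u, 0x4000u, 28 },
    { "bt",       3,    "Bluetooth",   -1,  0,           0,       -1 },
    { "i2c3",     2,    NULL,          25,  0x021A8000u, 0x4000u, 38 },
    { "ft5x06",   5,    "Touchscreen", -1,  0,           0,       -1 },
};
#define DT_NODES (sizeof dt / sizeof dt[0])

/* Bit i of the CLOAK_SET bitmap disables classes[i]. The ordering is an
 * assumption chosen so that the slide's [010...0] selects Bluetooth. */
static const char *classes[] = { "Camera", "Bluetooth", "Touchscreen", "WiFi" };
#define N_CLASSES (sizeof classes / sizeof classes[0])

/* The hardware actions SeKernel derives from one CLOAK_SET. */
typedef struct {
    int irqs[DT_NODES];   int n_irqs;     /* IRQs to move to the S world and mask */
    int groups[DT_NODES]; int n_groups;   /* firewall groups to switch to deny-NS */
    uint32_t bases[DT_NODES], sizes[DT_NODES]; int n_ranges; /* windows the fault handler must cover */
} cloak_plan_t;

static bool is_descendant(int node, int root) {
    for (int n = node; n != -1; n = dt[n].parent)
        if (n == root) return true;
    return false;
}

static bool has_resources(int n) {
    return dt[n].mmio_size != 0 || dt[n].irq != -1 || dt[n].security != -1;
}

static bool class_disabled(uint32_t cloak_set, const char *cls) {
    for (size_t i = 0; i < N_CLASSES; i++)
        if (((cloak_set >> i) & 1u) && strcmp(classes[i], cls) == 0) return true;
    return false;
}

static void add_unique(int *arr, int *n, int v) {
    for (int i = 0; i < *n; i++) if (arr[i] == v) return;
    arr[(*n)++] = v;
}

/* Translate a CLOAK_SET bitmap into per-device actions. */
void apply_cloak_set(uint32_t cloak_set, cloak_plan_t *plan) {
    bool marked[DT_NODES] = { false };
    memset(plan, 0, sizeof *plan);

    /* Step 1: mark every node whose Class is disabled, plus its whole subtree. */
    for (size_t root = 0; root < DT_NODES; root++) {
        if (dt[root].cls == NULL || !class_disabled(cloak_set, dt[root].cls)) continue;
        for (size_t n = 0; n < DT_NODES; n++)
            if (is_descendant((int)n, (int)root)) marked[n] = true;
        /* Assumption: a class node with no resources of its own is reached
         * through its parent controller, so cloak the nearest ancestor that
         * owns MMIO/IRQ/Security as well (bt -> uart3 on the slide). */
        if (!has_resources((int)root)) {
            int p = dt[root].parent;
            while (p != -1 && !has_resources(p)) p = dt[p].parent;
            if (p != -1) marked[p] = true;
        }
    }

    /* Step 2: the three actions from Page 24, one entry per marked device. */
    for (size_t n = 0; n < DT_NODES; n++) {
        if (!marked[n]) continue;
        if (dt[n].irq != -1)      add_unique(plan->irqs, &plan->n_irqs, dt[n].irq);
        if (dt[n].security != -1) add_unique(plan->groups, &plan->n_groups, dt[n].security);
        if (dt[n].mmio_size != 0) {
            plan->bases[plan->n_ranges] = dt[n].mmio_base;
            plan->sizes[plan->n_ranges] = dt[n].mmio_size;
            plan->n_ranges++;
        }
    }
}

int main(void) {
    cloak_plan_t plan;
    apply_cloak_set(1u << 1, &plan);   /* the slide's CLOAK_SET([010...0]): Bluetooth off */
    for (int i = 0; i < plan.n_irqs; i++)   printf("secure and mask IRQ %d\n", plan.irqs[i]);
    for (int i = 0; i < plan.n_groups; i++) printf("firewall group %d: deny NS\n", plan.groups[i]);
    for (int i = 0; i < plan.n_ranges; i++) printf("trap MMIO 0x%08x + 0x%x\n", plan.bases[i], plan.sizes[i]);
    return 0;
}
```

Disabling Bluetooth yields exactly one IRQ (28), one firewall group (70) and one MMIO window, all belonging to uart3; the i2c3 subtree with its own group 25 is left alone, which is what Page 24 shows.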

Page 27

SeKernel: Fault Handling
What happens if the Kernel accesses a protected device?
[Figure: the NS kernel's MMIO access to the BT device is blocked by the system-bus firewall, which raises an access fault that lands in SeKernel]
1. Determine the instruction and the data address. The faulting instruction, (LDR|STR) Reg, [Address], is recovered by disassembling the instruction; the data address comes from the CPU fault information.
2. Look up and enforce the policy for that address:
- Allow: issue the LDR/STR on the Kernel's behalf and optionally modify the value. This case arises for a set of devices that share a common firewall security group, or for a device shared between the NS and S worlds.
- Deny: discard the STR, or return 0 for the LDR.
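
The two steps above, as an added example in C that is not SeKernel's code and not taken from its OP-TEE base. It runs on a constructed model of what the secure world would have after the abort: the saved NS registers, with regs[15] holding the address of the faulting instruction, the data address from the fault information, and the instruction word at that address. The policy table, its addresses and the hide_mask mechanism used for the "optionally modify value" case are assumptions made here; the example also goes slightly beyond the slide by handling byte accesses and by reporting encodings it cannot emulate as unhandled instead of guessing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Saved non-secure context as the fault handler sees it (constructed model):
 * regs[15] is the address of the faulting instruction, dfar the data address
 * reported by the CPU, insn the instruction word fetched from regs[15]. */
typedef struct {
    uint32_t regs[16];
    uint32_t dfar;
    uint32_t insn;
} ns_fault_t;

typedef enum { ACC_UNHANDLED, ACC_ALLOWED, ACC_DENIED } fault_verdict_t;

/* Per-window policy. A cloaked window is denied. An uncloaked window that
 * still faults (same firewall group as a cloaked device, or a device shared
 * between NS and S) is allowed; hide_mask is an assumed mechanism for the
 * slide's "optionally modify value": those bits read as 0 and are never
 * written from NS. */
typedef struct {
    const char *cls;
    uint32_t base, size;
    bool cloaked;
    uint32_t hide_mask;
} mmio_policy_t;

#define WIN_SIZE 0x4000u
static mmio_policy_t policy[] = {          /* illustrative addresses, not a real SoC map */
    { "Bluetooth", 0x021EC000u, WIN_SIZE, true,  0 },
    { "WiFi",      0x02190000u, WIN_SIZE, false, 0 },           /* same group as Bluetooth */
    { "Shared",    0x020AC000u, WIN_SIZE, false, 0x0000FF00u }, /* NS/S-shared device */
};
#define N_POLICY (sizeof policy / sizeof policy[0])
static uint32_t dev_regs[N_POLICY][WIN_SIZE / 4];   /* stand-ins for the MMIO windows */

typedef struct { bool valid, load, byte; unsigned rt, rn; } ls_insn_t;

/* Decode an A32 single word/byte LDR/STR with immediate or register offset and
 * no writeback. Anything else (LDRH, LDM, post-indexed forms, ...) is reported
 * as unhandled rather than emulated wrongly. */
static ls_insn_t decode_ldr_str(uint32_t insn) {
    ls_insn_t d = { 0 };
    unsigned op = (insn >> 25) & 7u;
    bool imm_form = (op == 2u);
    bool reg_form = (op == 3u) && ((insn >> 4) & 1u) == 0;
    bool p = (insn >> 24) & 1u, w = (insn >> 21) & 1u;
    if (((insn >> 28) & 0xFu) == 0xFu) return d;   /* unconditional encodings */
    if (!imm_form && !reg_form) return d;
    if (!p || w) return d;                         /* writeback would need Rn updated */
    d.valid = true;
    d.load = (insn >> 20) & 1u;
    d.byte = (insn >> 22) & 1u;
    d.rn = (insn >> 16) & 0xFu;
    d.rt = (insn >> 12) & 0xFu;
    return d;
}

static mmio_policy_t *lookup_policy(uint32_t addr, size_t *idx) {
    for (size_t i = 0; i < N_POLICY; i++)
        if (addr - policy[i].base < policy[i].size) { *idx = i; return &policy[i]; }
    return NULL;
}

/* Steps 1 and 2 of the slide: decode the faulting instruction, take the data
 * address from the fault information, look up the policy and emulate. */
fault_verdict_t handle_access_fault(ns_fault_t *f) {
    ls_insn_t d = decode_ldr_str(f->insn);
    if (!d.valid || d.rt == 15) return ACC_UNHANDLED;
    size_t i;
    mmio_policy_t *p = lookup_policy(f->dfar, &i);
    if (!p) return ACC_UNHANDLED;                  /* not a window we manage */

    fault_verdict_t v;
    if (p->cloaked) {
        if (d.load) f->regs[d.rt] = 0;             /* Deny: LDR reads 0, STR is dropped */
        v = ACC_DENIED;
    } else {
        uint32_t off = f->dfar - p->base;          /* Allow: do the access from S */
        uint32_t *reg = &dev_regs[i][off / 4];
        unsigned shift = (off & 3u) * 8u;
        if (d.load) {
            uint32_t val = *reg & ~p->hide_mask;
            f->regs[d.rt] = d.byte ? (val >> shift) & 0xFFu : val;
        } else {
            uint32_t wmask = (d.byte ? 0xFFu << shift : 0xFFFFFFFFu) & ~p->hide_mask;
            uint32_t src = d.byte ? (f->regs[d.rt] & 0xFFu) << shift : f->regs[d.rt];
            *reg = (*reg & ~wmask) | (src & wmask);
        }
        v = ACC_ALLOWED;
    }
    f->regs[15] += 4;                              /* resume NS after the instruction */
    return v;
}

int main(void) {
    ns_fault_t f = { 0 };
    f.regs[1] = policy[0].base; f.dfar = f.regs[1];
    f.insn = 0xE5910000u;                          /* LDR r0, [r1] on the cloaked BT window */
    f.regs[0] = 0xDEADBEEFu;
    printf("verdict %d, r0 = 0x%08x\n", handle_access_fault(&f), f.regs[0]);
    return 0;
}
```

The denied path is what makes a cloaked device look absent rather than broken: loads return 0 and stores vanish, and the NS kernel resumes at the next instruction as if the access had completed. Whether the unhandled cases (writeback forms, LDM/STM, halfword accesses) are emulated or treated as a policy violation is a design decision the slides do not settle.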

Page 28

Evaluation
Prototype on the Nitrogen6X board: i.MX6 SoC with an ARM Cortex-A9 at 1 GHz.
SeKernel is implemented in under 15k LoC, based on a pared-down OP-TEE OS, and includes drivers for the CSU (the i.MX6 Central Security Unit, which implements the bus firewall), the framebuffer, GPIO, and the keypad.
Benchmarks demonstrate reasonable overhead. Repeated accesses to a WiFi controller register:

Instruction execution   Load (LDR) time (µs)   Store (STR) time (µs)
Baseline                0.11                   0.29
Emulated                1.14                   1.19

Page 29

Summary
SeCloak enforces user-specified on/off control policies for peripherals; a small enforcement kernel runs alongside any OS.
[Figure: Camera, Microphone, Location, Motion, Orientation, …; NFC, Bluetooth, WiFi, Cellular; the untrusted apps & OS sit above the SeCloak enforcement layer]
Source code is available at: www.cs.umd.edu/projects/secureio

Page 30

Backup Slides

Page 31

SeKernel: LoC Breakdown

Page 32

Micro: Emulated LDR/STRs

Page 33

Macro: Emulated Wi-Fi

Page 34

SeKernel: Emulation Details