CVTEE: A Compatible Verified TEE Architecture With Enhanced Security

Sensitive resources in Trusted Execution Environment (TEE) have suffered serious security threats in recent years. Previous protection approaches either lack a strong assurance of TEE security properties or are limited to a single platform. We propose a compatible verified TEE architecture, called C...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on dependable and secure computing 2023-01, Vol.20 (1), p.377-391
Main Authors: Miao, Xinliang, Chang, Rui, Zhao, Jianhong, Zhao, Yongwang, Cao, Shuang, Wei, Tao, Jiang, Liehui, Ren, Kui
Format: Article
Language:English
Subjects:
Access control
Computer architecture
Flow control
formal verification
functional specification
Information flow
Kernel
Microprogramming
Monitoring
Runtime
Security
Security management
security monitor
Theorems
Trusted execution environment
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Sensitive resources in Trusted Execution Environment (TEE) have suffered serious security threats in recent years. Previous protection approaches either lack a strong assurance of TEE security properties or are limited to a single platform. We propose a compatible verified TEE architecture, called CVTEE , which delegates a security monitor to manage TEE resources securely. This architecture has two key advantages: i) its functional correctness and security are guaranteed by a machine-checkable proof of security objectives of Trusted Application (TA) isolation, runtime confidentiality, and runtime integrity, and ii) it is applicable to different TEE platforms and implementation-independent due to its high level of abstraction and non-determinism of data types. Note that access control policy and information flow control policy are the core for security management of resources. After formally specifying the security attributes of TEE resources, we develop these policies based on Common Criteria (CC) in the security monitor and provide atomic interfaces. CVTEE is formally verified with 386 lemmas/theorems and \sim ∼ 10,000 LOC of Isabelle/HOL. In addition, we implement a proof of concept for the access control module of Teaclave, and prove that the constructed access control model meets the security requirements through 5 theorems.
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2021.3133576