TY - GEN
T1 - Minimizing a Smartphone's TCB for Security-Critical Programs with Exclusively-Used, Physically-Isolated, Statically-Partitioned Hardware
AU - Yao, Zhihao
AU - Seyed Talebi, Seyed Mohammadjavad
AU - Chen, Mingyi
AU - Amiri Sani, Ardalan
AU - Anderson, Thomas
N1 - Publisher Copyright:
© 2023 Owner/Author(s).
PY - 2023/6/18
Y1 - 2023/6/18
AB - Smartphone owners often need to run security-critical programs on the same device as other untrusted and potentially malicious programs. This requires users to trust hardware and system software to correctly sandbox malicious programs, trust that is often misplaced. Our goal is to minimize the number and complexity of hardware and software components that a smartphone owner needs to trust. We present a split-trust hardware design composed of statically-partitioned, physically-isolated trust domains. We introduce a few simple, formally-verified hardware components to enable a program to gain provably exclusive and simultaneous access to both computation and I/O on a temporary basis. To manage this hardware, we present OctopOS, an OS composed of mutually distrustful subsystems. We present a prototype of this machine (hardware and OS) on a CPU-FPGA board and show that it incurs a small hardware cost compared to modern smartphone SoCs. For security-critical programs, we show that this machine significantly reduces the required trust compared to mainstream TEEs while achieving usable performance. For normal programs, performance is similar to a legacy machine.
KW - exclusive use
KW - physical isolation
KW - static partitioning
UR - http://www.scopus.com/inward/record.url?scp=85165533177&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85165533177&partnerID=8YFLogxK
U2 - 10.1145/3581791.3596864
DO - 10.1145/3581791.3596864
M3 - Conference contribution
AN - SCOPUS:85165533177
T3 - MobiSys 2023 - Proceedings of the 21st Annual International Conference on Mobile Systems, Applications and Services
SP - 233
EP - 246
BT - MobiSys 2023 - Proceedings of the 21st Annual International Conference on Mobile Systems, Applications and Services
PB - Association for Computing Machinery, Inc
T2 - 21st Annual International Conference on Mobile Systems, Applications and Services, MobiSys 2023
Y2 - 18 June 2023 through 22 June 2023
ER -
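The abstract's central claim is that a program can gain provably exclusive access to an I/O device on a temporary basis, enforced by a small, formally verified hardware arbiter rather than by a large OS or TEE. The block below is an added illustration, not code from the paper, its prototype hardware or OctopOS: it models a toy exclusive-use arbiter as a finite state machine and exhaustively explores every interleaving of requests, releases and clock ticks to check the invariant that any domain which believes it holds the device really is the arbiter's current owner. The domain names, the two-cycle grant budget and the "belief" bookkeeping are constructed assumptions for the example. It also runs the check against a deliberately weakened arbiter that lets a non-owner release the device, to show the kind of violation such a check is meant to catch.

```python
"""Toy model checker for an exclusive-use I/O arbiter (illustrative; not the
paper's design). Exhaustive BFS over a finite state space proves or refutes
the invariant 'every domain that believes it holds the device is the owner'."""
from collections import deque
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple

DOMAINS = ("secure_app", "untrusted_app")  # constructed: two competing trust domains
BUDGET = 2                                  # assumed: cycles a temporary grant lasts

Event = Tuple[str, str]  # (kind, domain); kind in {"request", "release", "tick"}
EVENTS: Tuple[Event, ...] = tuple(
    (k, d) for d in DOMAINS for k in ("request", "release")
) + (("tick", ""),)


@dataclass(frozen=True)
class State:
    owner: Optional[str]        # arbiter's view: which domain holds the device
    remaining: int              # cycles left before the arbiter revokes the grant
    believes: FrozenSet[str]    # domains that believe they currently hold the device


def step(s: State, ev: Event, strict_release: bool) -> State:
    """Arbiter transition. strict_release=False models a buggy arbiter that
    accepts a release from any domain, not only from the current owner."""
    kind, d = ev
    if kind == "request":
        if s.owner is None:
            # Grant: the requester learns it now owns the device.
            return State(d, BUDGET, s.believes | {d})
        return s  # denied; requester's state is unchanged
    if kind == "release":
        if s.owner == d or (not strict_release and s.owner is not None):
            # Only the caller's own belief is cleared; a hijacked release
            # leaves the real owner thinking it still has the device.
            return State(None, 0, s.believes - {d})
        return s  # rejected
    if kind == "tick":
        if s.owner is None:
            return s
        if s.remaining > 1:
            return replace(s, remaining=s.remaining - 1)
        # Budget exhausted: revoke and notify the owner, so its belief is cleared.
        return State(None, 0, s.believes - {s.owner})
    raise ValueError(f"unknown event kind {kind!r}")


def exclusive(s: State) -> bool:
    """Safety invariant: a domain believes it holds the device only if it does."""
    return all(s.owner == d for d in s.believes)


def check(strict_release: bool) -> Optional[Tuple[Event, ...]]:
    """Breadth-first search of the whole reachable state space.
    Returns None if the invariant holds everywhere, else the shortest
    event trace that reaches a violating state."""
    init = State(owner=None, remaining=0, believes=frozenset())
    seen = {init}
    queue = deque([(init, ())])
    while queue:
        s, trace = queue.popleft()
        if not exclusive(s):
            return trace
        for ev in EVENTS:
            nxt = step(s, ev, strict_release)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (ev,)))
    return None


if __name__ == "__main__":
    print("strict arbiter :", check(strict_release=True) or "invariant holds")
    print("buggy arbiter  :", check(strict_release=False))
```

The state space here is tiny (owner, a small counter and a set of beliefs), so the search terminates quickly and the result is a proof for this model, which is the same reason the abstract stresses that the verified hardware components are few and simple. For the weakened arbiter the checker returns a two-event counterexample: the secure domain is granted the device, then the untrusted domain issues a release that the arbiter should have rejected, leaving the secure domain believing in an exclusivity it no longer has.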