
AppBastion: Protection from Untrusted Apps and OSes on ARM

  • Conference paper
Computer Security – ESORICS 2022 (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13555)


Abstract

ARM-based (mobile) devices are more popular than ever. They are used to access, process, and store confidential information and participate in sensitive authentication protocols, making them extremely attractive targets. Many attacks focus on compromising the primary operating system – for example, by convincing the user to download OS rootkits concealed within seemingly innocent apps. To partially mitigate the impact, device manufacturers responded by offering hardware-rooted trusted execution environments (TEEs). Yet, making use of TEEs (e.g., by securely porting existing apps) is not easy. Only a small number of security-critical applications make use of TEEs, leaving all others to run on a potentially vulnerable OS, under the control of users that all too often fall prey to cleverly disguised malware.

AppBastion is a general-purpose platform that leverages the now ubiquitous ARM TrustZone TEE to secure application data from untrusted OSes. AppBastion enables applications to maintain confidential data in memory regions protected even from a compromised OS. Only approved, signed applications can access their associated protected memory regions. Data never leaves protected regions unencrypted and applications can communicate or declassify protected data only through explicit AppBastion channels. AppBastion ensures that application confidential data cannot be accessed, spoofed, or leaked by the OS.



Acknowledgments

We would like to thank our anonymous reviewers for their helpful feedback. This work has been supported in part through NSF award 2052951 and ONR award N000142112407.

Corresponding author

Correspondence to Darius Suciu.

Appendices

Appendix 1 Remote Communication Protocol

AppBastion allows Shielded Apps to exchange confidential information with trusted remote servers. In this Appendix we first describe and discuss the process through which a shared encryption key is set up (through an authenticated Diffie-Hellman key exchange) between a remote server and the AppBastion monitor, and then show how it enables confidential data transfers between the server and the Shielded App.

Establishing Connections. The key exchange protocol involves three parties: the remote server, the Shielded App and the AppBastion monitor. In the key exchange, the Shielded App only initiates the connection to the remote server and forwards messages between the monitor and the server.

First, the Remote Server sends its certificate alongside a nonce to the monitor when a Shielded App initiates a connection. Once the monitor receives a server certificate, it first verifies it against its list of trusted server certificates. If the verification passes, it constructs an attestation proof. This proof consists of cryptographic hashes of the code belonging to the Shielded App, Normal World OS and the monitor itself. The proof is signed using a device private key. This key is burned by the manufacturer in an e-fuse available only to the Secure World. The manufacturer also publishes a certificate containing the public counterpart to the respective key.

Next, the monitor builds a response to the server by encrypting the signed proof alongside the received nonce and public components of a Diffie-Hellman key exchange (e.g., public key “A”, modulus “p” and base “g”). The monitor encrypts its response using the public key included in the certificate provided by the server and sends the encrypted response through the Shielded App.

Finally, the server uses its private key to decrypt the monitor's response. It then uses the device public key from the manufacturer's certificate, which it already holds, to verify the signed attestation proof together with the received nonce. If the verifications succeed, the server finishes the key exchange by sending its signed public key “B”. Once “B” is received and verified, a shared symmetric encryption key can be derived on both sides, completing the Diffie-Hellman key exchange.

Exchanging Data. On each completed key exchange, the monitor and server end up with a shared symmetric key. In order to exchange confidential data under this key, the monitor first has to decrypt the data from under the existing Shielded App key and re-encrypt it under the new key shared with the server. Confidential data can only be exchanged after it is moved under the new key.

For data transfers, let us first assume a Shielded App requests data from the server. First it needs to send a nonce to the server (to detect replay attacks). In response, the server encrypts the data alongside the received nonce using the Shielded App key. The resulting ciphertext is then provided to the Shielded App. However, the Shielded App does not have the key required for decryption; it can only rely on the monitor. Thus, in order to decrypt the received ciphertext, the Shielded App must first copy it into confidential data pages. Then, an SMC can be issued to the monitor to request its decryption. Finally, the Shielded App can verify the freshness of the received data using the included nonce. Note that the monitor only decrypts data located inside confidential data pages. This ensures that at no point can the exchanged data and nonce be accessed in clear text by untrusted Normal World software.

The Shielded App can also leverage the monitor in order to send its own confidential data to the server. There are two scenarios, depending on the state of the confidential data. (a) Public pages are writable and the confidential data is already encrypted by the monitor. In this case, the Shielded App only needs to provide the encrypted data to the server. (b) Public pages are read-only and the confidential data is not encrypted. In this case, the Shielded App must first copy the data into the public pages (which are read-only). This triggers a page fault, which arrives at the monitor. At this point, the monitor encrypts the data using the key shared with the server and restores the write permissions of the public pages. Finally, as in (a), the Shielded App can send the encrypted data to the server.

Appendix 2 Confidential Data Disclosure

Declassification Request. Shielded Apps can only declassify contents from confidential code pages using the following AppBastion-provided steps:

  1. (i) The Shielded App must issue a new declassification request by sending an SMC to the monitor, through the Normal World OS. This SMC forwards to the monitor the address of an empty 64-bit slot inside a confidential page. Upon receiving such a request, the monitor first verifies that the provided address is located inside a confidential data page. Then, a unique 64-bit number (nonce) is generated by the monitor and written at the respective address. This nonce is also maintained inside the Secure World and associated with the Shielded App. At this point execution returns to the Shielded App.

  2. (ii) The Shielded App must construct a special declassification header inside its confidential data pages. The nonce received from the monitor must be copied into this header. The header must also specify the location of the confidential data ciphertext that requires declassification. This location must be inside public memory, otherwise the request is denied (so as not to disrupt the automatic process used for protecting confidential data).

  3. (iii) The Shielded App must copy the confidential data to declassify into the public range specified inside the declassification header. This data is automatically encrypted by the monitor, as per Sect. 4.3.

  4. (iv) Finally, the Shielded App sends the declassification header to the monitor. The header can only be sent by first copying it into a public page and passing the resulting ciphertext to the monitor through another SMC. Note that the header is automatically encrypted by the monitor when it is copied into the public page. Thus, the untrusted OS cannot change the parameters located inside it (e.g., locations, nonces, etc.).

Declassification. Upon receiving an SMC containing a declassification request, the monitor first decrypts it using the encryption key of the Shielded App. This key is already maintained inside the Secure World by the monitor. Next, the monitor checks against replay attacks by verifying the freshness of the unique number, comparing it against the value maintained inside the Secure World. If the verification passes, the monitor then decrypts the content inside the indicated public pages using the Shielded App’s encryption key.

In order to simplify subsequent declassification requests, the monitor monotonically increases the nonce maintained inside the Secure World after each declassification request. In turn, the Shielded App must also increase the nonce it provides. This allows future declassifications to proceed using only steps (ii)-(iv).
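The following is an added example, not the paper's code, modelling the Secure World side of the declassification protocol above: the nonce slot check in step (i), the fault-triggered encryption of steps (iii)/(iv), and the freshness, location and monotonic-nonce checks performed on the header. The page ranges, the header layout (nonce, location) and the cipher (an HMAC-SHA256 stream with a tag, standing in for the monitor's real cipher) are assumptions of this model.

```python
import hashlib, hmac, os, struct
def _ks(key, iv, n):  # HMAC-SHA256 as a PRF in counter mode: stand-in for the real cipher
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key, pt):  # encrypt-then-MAC, so a header altered by the OS fails to open
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def open_(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext modified in public memory")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, iv, len(ct))))

class Monitor:
    """Secure World state for one Shielded App: key, page ranges, expected nonce."""
    def __init__(self, key, conf, pub):
        self.key, self.conf, self.pub, self.mem, self.nonce = key, conf, pub, {}, None
    def request(self, addr):  # step (i): SMC naming a 64-bit slot in a confidential page
        if not self.conf[0] <= addr < self.conf[1]:
            raise PermissionError("nonce slot must lie in a confidential data page")
        self.nonce = int.from_bytes(os.urandom(8), "big")  # kept in Secure World too
        return self.nonce  # the monitor writes it at addr and returns to the app
    def fault_copy(self, addr, data):  # steps (iii)/(iv): write to a read-only public page
        if not self.pub[0] <= addr < self.pub[1]:
            raise PermissionError("only public pages receive encrypted copies")
        self.mem[addr] = seal(self.key, data)  # the page fault lands here; data is encrypted
        return self.mem[addr]
    def declassify(self, header_ct):  # SMC carrying the (encrypted) declassification header
        nonce, loc = struct.unpack(">QQ", open_(self.key, header_ct))
        if nonce != self.nonce:
            raise ValueError("stale or replayed nonce")
        if not self.pub[0] <= loc < self.pub[1]:
            raise ValueError("declassification target must be in public memory")
        self.nonce += 1  # monotonic: the next header must carry nonce+1, skipping step (i)
        return open_(self.key, self.mem[loc])

CONF, PUB = (0x10000, 0x11000), (0x20000, 0x21000)  # constructed page ranges (hypothetical)
def run_two_rounds(first, second):
    """Round 1 runs steps (i)-(iv); round 2 reuses nonce+1 with steps (ii)-(iv) only."""
    m = Monitor(os.urandom(32), CONF, PUB)
    nonce, outs, hdrs = m.request(CONF[0] + 0x100), [], []
    for i, secret in enumerate((first, second)):
        m.fault_copy(PUB[0], secret)                                   # (iii)
        header = struct.pack(">QQ", nonce + i, PUB[0])                 # (ii): nonce, location
        hdrs.append(m.fault_copy(PUB[0] + 0x800, header))              # (iv): header encrypted
        outs.append(m.declassify(hdrs[-1]))
    return m, outs, hdrs
```

Replaying an earlier header after the monitor has advanced its nonce, or flipping a byte of the encrypted header in public memory, makes `declassify` raise instead of releasing data.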

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Suciu, D., Sion, R., Ferdman, M. (2022). AppBastion: Protection from Untrusted Apps and OSes on ARM. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_34


  • DOI: https://doi.org/10.1007/978-3-031-17146-8_34


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8

  • eBook Packages: Computer Science (R0)
