TY - GEN
T1 - TEEVseL4
T2 - 29th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2023
AU - Blazevic, Borna
AU - Peter, Michael
AU - Hamad, Mohammad
AU - Steinhorst, Sebastian
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - The growing computing power of embedded systems has led to an increase in the use of general-purpose Operating Systems (OSs) such as Linux. However, the substantial attack surface arising from their complexity makes them unsuitable for safety- and security-critical use cases. Addressing this issue requires isolating the security-critical functionalities into separate execution environments and protecting them from the untrusted OS. Arm TrustZone applies this approach by providing hardware-based partitioning of the system into a secure and non-secure world, facilitating a Trusted Execution Environment for the protection of security-critical functionality in the secure world. TrustZone, however, falls short when dealing with systems that virtualize multiple operating systems. Another approach to isolate functionality is employing a microkernel, such as the formally proven correct seL4 kernel, especially if it also offers virtualization functions. While current seL4-based virtualization systems offer good security and safety properties, they do not provide TrustZone-compatible security services to their virtualized guests. In this paper, we propose TEEVseL4, a TrustZone-compatible virtualization system leveraging the strengths of the seL4 microkernel, that can provide security services to the Linux guests based on the dynamic, scalable and flexible Trusted Computing Base of an seL4 system. High-level performance benchmarking shows that TEEVseL4 can provide security services with acceptable overheads (less than 20%) when compared to a native TrustZone system, making it an attractive option for platforms with multiple, mutually-distrustful virtualized guests.
AB - The growing computing power of embedded systems has led to an increase in the use of general-purpose Operating Systems (OSs) such as Linux. However, the substantial attack surface arising from their complexity makes them unsuitable for safety- and security-critical use cases. Addressing this issue requires isolating the security-critical functionalities into separate execution environments and protecting them from the untrusted OS. Arm TrustZone applies this approach by providing hardware-based partitioning of the system into a secure and non-secure world, facilitating a Trusted Execution Environment for the protection of security-critical functionality in the secure world. TrustZone, however, falls short when dealing with systems that virtualize multiple operating systems. Another approach to isolate functionality is employing a microkernel, such as the formally proven correct seL4 kernel, especially if it also offers virtualization functions. While current seL4-based virtualization systems offer good security and safety properties, they do not provide TrustZone-compatible security services to their virtualized guests. In this paper, we propose TEEVseL4, a TrustZone-compatible virtualization system leveraging the strengths of the seL4 microkernel, that can provide security services to the Linux guests based on the dynamic, scalable and flexible Trusted Computing Base of an seL4 system. High-level performance benchmarking shows that TEEVseL4 can provide security services with acceptable overheads (less than 20%) when compared to a native TrustZone system, making it an attractive option for platforms with multiple, mutually-distrustful virtualized guests.
KW - Arm TrustZone
KW - Security
KW - TEE
KW - Virtualization
KW - seL4
UR - http://www.scopus.com/inward/record.url?scp=85178063366&partnerID=8YFLogxK
U2 - 10.1109/RTCSA58653.2023.00017
DO - 10.1109/RTCSA58653.2023.00017
M3 - Conference contribution
AN - SCOPUS:85178063366
T3 - Proceedings - 2023 IEEE 29th International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2023
SP - 67
EP - 76
BT - Proceedings - 2023 IEEE 29th International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2023
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 30 August 2023 through 1 September 2023
ER -