An Active Discovering and Secure Using Method of Hardware Cryptographic Resources Based on TrustZone

doi:10.3969/j.issn.1671-1122.2020.08.006

Abstract

Abstract:

In order to solve the problems that various cryptographic equipment providers are independent, the workload of security maintenance is large and the development of security applications is inconvenient, the researchers set up a cryptographic service framework at the operating system level to unify all kinds of hardware and software cryptographic resources. However, on the one hand, existing cryptographic service frameworks do not have the ability to actively discover and apply the hardware cryptographic resources, and users still need to manually load the cryptographic device and mount the cryptographic resources into the cryptographic service framework before they can be invoked and used in the security applications. On the other hand, high level security hardware cryptographic devices may be unauthorized accessed and used. In order to solve the above problems, this paper proposes a method of active discovery and secure use of hardware cryptographic resources based on TrustZone, which extends the cryptographic service framework through the secure isolation computing environment provided by TrustZone, and makes the cryptographic service framework have the ability to actively detect and securely load the system hardware cryptographic resources through the interaction with the operating system kernel. The prototype system is implemented on FT-2000/4 processer platform. The test results show that the proposed method can successfully realize the active discovery and secure use of hardware cryptographic resources.

Key words: cryptographic service framework, hardware cryptographic resource, active discovering, secure using

CLC Number:

TP309

YUAN Lu, HUANG Chenlin, LI Yun, CHENG Hua. An Active Discovering and Secure Using Method of Hardware Cryptographic Resources Based on TrustZone[J]. Netinfo Security, 2020, 20(8): 47-54.

Figures/Tables 8

References 17

[1]	STINSON D R, PATERSON M. Cryptography: Theory and Practice[M]. Boca Raton: CRC Press, 2018.
[2]	LÜ Yao, LI Dongge. Interpretation and Impact Analysis of the Cryptography Law[J]. Cyberspace Security, 2019,10(11):74-78.
	吕尧, 李东格. 《密码法》解读及影响分析[J]. 网络空间安全, 2019,10(11):74-78.
[3]	PINTO S, SANTOS N. Demystifying Arm TrustZone: A Comprehensive Survey[J]. ACM Computing Surveys (CSUR), 2019,51(6):1-36.
[4]	LE A V, MATYAS S M, JOHNSON D B J, et al. A Public Key Extension to the Common Cryptographic Architecture[J]. IBM Systens Journal, 1993,32(3):461-485.
[5]	LIN A, BROWN R. The Application of Security Policy to Role-based Access Control and the Common Data Security Architecture[J]. Computer Communications, 2000,23(17):1584-1593. doi: 10.1016/S0140-3664(00)00244-9 URL
[6]	DELAUNE S, KREMER S, STEEL G. Formal analysis of PKCS# 11[C]// IEEE. 21st IEEE Computer Security Foundations Symposium, June 23-25, 2008, Pittsburgh, PA, USA. Piscataway: IEEE, 2008: 331-344.
[7]	TAN Anfen, JIANG Jianguo. A Case Analyse of Security Architecture[J]. Network Security Technology & Application, 2004,9:13.
	谭安芬, 姜建国. 安全体系架构的一个实例分析[J]. 网络安全技术与应用, 2004,9:13.
[8]	WANG Yuzhu, LÜ Shuwang, WANG Ting. Intel’s CDSA and Microsoft’s CAPI[J]. Application Research of Computers, 2001,18(5):72-74.
	王玉柱, 吕述望, 王挺. Intel的CDSA和Microsoft的CAPI[J]. 计算机应用研究, 2001,18(5):72-74.
[9]	MENG Zhimin, LIU Jun. Research and Implementation of Key Management Mechanism Based on PKCS11[J]. Computer Security, 2012(12):50-53.
	蒙智敏, 刘军. PKCS11 标准下的密钥管理方式研究与实现[J]. 计算机安全, 2012(12):50-53.
[10]	ZHAO Shijun, ZHANG Qianying, QIN Yu, et al. SecTEE: A Software-based Approach to Secure Enclave Architecture Using TEE[C]// ACM. The 2019 ACM SIGSAC Conference on Computer and Communications Security, November 11-15, 2019, London, UK. New York: ACM, 2019: 1723-1740.
[11]	SEBASTIAN D J, AGRAWAL U, TAMIMI A, et al. DER-TEE: Secure Distributed Energy Resource Operations through Trusted Execution Environments[J]. IEEE Internet of Things Journal, 2019,6(4):6476-6486.
[12]	RUBINOV K, ROSCULETE L, MITRA T, et al. Automated Partitioning of Android Applications for Trusted Execution Environments[C]// ACM. The 38th International Conference on Software Engineering (ICSE’16), May 14-22, 2016, Austin, TX, USA. New York: ACM, 2016: 923-934.
[13]	AZAB A M, NING P, SHAH J, et al. Hypervision Across Worlds: Real-time Kernel Protection from the Arm Trustzone Secure World[C]// ACM. The 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS’14), November 3-7, 2014, Scottsdale, Arizona, USA. New York: ACM, 2014: 90-102.
[14]	GE Xinyang, VIJAYAKUMAR H, JAEGER T. Sprobes: Enforcing Kernel Code Integrity on the TrustZone Architecture[J]. Computer Science, 2014,25(6):1793-1795.
[15]	CHEN Haogang, MAO Yandong, WANG Xi, et al. Linux Kernel Vulnerabilities: State-of-the-art Defenses and Open Problems[C]// ACM. The Second Asia-Pacific Workshop on Systems (APSys’11), July 11-12, 2011, Shanghai, China. New York: ACM, 2014: 1-5.
[16]	GUO Hui, WANG Yongyi, PAN Zulie, et al. Research on Detecting Windows Vulnerabilities Based on Security Patch Comparison[C]// IEEE. Sixth International Conference on Instrumentation & Measurement, July 21-23, 2016, Harbin, China. Piscataway: IEEE, 2016: 366-369.
[17]	NEHAL A, AHLAWAT P. Securing IoT Applications with OP-TEE from Hardware Level OS[C]// IEEE. 3rd International Conference on Electronics, Communication and Aerospace Technology (ICECA), June 12-14, 2019, Coimbatore, India. Piscataway: IEEE, 2019: 1441-1444.

序列	测试项目	测试结果
1	管理员登录与退出	成功
2	非管理员试图登录密码服务框架	失败
3	对策略进行增删改操作	成功
4	设置冲突策略	失败并提示

序列	挂载策略	测试结果
1	只允许公开密码设备挂载到普通世界	符合预期
2	只允许公开和秘密级的密码设备挂载到普通世界	符合预期
3	允许所有设备挂载到普通世界	符合预期
4	不允许任何设备挂载到普通世界	符合预期
5	只允许机密级设备挂载到安全世界	符合预期
6	只允许机密级和秘密级设备挂载到安全世界	符合预期
7	允许任何设备挂载到安全世界	符合预期
8	不允许任何设备挂载到安全世界	符合预期
9	普通世界只能挂载公开密码设备、安全世界只能挂载秘密级以上设备	符合预期