Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

An Efficient Trustzone-Based In-application Isolation Schema for Mobile Authenticators

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_30,
        author={Yingjun Zhang and Yu Qin and Dengguo Feng and Bo Yang and Weijin Wang},
        title={An Efficient Trustzone-Based In-application Isolation Schema for Mobile Authenticators},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={Mobile authentication Trustzone Small TCB In-application isolation},
        doi={10.1007/978-3-319-78813-5_30}
    }
    
  • Yingjun Zhang
    Yu Qin
    Dengguo Feng
    Bo Yang
    Weijin Wang
    Year: 2018
    An Efficient Trustzone-Based In-application Isolation Schema for Mobile Authenticators
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-78813-5_30
Yingjun Zhang,*, Yu Qin1, Dengguo Feng1, Bo Yang1, Weijin Wang1
  • 1: Chinese Academy of Sciences
*Contact email: zhangyingjun@tca.iscas.ac.cn

Abstract

Mobile devices have been widely used as convenient authenticators for sensitive transactions and user login. It’s a challenge to protect authentication secrets and code from malicious mobile operating systems. Although protecting them using hardware privilege isolation like Trustzone and virtualization is a promising countermeasure, existing approaches either have large TCBs with lots of applications and services installed in the privileged software, or provide only coarse-grained isolation unable to prevent intra-domain attacks, or require excessive intervention from the privileged software. We propose a novel mobile authentication schema called TAuth, which creates isolation execution environments in Trustzone normal world, so the system TCB in the secure world remains small and unchanged regardless of the amount of installed authentication applications. The isolation is also fine-grained which only protects the security-sensitive components of an authentication program, thus could defense not only a malicious OS, but also vulnerability threats inside the same program. Designed closely integrated with the intrinsic property of user authentication, TAuth solves two significant technique challenges, including efficient normal world isolation without excessive intervention into the secure world, and securely using of untrusted external functions from inside the isolated environment. Finally, we implement the prototype system on real TrustZone devices. The evaluation shows that TAuth can prevent both in-application attacks like HeartBleed and kernel-level rootkits. It also shows that TAuth achieves much higher system performance than previous Trustzone normal world isolation solutions.