
PrOS: Light-weight Privatized Secure OSes in ARM TrustZone

Title
PrOS: Light-weight Privatized Secure OSes in ARM TrustZone
Author
조영필
Keywords
Security; TrustZone; Virtualization
Issue Date
2019-04
Publisher
IEEE COMPUTER SOC
Citation
IEEE TRANSACTIONS ON MOBILE COMPUTING, Page. 1-13
Abstract
TrustZone is a hardware security technique in ARM mobile devices. Using TrustZone, software components running within the secure world can be completely isolated from the normal world. In order to support multiple trusted applications, TrustZone runs its own operating system, called the secure OS, within the secure world. Unfortunately, as all trusted applications are running on the same secure OS instance, compromising the secure OS leads to compromising all trusted applications. This paper presents PrOS, our mechanism to privatize secure OSes through direct virtualization of TrustZone. PrOS allows each trusted application to run with its own secure OS such that the secure OS is no longer a single point of security failure. One particular challenge for PrOS lies in how efficiently to implement software-only virtualization for TrustZone for a practical deployment in real systems despite the condition that the current ARM architectures do not support hardware-assisted virtualization for TrustZone. Fortunately, we have found several common design features inherent in the secure OS to leverage for optimally tailoring the TrustZone virtualization scheme. According to our evaluation, PrOS incurs 0.02% and 1.18% performance overheads on average in the normal and secure worlds, respectively, demonstrating its effectiveness in the field.
URI
https://ieeexplore.ieee.org/document/8691596
https://repository.hanyang.ac.kr/handle/20.500.11754/151026
ISSN
1536-1233; 1558-0660
DOI
10.1109/TMC.2019.2910861
Appears in Collections:
COLLEGE OF ENGINEERING[S](공과대학) > COMPUTER SCIENCE(컴퓨터소프트웨어학부) > Articles
Files in This Item:
There are no files associated with this item.

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
