SHELTER: Extending Arm CCA with Isolation in User Space

Zhang, Yiming1,2,3; Hu, Yuxin1,2; Ning, Zhenyu1,4; Zhang, Fengwei1,2; Luo, Xiapu3; Huang, Haoyang1,2; Yan, Shoumeng5; He, Zhengyu5

2023

32nd USENIX Security Symposium

PROCEEDINGS OF THE 32ND USENIX SECURITY SYMPOSIUM

AUG 09-11, 2023

null,Anaheim,CA

SUITE 215, 2560 NINTH ST, BERKELEY, CA 94710 USA

USENIX ASSOC

["The increasing adoption of confidential computing is providing individual users with a more seamless interaction with numerous mobile and server devices. TrustZone is a promising security technology for the use of partitioning sensitive private data into a trusted execution environment (TEE). Unfortunately, third-party developers have limited accessibility to TrustZone. This is because TEE vendors need to validate such security applications to preserve their security rigorously. Moreover, TrustZone-based systems suffer from vulnerabilities affecting Trusted App and trusted OS, possibly causing the entire system to be compromised.","Advanced virtualization-based TEE introduced in the recently new concept of Confidential Compute Architecture (CCA) creates a new physical address space called Realm world for confidential computing to protect the data confidentiality and integrity. The current version of CCA primarily targets the VM level in the Realm world and does not provide user-level isolated environments. To fill up this gap, we present SHELTER, which is a complement to CCA's primary Realm VM-style architecture. SHELTER allows thirdparty developers to deploy their applications with isolation in userspace. SHELTER is designed by cooperating with Arm CCA hardware primitive available in Armv9.2 to provide hardware-based isolation while removing the need for software workloads to trust their data to a Host OS, hypervisor, or privileged software (e.g., trusted OS, Secure/Realm hypervisor). We have implemented and evaluated SHELTER, and the results demonstrated that SHELTER guarantees the security of applications with a modest performance overhead (<15%) on real-world workloads."]

第一 ; 通讯

英语

EI ; CPCI-S

National Natural Science Foundation of China["62002151","62102175"] ; Shenzhen Science and Technology Program["SGDX20201103095408029","ZDSYS20210623092007023"] ; PolyU Grant[ZVG0] ; Hong Kong RGC Project[PolyU15222320]

Computer Science

Computer Science, Information Systems ; Computer Science, Interdisciplinary Applications ; Computer Science, Theory & Methods

WOS:001066451506026

Web of Science

1.Research Institute of Trustworthy Autonomous Systems, Southern University of Science and Technology, China
2.Department of Computer Science and Engineering, Southern University of Science and Technology, China
3.Department of Computing, The Hong Kong Polytechnic University, Hong Kong
4.College of Computer Science and Electronic Engineering, Hunan University, China
5.Ant Group

Zhang, Yiming,Hu, Yuxin,Ning, Zhenyu,et al. SHELTER: Extending Arm CCA with Isolation in User Space[C]. SUITE 215, 2560 NINTH ST, BERKELEY, CA 94710 USA:USENIX ASSOC,2023.