Saturday, December 6, 2014

ARM® TrustZone® technology - a Simple Example

Most of the consumer mobile phones on the market today are ARM Powered® products.
ARM Ltd. designs semiconductor IP blocks and then sells the license for the IP block to a semiconductor manufacturing company; e.g. Samsung, Apple, Nvidia, NXP, Freescale, etc. Some of these companies are fabless and some are not. ARM® TrustZone® technology is integrated into the ARM® Cortex®-A processor family. ARM® Cortex®-A-based microprocessors power many of today's smart phones.

The Smart Phone

Smart phones contain hardware components that enable them to communicate over computer networks to other people. Bluetooth, cellular, and Wi-Fi are all examples of computer network technology. For each of these types of networks, there is a dedicated piece of circuitry in the phone. For example, there is a Bluetooth chip, there is a Wi-Fi chip, and there is a cellular modem chip. Sometimes these chips are combined into one, other times they are not.

Mobile phones also have hardware components such as cameras, speakers, microphones, and visual displays.  For each of these types of hardware components, there is a dedicated piece of circuitry in the phone.

Most people who have smart phones use their phone for taking pictures, playing music, and talking on the phone.  When the camera on the smart phone is used to take a picture, the camera application is opened.  Before the smart phone was purchased, the camera application was installed on the smart phone by the manufacturer.

When the camera button is clicked, the camera application talks to the operating system and the operating system talks to the camera circuitry and tells it to take a picture. It is the operating system's responsibility to manage or mediate access to the camera circuitry.

When the dialer application is clicked on the phone, a phone number is typed and the call button is pressed.  The dialer application talks to the operating system and the operating system talks to the cellular modem, microphone, and speaker.

When the browser button is pressed on the phone, the browser application appears on the display. The browser application runs on top of the operating system.  The operating system is responsible for all of the system resources that the browser application uses. The operating system is also responsible for rendering the visual display on the screen of the smart phone so that when the browser button is clicked, the screen displays a window where the Web site address can be typed.

Keyboard Input

Let's say that you open the browser and visit your favorite retail site. You select an item for purchase and proceed to the checkout page. The checkout page then prompts you to enter your personal information and your credit card number. A keyboard screen pops up and you begin to type in your credit card number. At this point, it is important to remember the following. You are typing in your credit card information inside of an application. The application just happens to be the browser. Continuing with the example, you proceed with typing in the additional information that is requested on the checkout page: the credit card expiration date, security code, zip code, and any other information requested. You then click the submit button and a message tells you that your payment has been accepted.

Drilling down one level into the detail, here is what is happening. Please note, this is intentionally very high-level. I have left out all of the technical jargon related to hardware interrupts, software interrupts, and operating system internals. When you are typing information on the credit card payment page, each time that you press a letter or number on the keyboard, the hardware (touch display) tells the operating system that a character is available. The operating system receives the character from the touch display hardware. The operating system then takes the character and sends it to the application. This process repeats for every single character that you enter. When you are done inputting the information, you hit the submit button, and your information is sent back to the operating system by the browser application. The operating system packs your information up and then sends it to the network hardware. This whole process involves copying your personal information between locations in physical memory on your phone; albeit, quite a few different memory locations. This process also involves transferring your personal information over the circuitry in the phone. You may ask, but wait, the browser says it uses HTTPS? HTTPS secures the connection between your phone and the Web site where you are paying for your product. The HTTPS protocol also attempts to provide a mechanism by which you can validate the authenticity of the Web site you are purchasing your product from. But that is about it. It does not secure all of the important internals of memory-to-memory copies, application execution space, inter-process communication, and the storage of your personal information on the phone - should you choose to save this information on your phone.

Security 101

Operating systems such as Linux and FreeBSD (and its derivatives), and the embedded hardware that they reside on, are not designed for safely handling the input, storage, and transmission of credit card and personal information.  Additions have been made to these operating systems to make things more secure; but these additions are not and have not been sufficient.  The physical circuitry in and around the microprocessor is not secure.  The operating system software is not hardened or secured. The application software is not hardened or secured.  The keyboard input mechanism, which involves the hardware, the operating system, and the application, is not secured.   Various types of additions and enhancements have been made to make these things more secure, but they have not worked.  To fully secure an operating system and all of the application software that is running on it, is extremely expensive and is something that is not seen in the consumer market.

The entire keyboard input process which I described above in the paragraph about the credit card payment page is broken in terms of security. There are physical vulnerabilities in the hardware circuitry - including, but not limited to, the safe storage of your personal information in non-volatile storage, the transfer and copy of your personal information over the physical bus on the printed circuit board, the transfer and storage of your personal information within volatile computer memory, and last but not least, the transfer of your personal information to and from the main processor on the printed circuit board in the phone. In a nutshell, there are remote and local attack vectors, both at the hardware and software levels. The attack vector space is not limited to keyboard input. It involves everything that goes on in your phone.


ARM® TrustZone® technology is a system-wide approach to security.  So let's take the example where you were typing in your credit card and personal information into the browser application. The browser application and everything related to it all run on the operating system.  This includes the system level software frameworks for handling keyboard input, the system level code that is responsible for copying your personal information between memory locations in both the application's memory execution space and the operating system's memory space, ...the list goes on.

Here's what TrustZone can do. Go back to the point in time where you open the browser application on the phone. You type in the Web site address of the online store, click on the product that you are going to purchase, and are taken to the checkout page. You then click on the little white box with a label above it that says:
Credit Card Number - VISA/MasterCard/American Express

Upon clicking on that little white box below the label, a keyboard pops up. You click on the numerical key that corresponds to the first character in your credit card number. The touch display hardware notices that you pressed a key. Rather than sending that key to the operating system that manages the browser application, the touch display hardware sends that key to another operating system. Every key that you press while typing in your credit card number is handled by a different operating system and a different application. The browser application that you clicked on when you opened the browser, and the familiar items that you see on your phone when you turn the power on, cannot see your credit card number. A special operating system, this other operating system, and a special application are triggered when you click on the white box below the credit card payment label on the Web page.

This special operating system and special application run in a different world - sort of like a parallel universe. This special operating system and special application run in what is called secure world.
The first example that I gave above, where I said the process is broken, highlights what happens when everything runs in normal world and secure world either does not exist or is not being used. However, this new example, where the special application running in the special world gathers your credit card information and then stores it somewhere, means that the ARM chip running in this phone has TrustZone support. What does this mean? It means that there is a physically separate area inside of the processor that handles and stores your credit card information. When it's time to send your credit card information over the network, there is another special application inside of the special operating system that handles that. The benefit? Secure world has been physically secured on the printed circuit board and inside of the ARM chip. By design, it is not susceptible to advanced light-based attacks, timing attacks, x-ray analysis of the circuit, and the list goes on. The memory space that the special application is executing inside of, within secure world, is physically and logically isolated. The bus fabric that holds your personal information as it is transferred between hardware components is isolated and secure. All of this runs at the same time the browser application runs; its execution is interleaved in time - on very small time intervals.

In addition, everything going on in Secure World cannot be seen from normal world.  When you power on your phone, the operating system starts up in normal world. With TrustZone, the special operating system also starts up in parallel, within secure world.  As the operating system starts up in secure world, each piece of it is validated. This is important as it will be handling your personal information so we need to be sure that we know exactly where it came from, who developed it, their particular set of certifications, etc. etc.  This is known as a hardware initiated chain of trust.  As a consumer, I would like to know where and how the software that is running in secure world was validated.  The software running in normal world - my apps, and the stuff that came installed when I bought my phone, seems to work fine for now.  I don't think we will ever be able to validate the integrity of every single software component in normal world; however, if software running in secure world can be utilized to protect my personal information and credit card number, then by all means, the validation of that software should be straightforward.

Last but not least, software running in the secure world can access all of the hardware and all of the software that is running in the normal world. However, software running in the normal world cannot access software that is running in the secure world.
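The access rule and the keyboard hand-off described above can be written down as a small C model. This is an added example, not code from ARM or from any TrustZone operating system; the region names, addresses and function names are hypothetical, and the model only captures the rule that each access is judged by the world that issued it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model: every access is tagged with the world that issued it. */
typedef enum { WORLD_SECURE, WORLD_NORMAL } world_t;
typedef struct {
    const char *name;
    uint32_t base, size;
    bool secure_only;              /* true: only secure world may access */
} region_t;
enum { NORMAL_RAM, SECURE_RAM, TOUCH, REGION_COUNT };

/* Constructed memory map; names and addresses are illustrative only. */
static region_t map[REGION_COUNT] = {
    [NORMAL_RAM] = { "normal_ram", 0x80000000u, 0x10000000u, false },
    [SECURE_RAM] = { "secure_ram", 0x90000000u, 0x00100000u, true  },
    [TOUCH]      = { "touch_ctrl", 0xA0000000u, 0x00001000u, false },
};

/* Secure world reaches everything that is mapped; normal world is refused
 * on secure-only regions. Unmapped addresses are refused for both. */
bool access_allowed(world_t who, uint32_t addr) {
    for (int i = 0; i < REGION_COUNT; i++)
        if (addr - map[i].base < map[i].size)   /* also rejects addr < base */
            return who == WORLD_SECURE || !map[i].secure_only;
    return false;
}

/* Claim or release the touch controller; only secure world may do so. */
bool set_touch_secure(world_t who, bool secure) {
    if (who != WORLD_SECURE) return false;
    map[TOUCH].secure_only = secure;
    return true;
}

/* Which world receives the next key press. */
world_t key_press_goes_to(void) {
    return map[TOUCH].secure_only ? WORLD_SECURE : WORLD_NORMAL;
}

int main(void) {
    set_touch_secure(WORLD_SECURE, true);   /* user tapped the card field */
    printf("key press -> %s world\n",
           key_press_goes_to() == WORLD_SECURE ? "secure" : "normal");
    printf("normal world reads touch_ctrl: %s\n",
           access_allowed(WORLD_NORMAL, 0xA0000000u) ? "allowed" : "refused");
    return 0;
}
```

While the touch controller is claimed, the model refuses normal-world reads of it, which is why the browser in the example never sees the card number.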

And finally, after you complete the input of your PIN number, your PIN number can be stored in a physically secure area of the chip that is protected by cryptographic keys.

This is one single, simple example of TrustZone.  There are variations and derivations. TrustZone encompasses different semiconductor IP blocks.  Just because a phone has an ARM processor with TrustZone, does not mean that a special operating system is running on TrustZone in secure world. As you can see, there are substantial benefits that can be gained from utilizing TrustZone and TEE for mobile payments.

So what does TrustZone accomplish? These bullet points are straight from the ARM Web site:
  • Secured PIN entry for enhanced user authentication in mobile payments & banking
  • Protection against trojans, phishing and APT (Advanced Persistent Threats)
  • Enable deployment and consumption of high-value media (DRM)
  • BYOD (Bring your own device) device persona and application separation
  • Software license management
  • Loyalty-based applications
  • Access control of cloud-based documents
  • e-Ticketing Mobile TV
This was a high-level overview of TrustZone and how its benefits can be realized in the context of keypad entry on a mobile phone.

ARM and Cortex are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.  ARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.  ARM and SecurCore are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C-Ware, the Energy Efficient Solutions logo, Kinetis, MagniV, mobileGT, PEG, PowerQUICC, Processor Expert, QorIQ, QorIQ Qonverge, Qorivva, Ready Play, SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid and Xtrinsic are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off.
