Pearl-TEE: Supporting Untrusted Applications in TrustZone

MIDDLEWARE(2018)

Abstract
Rising concerns about mobile security have motivated the use of architectural features such as ARM TrustZone to protect sensitive applications from compromise by malicious applications or a compromised OS. However, many TEE OSes (which run in TrustZone) currently assume all applications in TrustZone are trusted, and thus do not provide strong isolation guarantees between them. The benefit of this is that TEE OSes can be simple, allowing them to provide a high-assurance trusted computing base (TCB). However, unlike how arbitrary third-party mobile applications can be installed onto a smartphone, the need for mutual trust among all applications running inside TrustZone prevents the installation of 3rd party applications on the TEE OS. In this paper, we identify the key properties that define application code that may wish to use TrustZone and show that a standard TEE OS can be extended to support multiple, mutually distrusting applications in TrustZone with less than a 3% increase in the TCB. We realize our ideas in Pearl-TEE, a novel TEE OS prototype we have implemented that can provide mechanisms specific to the needs of TrustZone applications, including isolation for execution, secure persistent storage, and support for network communication. We find that Pearl-TEE imposes less than 20% performance overhead on applications.
Keywords
Trusted computing base,Computer security,Computer science,Mobile security,Network communication