Linked by Thom Holwerda on Thu 10th Apr 2014 20:05 UTC, submitted by nfeske
Hardware, Embedded Systems

Behind the term TrustZone lies a security technology that is almost omnipresent in ARM-based devices, ranging from low-cost development boards to most mobile phones. Yet, there hardly exists a public body of knowledge around it. This prompted the Genode developers to investigate. Today, they published their findings in the form of a comprehensive article and a demonstration video.

In contrast to TPMs, which were designed as fixed-function devices with a predefined feature set, TrustZone represented a much more flexible approach by leveraging the CPU as a freely programmable trusted platform module. To do that, ARM introduced a special CPU mode called "secure mode" in addition to the regular normal mode, thereby establishing the notions of a "secure world" and a "normal world". The distinction between both worlds is completely orthogonal to the normal ring protection between user-level and kernel-level code and hidden from the operating system running in the normal world. Furthermore, it is not limited to the CPU but propagated over the system bus to peripheral devices and memory controllers. This way, ARM-based platforms become effectively kind of a split personality. When secure mode is active, the software running on the CPU has a different view on the whole system than software running in non-secure mode.

The Genode team is nothing short of amazing. Not only are they developing unique software, they're also doing stuff like this. Much respect for these women and men.
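To make the two-world split from the quoted paragraph concrete, here is a small added model (not code from the Genode article or the Genode project) of a bus-level access check: each transaction carries the world it came from as an NS attribute, and the user/kernel privilege level plays no part in the decision. The region names, addresses and sizes are constructed for this example; on real platforms the partitioning is configured in the memory and bus controllers by the firmware that owns the secure world.

```python
"""Toy model of a TrustZone-style world split (illustration only; constructed
region map, not a real platform's configuration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int           # exclusive
    secure_only: bool  # True: only transactions with NS=0 may touch it


# Constructed example map: a secure key store, a normal-world RAM window and
# one peripheral the secure world has reserved for itself.
REGION_MAP = [
    Region("secure_keystore", 0x1000_0000, 0x1001_0000, secure_only=True),
    Region("normal_ram",      0x8000_0000, 0x9000_0000, secure_only=False),
    Region("crypto_engine",   0x4800_0000, 0x4800_1000, secure_only=True),
]


def check_access(addr: int, non_secure: bool, privileged: bool) -> bool:
    """Decide whether a bus transaction may proceed.

    `non_secure` is the NS attribute the CPU attaches to the transaction
    (NS=1 from the normal world, NS=0 from the secure world). `privileged`
    is the usual user/kernel distinction; it is deliberately never consulted,
    which is the orthogonality the article describes: a normal-world kernel
    is refused exactly like a normal-world user process.
    """
    for r in REGION_MAP:
        if r.start <= addr < r.end:
            return not (r.secure_only and non_secure)
    return False  # unmapped address: neither world has a view of it


def visible_regions(non_secure: bool) -> list:
    """The system as seen from one world. Secure-only regions simply vanish
    from the normal world's map, which is how hardware can be hidden from
    the OS running there."""
    return [r.name for r in REGION_MAP if not (r.secure_only and non_secure)]
```

Running `visible_regions(True)` against `visible_regions(False)` shows the two different views of the same hardware that the paragraph calls a "split personality".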

tempting?
by project_2501 on Thu 10th Apr 2014 22:11 UTC
project_2501
Member since:
2006-03-20

The thing with TPM is that it does a very small number of things, and how it does them stands more chance of being verified.

This thing does a lot, and intentionally so. It's a highly programmable, highly privileged Turing machine.

So if it's broken that's a really bad thing.

Phrases like "the functionality of the secure world is defined by system software instead of being hard-wired" and "not limited to the CPU but propagated over the system bus to peripheral devices and memory controllers" scare me, not reassure me.

Have I misunderstood?

Reply Score: 3

RE: tempting?
by CapEnt on Fri 11th Apr 2014 03:57 UTC in reply to "tempting?"
CapEnt Member since:
2005-12-18

No, you haven't.

In effect, this thing can run a whole parallel operating system if used, and this operating system would have the power to capture in real time everything that the other OS in the "normal world" is doing, down to the bus traffic, and can continually scan and parse the whole content of the RAM if it wants. Heck, it can even monitor the "normal world" processing at register level. It can even go as far as hiding hardware pieces from the "normal world" OS.

It is a privacy nightmare lying in wait.

Reply Score: 4

RE[2]: tempting?
by WereCatf on Fri 11th Apr 2014 04:03 UTC in reply to "RE: tempting?"
WereCatf Member since:
2006-02-15

It is a privacy nightmare lying in wait.


It's funny how you see a privacy nightmare and I see very interesting technology that could be used e.g. for researching some of the higher-end malware and bots. Of course, I'm not saying it couldn't be used for the things you fear, but that's not what I first think of when reading about this stuff.

Reply Score: 2

RE[3]: tempting?
by Alfman on Fri 11th Apr 2014 06:42 UTC in reply to "RE[2]: tempting?"
Alfman Member since:
2011-01-28

WereCatf,

Of course, I'm not saying it couldn't be used for the things you fear, but that's not what I first think of when reading about this stuff.


Of course there would be some cool applications, but honestly my first thought was DRM, such that the owner only has control over the "normal world" portion, while someone else controls the "secure world" in order to impose content restrictions.

Reply Score: 4

RE[4]: tempting?
by WereCatf on Fri 11th Apr 2014 06:45 UTC in reply to "RE[3]: tempting?"
WereCatf Member since:
2006-02-15

That's what I was saying; we have such different first reactions to something like this, and I found it rather funny.

Reply Score: 2

RE[5]: tempting?
by nfeske on Fri 11th Apr 2014 08:28 UTC in reply to "RE[4]: tempting?"
nfeske Member since:
2009-05-27

I think the mechanism per se is not harmful. But the question of who is in control of the secure world is important to assess the security and privacy implications of using a device.

If the user has a chance to place security functions in the secure world, e.g., the cryptographic functions that need access to the user's private key, such credentials could be hidden from the normal world. So an exploit of the normal world would never leak the user's private key.

On the other hand, if the platform vendor controls the secure world, TrustZone may actually be a mechanism to protect the platform from the end user. Naturally, DRM comes to mind. Also, if you look closely into low-cost dev boards like the Pandaboard, you will find that the secure world is fixed with predefined firmware. What this firmware does is only known to the vendor. On the Pandaboard, it is used (among potentially other things) to work around certain hardware bugs such as errata of the cache controller.

On consumer devices, the secure world is generally not accessible to the end user. Even if you install an alternative version of Android (like Replicant) on the device, the secure world remains unaffected. Ultimately, the proprietary software running in the secure world is just another potential risk for the privacy of the end user. Referring to Thom's recent posting

http://www.osnews.com/story/27416/The_second_operating_system_hidin...

the secure-world software stack is a third "OS" running on the device. You have to have faith in your device vendor.

Reply Score: 4

RE[3]: tempting?
by przemo_li on Fri 11th Apr 2014 08:16 UTC in reply to "RE[2]: tempting?"
przemo_li Member since:
2010-06-01

Funny thing to assume that it will not be used by malware in the first place...

Want such a solution? DIY, and don't put it in every computer out there for really bad people to use.

Reply Score: 2

RE[2]: tempting?
by agentj on Fri 11th Apr 2014 04:05 UTC in reply to "RE: tempting?"
agentj Member since:
2005-08-19

Hahaha. O rly?

Reply Score: 2

RE: tempting?
by Kochise on Fri 11th Apr 2014 10:19 UTC in reply to "tempting?"
Kochise Member since:
2006-03-03

Hypervisor?

Kochise

Reply Score: 3

RE[2]: tempting?
by agentj on Sat 12th Apr 2014 06:28 UTC in reply to "RE: tempting?"
agentj Member since:
2005-08-19

No. HYP mode in ARM is a different kind of thing from TrustZone.

Reply Score: 3

Amazing Work!
by Pro-Competition on Fri 11th Apr 2014 01:32 UTC
Pro-Competition
Member since:
2007-08-20

The Genode team is nothing short of amazing. Not only are they developing unique software, they're also doing stuff like this. Much respect for these women and men.


I would have said the same thing if you hadn't!

Reply Score: 2

Schizophrenic?!?
by Megol on Fri 11th Apr 2014 15:51 UTC
Megol
Member since:
2011-04-11

Like in seeing/hearing things that don't exist?

Reply Score: 2

RE: Schizophrenic?!?
by gus3 on Fri 11th Apr 2014 19:48 UTC in reply to "Schizophrenic?!?"
gus3 Member since:
2010-09-02

I would describe it as "multiply-minded," the sub-conscious mind perceptibly affecting the conscious mind. At least that's how my schizophrenic best friend described it to me.

Reply Score: 2

RE[2]: Schizophrenic?!?
by Megol on Sat 12th Apr 2014 10:38 UTC in reply to "RE: Schizophrenic?!?"
Megol Member since:
2011-04-11

The problem with the description in the linked article is that it promotes the completely wrong idea that schizophrenic = split personality disorder. It isn't, even though that is often how the media presents (or at least has presented) it.

Reply Score: 2

RE[3]: Schizophrenic?!?
by nfeske on Sat 12th Apr 2014 11:56 UTC in reply to "RE[2]: Schizophrenic?!?"
nfeske Member since:
2009-05-27

Thank you very much for the notice. I changed the text in the article accordingly.

Reply Score: 2

RE: Schizophrenic?!?
by Thom_Holwerda on Sat 12th Apr 2014 12:19 UTC in reply to "Schizophrenic?!?"
Thom_Holwerda Member since:
2005-06-29

Technically, schizophrenic can be used in that way just fine, as schizophrenic implies a split between reality and the patient's consciousness.

Reply Score: 2