File:OWASP Security Tapas - TrustZone, TEE and Mobile Security final.pdf

Trusted Execution Environment, TrustZone and Mobile Security

OWASP Göteborg: Security Tapas, Oct-20, 2015
Peter Gullberg, Principal Engineer - Digital Banking, Gemalto

"TEE allows Applications to execute, process, protect and store sensitive data in an isolated, trusted environment."

Trusted Execution Environment (TEE)

TEE - Use Cases

Content Protection
• IP streaming
• DRM
• Key protection
• Content protection

Mobile Financial Services
• mBanking
• Online payments
• User authentication
• Transaction validation

Corporate/government
• Secure networking
• Secure email
• BYOD
• User authentication
• Data encryption

Example of TEE enabled devices

Architectural ways of achieving a TEE

ARM TrustZone (Cortex-A processors)
• TrustZone enables the development of two separate environments: the Rich Operating System in the Normal domain and the Trusted Execution in the Secure domain
• Both domains have the same capabilities
• Each domain operates in a separate memory space
• Enables a single physical processor core to execute from both the Normal world and the Secure world
• Normal world components cannot access Secure world resources

How TrustZone works
• Uses a "33rd bit", signalling whether the core is in secure mode
• This bit is also propagated outside the system on chip (SoC)
• Peripherals and memory are configured during startup as to which side (normal/secure) they belong to

ARM TrustZone: Non-Secure bit
• The memory is split into Secure and Non-secure regions
• The Non-secure (NS) bit determines whether program execution is in the Secure or Non-secure world
• The AMBA AXI bus propagates the NS bit
• Shared memory between the two worlds is possible
• Peripherals such as the screen and crypto blocks can be made secure
• Protected against software attacks

ARM TrustZone: transition management
• Switching between the Normal and Secure domain goes through the Monitor, a gatekeeper that controls migration between the Normal and Secure world
• The Normal world has both a user mode and a privileged mode; the same holds for the Secure world
• Secure device drivers typically run in user mode
• The NS bit cannot be switched from user mode
• The switch is requested with a Secure Monitor Call (SMC)
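To make the NS-bit rules from the three TrustZone slides above concrete, here is a small added model (not code from the slides or from ARM) of an address-space controller and of the SMC gate. The region table is a constructed partitioning, assumed to have been programmed by the secure boot code; every bus transaction carries the NS bit of the world that issued it, and Secure-tagged regions reject any transaction with NS set.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of a TrustZone address-space controller: each memory or
 * peripheral region is tagged Secure or Non-secure at startup, and the AXI
 * transaction carries the NS bit of the issuing world. */
typedef struct {
    const char *name;
    uint32_t base, size;
    bool secure;            /* true: only Secure-world (NS=0) access allowed */
} region_t;

/* Constructed partitioning (assumption), as set once during secure boot. */
static const region_t regions[] = {
    { "tee_ram",    0x10000000u, 0x00100000u, true  },  /* TEE OS memory  */
    { "shared_ram", 0x10100000u, 0x00010000u, false },  /* world-shared   */
    { "ree_ram",    0x20000000u, 0x10000000u, false },  /* Rich OS memory */
    { "crypto_blk", 0x40001000u, 0x00001000u, true  },  /* secure crypto  */
    { "uart",       0x40002000u, 0x00001000u, false },  /* normal-world   */
};

/* Bus-side check: returns 1 if the transaction is permitted, 0 if the bus
 * should abort it. Unmapped addresses are aborted as well. */
int bus_access(uint32_t addr, bool ns_bit) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const region_t *r = &regions[i];
        if (addr >= r->base && addr - r->base < r->size)
            return (!r->secure || !ns_bit) ? 1 : 0;
    }
    return 0;
}

/* Monitor entry: the NS bit only changes through an SMC issued from a
 * privileged mode. User-mode code (e.g. a secure driver) cannot flip it.
 * Returns 1 if the world switch happened, 0 if it was refused. */
int smc_switch(bool *ns_bit, bool privileged) {
    if (!privileged)
        return 0;
    *ns_bit = !*ns_bit;   /* Normal <-> Secure */
    return 1;
}
```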

Boot sequence
• CPU boots in "secure kernel mode" from ROM
• The ROM boot loader verifies the signature of the TEE OS
• The TEE verifies the signature of the Rich OS and starts it

Example use case: securebitcoin.net

BitCoin - example: SecureBitCoin.net
• Secure management of the Master Secret
• PIN entry to access the Master Secret
• Uses the secure crypto provided by the TEE
• The Master Secret is kept secure at all times
• Malware cannot steal data or modify transactions

Trusted User Interface

App Deployment "secure BitCoin" App

Global Platform