TEE-Watchdog: Mitigating Unauthorized Activities within Trusted Execution Environments in ARM-Based Low-Power IoT Devices

Abstract

Trusted execution environments (TEEs) are on the rise in devices all around us ranging from large-scale cloud-based solutions to resource-constrained embedded devices. With the introduction of ARM TrustZone-M, hardware-assisted trusted execution is now supported in IoT nodes. TrustZone-M provides isolated execution of security-critical operations and sensitive data-generating peripherals. However, TrustZone-M, like all other TEEs, does not provide a mechanism to monitor operations in the trusted areas of the device and software in the secure areas of an IoT device has access to the entire secure and nonsecure software stack. This is crucial due to the diversity of device manufacturers and component suppliers in the market, which manifests trust issues, especially when third-party peripherals are incorporated into a TEE. Compromised TEEs can be misused for industrial espionage, data exfiltration through system backdoors, and illegal data sharing. It is of utmost importance here that system peripheral behaviour in terms of resource access is in accordance with their intended usage that is specified during integration. We propose TEE-Watchdog, a lightweight framework that establishes MPU protections for secure system peripherals in TrustZone-enabled low-end IoT devices. TEE-Watchdog ensures blocking unauthorized peripheral accesses and logging of application misbehaviour running in the TEE based on a manifest file. We define lightweight specifications and structure for the application manifest file enlisting permissions for critical system peripherals using concise binary object representation (CBOR). We implement and evaluate TEE-Watchdog using a Musca-A2 test chipboard. Our microbenchmark evaluations on CPU time and RAM usage demonstrated the practicality of TEE-Watchdog. Securing the system peripherals using TEE-Watchdog protections induced a 1.4% overhead on the latency of peripheral accesses, which was 61 microseconds on our test board. Our optimized CBOR-encoded manifest file template also showed a decrease in manifest file size by 40% as compared to the standard file formats, e.g., JSON.