W&M ScholarWorks W&M ScholarWorks
Arts & Sciences Articles Arts and Sciences
2016
CaSE: Cache-Assisted Secure Execution on ARM Processors CaSE: Cache-Assisted Secure Execution on ARM Processors
Ning Zhang
Virginia Polytech Inst & State Univ, Blacksburg, VA 24061 USA;
Wenjing Lou
Virginia Polytech Inst & State Univ, Blacksburg, VA 24061 USA;
Y. Thomas Hou
Virginia Polytech Inst & State Univ, Blacksburg, VA 24061 USA;
Kun Sun
Coll William & Mary, Dept Comp Sci, Williamsburg, VA 23185 USA
Follow this and additional works at: https://scholarworks.wm.edu/aspubs
Recommended Citation Recommended Citation
Zhang, N., Sun, K., Lou, W., & Hou, Y. T. (2016, May). Case: Cache-assisted secure execution on arm
processors. In 2016 IEEE Symposium on Security and Privacy (SP) (pp. 72-90). IEEE.
This Article is brought to you for free and open access by the Arts and Sciences at W&M ScholarWorks. It has been
accepted for inclusion in Arts & Sciences Articles by an authorized administrator of W&M ScholarWorks. For more
information, please contact scholarworks@wm.edu.
CaSE: Cache-Assisted Secure Execution on ARM Processors
Ning Zhang
∗
, Kun Sun
†
, Wenjing Lou
∗
, Y. Thomas Hou
∗
∗
Virginia Polytechnic Institute and State University, VA
†
Department of Computer Science, College of William and Mary, Williamsburg, VA
Abstract—Recognizing the pressing demands to secure em-
bedded applications, ARM TrustZone has been adopted in
both academic research and commercial products to protect
sensitive code and data in a privileged, isolated execution
environment. However, the design of TrustZone cannot prevent
physical memory disclosure attacks such as cold boot attack
from gaining unrestricted read access to the sensitive contents
in the dynamic random access memory (DRAM). A number
of system-on-chip (SoC) bound execution solutions have been
proposed to thaw the cold boot attack by storing sensitive data
only in CPU registers, CPU cache or internal RAM. However,
when the operating system, which is responsible for creating
and maintaining the SoC-bound execution environment, is
compromised, all the sensitive data is leaked.
In this paper, we present the design and development of
a cache-assisted secure execution framework, called CaSE, on
ARM processors to defend against sophisticated attackers who
can launch multi-vector attacks including software attacks and
hardware memory disclosure attacks. CaSE utilizes TrustZone
and Cache-as-RAM technique to create a cache-based isolated
execution environment, which can protect both code and data
of security-sensitive applications against the compromised OS
and the cold boot attack. To protect the sensitive code and
data against cold boot attack, applications are encrypted in
memory and decrypted only within the processor for execution.
The memory separation and the cache separation provided by
TrustZone are used to protect the cached applications against
compromised OS.
We implement a prototype of CaSE on the i.MX53 running
ARM Cortex-A8 processor. The experimental results show
that CaSE incurs small impacts on system performance when
executing cryptographic algorithms including AES, RSA, and
SHA1.
Keywords-TrustZone; Cache; Memory Encryption
I. INTRODUCTION
Smart devices are playing an increasingly important role
in our daily life. As the most widely deployed CPU in
mobile devices, ARM family processors have been used
in 4.5 billion mobile phones to process and store sensitive
data [1], [2]. For instance, around 51% of U.S. adults bank
online and 35% of them use mobile phones to perform
online transactions [3]. Meanwhile, fueled by the lucrative
black market for mobile malware, an increasing number of
system vulnerabilities have been identified and exploited to
compromise the mobile OS [4]. McAfee Lab reported a 24%
increase in the unique number of mobile malware in Q4
2015 [5].
To enhance the security of embedded systems, ARM
provides a hardware security extension named TrustZone to
protect sensitive code and data of applications in an isolated
execution environment against a potentially compromised
OS [6]. TrustZone has been widely adopted not only in
academic research projects [7], [8], [9], [10], [11], [12],
but also in commercial products [13], [14], [15]. However,
the design of TrustZone cannot prevent physical memory
disclosure attacks such as cold boot attacks [16], [17],
[18], [19]. Since mobile phones are frequently stolen, when
attackers have physical access to the mobile devices, they
can gain unrestricted access to the contents in the DRAM.
Unfortunately, TrustZone does not enforce encryption of
memory in the privileged environment like SGX [20], [21].
As a result, sensitive information, such as cryptographic key
material, is not secured even if it is stored in TrustZone
protected physical memory when adversaries have physical
access to the mobile device.
To protect against physical memory disclosure attacks,
SoC-bound execution solutions have been proposed to move
sensitive data out of DRAM and save them in proces-
sor registers [22], [23], [24], processor cache [25], [26],
[27], [18] or internal RAM [18]. All these SoC-bound
execution solutions can effectively thaw physical memory
attacks under a strong assumption that the OS, which is
responsible for creating and maintaining the SoC-bound
execution environment, can be trusted. The justification for
this design assumption is that when the OS is compromised,
there is no need for attackers to launch a cold boot attack,
because the OS can directly access the entire DRAM.
However, it is not true for ARM processors with TrustZone
support. Though TrustZone can prevent a malicious OS
from accessing protected secure memory, it cannot defend
against cold boot attacks. Thus, it is critical to protect mobile
systems against multi-vector attacks [28] including software
attacks and physical memory disclosure attacks.
In this paper, we propose a cache-assisted secure exe-
cution system called CaSE that can protect against both
software attacks and physical memory disclosure attacks on
ARM-based devices. The basic idea is to create a secure
environment in the CPU cache and use TrustZone to prevent
the potentially compromised OS from accessing the secure
environment. Thus, CaSE can protect both confidentiality
and integrity of the application’s code and data against both
software attacks and physical memory disclosure attacks.
To protect against physical memory disclosure attacks,
CaSE creates an execution environment inside the ARM pro-
2016 IEEE Symposium on Security and Privacy
2375-1207/16 $31.00 © 2016 IEEE
DOI 10.1109/SP.2016.13
72
2016 IEEE Symposium on Security and Privacy
© 2016, Ning Zhang. Under license to IEEE.
DOI 10.1109/SP.2016.13
72
cessor by loading and executing an application completely
within the CPU cache. Cache is designed to be a hardware
mechanism that is transparent to the system software except
for a small number of maintenance instructions. Therefore,
we solve several challenges to create a cache-assisted exe-
cution environment.
First, to make computation SoC-bound, the application
code, data, stack and heap have to be stored in and only
in the cache. The memory for each component in the
application address space has to be allocated carefully to
eliminate cache contention. Unfortunately, none of the pub-
licly available ARM documents details the mapping from
memory addresses to cache line indexes. In order to correctly
place and optimize application memory in the cache, we
design and perform experiments to obtain cache mapping
schemes of the targeted hardware platform.
Second, once the application is loaded in the cache, we
make use of the hardware-assisted cache locking function
to pin down portions of the cache, without significantly im-
pacting the system performance. With the ability to control
eviction policy on cache lines that store the sensitive data, it
is possible to enable context switching between the protected
application and the rest of the system without concerning
the execution of other programs will cause eviction of the
sensitive contents from cache to DRAM.
Third, since the application is still encrypted when loaded
into DRAM, it needs to be decrypted completely within
cache before being executed. In many processor architec-
tures, including ARM, instruction cache and data cache are
not guaranteed to be coherent. When an application decrypts
its own code back into the process address space, instruction
cache and data cache become incoherent. Such issue of
incoherent cache caused by self-modifying programs is often
resolved by flushing the cache. In CaSE, flushing the cache
fails our efforts of running applications entirely inside the
SoC. To solve this problem, we synchronize the incoherent
data cache and instruction cache by utilizing the unified last
level cache in the processor.
TrustZone is used to protect the cache-assisted isola-
tion environment against an untrusted OS. Cache lines in
TrustZone-enabled ARM processors are built with an extra
non-secure (NS) bit to indicate whether the line belongs to
the secure world or the normal world. Therefore, the rich
OS in the normal world cannot access or manipulate the
cache lines used by the secure world. The secret key to
decrypt the application is saved in the secure world cache.
Without the key, a compromised rich OS cannot decrypt
the application code, which may be misused by attackers
to reverse engineer proprietary algorithms or find potential
vulnerabilities. CaSE offers two running modes depending
on whether secure world cache or normal world cache is
used to create the environment for the SoC-bound execution.
These two modes provide a trade-off between the system
security and the run-time performance.
We implement a prototype of CaSE on the i.MX53 run-
ning ARM Cortex-A8 processor. Using the CaSE, we show
that it is possible to execute a kernel integrity checker and a
suite of cryptographic algorithms including AES, RSA, and
SHA1 in the cache with small performance impacts.
In summary, we make the following contributions,
• We propose a secure cache-assisted SoC-bound exe-
cution framework that can protect sensitive code and
data of applications against both software attacks from a
compromised rich OS and physical memory disclosure
attacks that can gain unrestricted access to the DRAM.
• We present a systematic study on designing and secur-
ing our cache-assisted SoC-bound execution environ-
ment on ARM platforms. We demonstrate the appli-
cability of our system by prototyping several popular
cryptographic algorithms along with a kernel integrity
checker.
• We implement a prototype on the i.MX53 running
ARM Cortex-A8 processors. The experimental results
show that CaSE has small impacts on the system
performance.
The remainder of the paper is organized as follows.
Section II introduces background knowledge. Section III
presents the threat model and assumptions. The CaSE ar-
chitecture is presented in Section IV. The prototype is
detailed in Section V. Section VI provides discussion on the
experimental results. The extensions of CaSE are discussed
in VIII. Related works are presented in Section IX. Finally,
Section X provides the conclusion of the paper.
II. B
ACKGROUND
We first introduce the ARM TrustZone hardware security
extension. Then we discuss the generic ARM cache archi-
tecture along with the changes in the cache design due to
the addition of TrustZone.
A. ARM TrustZone
TrustZone is a set of hardware security extensions, con-
sisting of modifications to the processor, memory, and
peripherals [6]. It has been supported since ARMv6, and
most of the recent ARM system-on-chip processors support
this security extension. The main purpose of TrustZone is
to provide an end-to-end, complete system isolation for
secure code execution. The isolated environment provided
by TrustZone is often referred to as the secure world, while
the traditional operational environment is often referred to
as the normal world, the non-secure world,ortherich OS.
Based on the world that the processor is in, different
system resources can be accessed. The security configuration
register (SCR) in the CP15 coprocessor is one of the registers
that can only be accessed while the processor is in the secure
world. SCR contains an NS (non-secure) bit that governs the
security context of the processor. When NS bit is cleared,
the processor is in the secure world. When NS bit is set,
7373
Figure 1: Cache Architecture in ARM TrustZone
the processor is in the normal world. The only exception is
when the processor is in the monitor mode, which can be
triggered by either interrupts or secure monitor call (SMC)
instruction.
B. Cache Architecture in ARM Processors
Cache is considered to be the first level memory system
in ARM. It is usually constructed with a fast and expensive
static random access memory (SRAM). Most of the current
processors have multiple levels of cache, including level one
(L1) cache, level two cache (L2), and translation lookaside
buffer (TLB). Modern high-end processors typically have 32
KB to 1 MB L1 cache, and the size of L2 ranges from 256
KB to 2 MB. Since cache is small compared to the total
amount of addressable memory, N-way set associative table
is often used to organize the cache.
A typical 4-way set associative table is shown in Figure. 1.
A physical memory address is indexed into k cache lines,
where k is the set size. As there are four tables of size k,
the way number is four. Therefore, for any given memory
address, it can be in k
th
set entry of any way. For each cache
line, there is a tag carrying the hash value of the index along
with the status bits. With the introduction of TrustZone in
the ARM architecture, all levels of cache have been extended
with an additional NS tag bit, which records the security state
of the transaction that accesses the memory [6]. It eliminates
the need for a cache flush when switching between the two
worlds, significantly improving the system performance. The
content of the caches, with regard to the security state, is
dynamic. Any cache line can be evicted to make space for
new data, regardless of its security state. In other words, it
is possible for a secure cache line fill to evict a non-secure
cache line, and vice versa.
III. T
HREAT MODEL AND ASSUMPTIONS
A. Threat Model
Sophisticated cyber attacks nowadays involve multi-stage,
multi-vector attacks [28]. We assume that attackers can
use both software attacks and physical memory disclosure
attacks to obtain sensitive information in the DRAM.
1) Software Attack: Due to the increasing complexity of
the mobile OS kernel, attackers can often exploit various
kernel vulnerabilities to compromise the mobile OS. There-
fore, we assume that successful software attacks can lead to
the compromise of the OS and thus gain unrestricted access
to not only DRAM but also the CPU cache and registers.
It is well known that an adversary can use direct memory
access (DMA) attacks [29] to gain arbitrary access to phys-
ical memory on desktop computers through DMA channels
such as FireWire, Thunderbolt, and PCI Express. Though
DMA ports are not commonly available on current mobile
devices and USB ports are not DMA capable, it is still
possible for the attacker to misuse built-in DMA capable I/O
devices such as LCD controller and storage controller [4].
Therefore, we consider DMA attack as an attack vector
available to the compromised OS.
2) Physical Memory Disclosure Attack: With physical
access to the mobile devices, there are many types of
physical attacks, and it is hard to anticipate all of them.
For example, if the JTAG interface is enabled on production
systems, the attacker can connect a JTAG debugger to
manipulate system states of the normal world. Fortunately,
the secure world is protected from JTAG with the built-in
protections from TrustZone. Instead, the attacker can use
other advanced hardware to examine SoC internals or change
DRAM state [30].
In this work, we focus on physical memory disclosure
attacks, such as cold boot attacks [16], [17], [31], which
exploit the remanence effect of physical memory to gain
unrestricted read access to system memory. In general, there
are two types of cold boot attacks: (1) resetting the computer
to load a malicious OS from the attacker, and (2) unplugging
and placing DRAM chips into another machine controlled
by the attacker. Moreover, attackers can use bus snooping
attacks [32] to capture the sensitive data when it is being
loaded from or written to the DRAM. Note that though
TrustZone can be used to protect secure code execution
against the compromised rich OS in the normal world, the
DRAM used by the secure world is still vulnerable to a
physical memory disclosure attack since no encryption is
enforced on the DRAM.
B. Assumptions
We assume the ARM platform supports the TrustZone
hardware security extension. The high assurance boot (HAB)
and system isolation between the two worlds provided by
TrustZone can be trusted. We assume the secure application
running in the secure world can be trusted and will not
leak its information deliberately. The attackers can launch
various software attacks and physical memory disclosure
attacks in order to freely access the sensitive data in DRAM
memory. Moreover, after gaining the root privilege in the
normal world through software attacks, the attacker can also
access the CPU cache and registers of the normal world
7474
inside the processor. However, she will not be able to access
the processor cache or registers in the secure world due
to the protection of TrustZone. We assume that attackers
with physical access to the mobile devices cannot utilize
sophisticated hardware to access the SoC-bound data in
cache or registers. Side channel attacks such as timing and
power analysis are out of the scope of this paper.
IV. C
ASE ARCHITECTURE
CaSE is designed to provide a secure and isolated SoC-
bound execution using the commodity hardware components
running ARM processors. We first present our security goals
and then give a system overview which focuses on how these
goals are achieved in CaSE.
A. Security Goals
To protect against both software attacks and physical
memory disclosure attacks, we design CaSE to satisfy the
following security goals:
1) SoC-bound Execution Environment: The computation
and memory of the application shall be within the physical
boundary of the SoC. Since physical memory disclosure
attacks are capable of revealing all memory contents outside
the SoC, CaSE needs to use the memory that is within the
physical boundary of the SoC, such as on-chip memory or
processor cache to create a SoC-bound execution environ-
ment.
2) Isolated Execution Environment: The system shall
be able to provide an isolated execution environment. In
other words, it shall be able to bootstrap and maintain an
execution environment that is completely isolated from the
compromised mobile OS, including separation for processor,
memory, and peripherals. On ARM processors, TrustZone
can be used to achieve this goal.
3) Memory Protection Outside the Execution Environ-
ment: To protect both integrity and confidentiality of ap-
plication code and data, all program information outside the
physical boundary of the SoC shall be protected by cryp-
tography. More specifically, code and data of the application
shall be encrypted when they are saved into external DRAM
due to memory paging, context switch, etc.
B. CaSE Overview
The overall system architecture is shown in Figure. 2.
Cold boot attackers can gain unrestricted read access to all
external DRAM, including those used by the system as either
the secure world memory or the normal world memory. On
the other hand, software attacks allow adversaries to access
and manipulate memory contents of the normal world. The
protected application is encrypted in the DRAM to ensure
its confidentiality. When a user invokes an application, the
CaSE controller will first load the encrypted application into
the L2 unified cache. Then CaSE controller verifies and
decrypts the application completely within cache and sets
Figure 2: System Architecture
up the execution environment with cached memory. Using
the hardware-assisted memory protection by TrustZone, the
cache-based execution environment is isolated from software
attacks from the rich OS in the normal world. Lastly, the
application context is encrypted before written to memory
such that sensitive information never leaves the SoC in plain
text.
By executing applications only in the cache of an iso-
lated environment provided by TrustZone, CaSE can defend
against both software attacks that compromise the OS in the
normal world and physical memory disclosure attacks such
as cold boot attacks.
C. Constructing the SoC-bound Execution Environment
SoC-bound execution ensures that the execution of a piece
of code is entirely enclosed within the physical boundary of
the SoC. More specifically, the code, data, stack, and heap
of the application should all be allocated to the CPU cache.
Therefore, cold boot attacks cannot read either the program
state or the program itself. To enable a SoC-bound execution
in CPU cache, we need to solve several key challenges.
First, none of the publicly available ARM documents
describes the mapping from physical memory address to
cache line index in the cache way. We have to design and
perform experiments to figure out this mapping for both L1
and L2 caches in ARM processors. Our results indicate that
the cache organization of Cortex-A8 is similar to many other
platforms in x86 systems [33], [34]. Second, since there is
no direct access to cache lines from system software, we
need to develop a method to precisely load memory into
cache lines and avoid cache eviction during the load, run
7575
