| As an isolated execution environment coexisting with the Rich Execution Environment (REE), the Trusted Execution Environment (TEE) provides a secure environment for sensitive and secure operations. The Client APP in the REE can execute secure and sensitive operations by invoking the Trusted APP in the TEE across domains. However, in the ARM TrustZone architecture, because the TEE lacks an authentication mechanism for the Client APP and data is transmitted between the REE and the TEE through a shared buffer, such cross-domain invocation carries risks of identity spoofing, information leakage and tampering. To address these issues, this paper proposes a cross-domain invocation security mechanism that uses the stage-2 address translation of the Hypervisor to enforce access control on the shared buffer, authenticates the REE process that requests a connection at the Secure Monitor, and allows only the authenticated REE process to invoke the Trusted APP in the TEE across domains. This paper also designs a mechanism to monitor the integrity of the REE kernel and the Client APP to enhance the security of cross-domain invocation. The main contributions of this paper are as follows: (1) A legitimacy check scheme for inter-domain invocation and a trusted invocation scheme for the Client APP in the REE are proposed to address the risk of identity spoofing. By maintaining a linked list of cross-domain invocation authorizations in the Secure Monitor and intercepting the REE invocation command to the TEE process for legitimacy authentication, the scheme ensures that an authorized Client APP can legally establish a connection with the Trusted APP. Meanwhile, by creating a kernel thread that periodically monitors the critical registers, code segment integrity, and running state of the Client APP, it prevents the Client APP from being compromised by attackers during cross-domain invocation with the TEE. (2) To address the risks of information leakage and tampering, a shared buffer protection scheme is proposed. The second-stage address translation of the Hypervisor is introduced to enforce access control on the shared buffer by setting the permission bit of the second-stage address translation page table entry. When an REE process accesses the shared buffer, it triggers a second-stage address translation page fault exception. The validity of the memory access instruction is then verified in the exception handler, and a valid instruction is allowed to access the shared buffer through instruction simulation. (3) To enhance the security of the REE kernel during cross-domain invocation with the TEE, a kernel integrity verification scheme is proposed. When the Client APP sends an invocation request to the TEE, the system verifies the integrity of the kernel in the REE to ensure that it is not compromised during cross-domain invocation with the TEE. Functionality and performance testing of a prototype of the cross-domain invocation security mechanism shows that the proposed mechanism can effectively resist the risks of identity spoofing, information leakage and tampering during cross-domain invocation, and that its performance loss is acceptable. |
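
The shared buffer protection path in contribution (2) can be modeled in user space as follows; this is an added example, not code from the paper. It assumes that a "valid" access is one issued by a process on the authorization list from an instruction inside that process's recorded code segment; the struct layouts, the pid and the addresses are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SHM_BASE 0x80000000ULL     /* constructed IPA of the shared buffer */
#define SHM_SIZE 4096u
enum { S2_EMULATED = 0, S2_DENY_UNAUTH = -1, S2_DENY_PC = -2, S2_DENY_RANGE = -3 };

struct auth_entry {                /* hypothetical node of the authorization list */
    uint32_t pid;                  /* authenticated REE process */
    uint64_t text_start, text_end; /* its code segment, recorded at authentication */
    struct auth_entry *next;
};

struct s2_fault {                  /* hypothetical decoded stage-2 permission fault */
    uint32_t pid;                  /* process running when the fault was taken */
    uint64_t pc, ipa;              /* faulting instruction and target address */
    size_t len; int is_write;
    uint8_t *data;                 /* bytes to store, or destination of a load */
};

static uint8_t shm[SHM_SIZE];      /* stands in for the REE/TEE shared buffer */

/* Validate the faulting access, then perform it on the guest's behalf. */
int s2_fault_handler(const struct auth_entry *list, const struct s2_fault *f)
{
    const struct auth_entry *a = list;
    while (a && a->pid != f->pid)
        a = a->next;
    if (!a) return S2_DENY_UNAUTH;                 /* process never authenticated */
    if (f->pc < a->text_start || f->pc >= a->text_end)
        return S2_DENY_PC;                         /* instruction outside recorded code */
    if (f->ipa < SHM_BASE || f->len > SHM_SIZE ||
        f->ipa - SHM_BASE > SHM_SIZE - f->len)
        return S2_DENY_RANGE;                      /* access would leave the buffer */
    uint8_t *p = shm + (f->ipa - SHM_BASE);
    if (f->is_write) memcpy(p, f->data, f->len);   /* emulate the store */
    else             memcpy(f->data, p, f->len);   /* emulate the load */
    return S2_EMULATED;
}

int main(void)
{
    struct auth_entry ca = { 1001, 0x400000, 0x410000, NULL };   /* constructed */
    uint8_t v[4] = { 1, 2, 3, 4 };
    struct s2_fault ok = { 1001, 0x400100, SHM_BASE + 16, 4, 1, v };
    struct s2_fault spoof = { 2002, 0x400100, SHM_BASE + 16, 4, 0, v };
    printf("ok=%d spoof=%d\n", s2_fault_handler(&ca, &ok), s2_fault_handler(&ca, &spoof));
    return 0;
}
```

Because the stage-2 entry never grants the guest direct access, every read and write of the buffer passes through this check, which is where the overhead the abstract mentions comes from.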