Smartphone owners often need to run security-critical programs on the same device as other untrusted and potentially malicious programs. This requires users to trust hardware and system software to correctly sandbox malicious programs, trust that is often misplaced. Our goal is to minimize the number and complexity of hardware and software components that a smartphone owner needs to trust to withstand adversarial inputs. We present a multi-domain hardware design composed of statically-partitioned, physically-isolated trust domains. We introduce a few simple, formally-verified hardware components to enable a program to gain provably exclusive and simultaneous access to both computation and I/O on a temporary basis. To manage this hardware, we present OctopOS, an OS composed of mutually distrustful subsystems. We present a prototype of this machine (hardware and OS) on a CPU-FPGA board and show that it incurs a small hardware cost compared to modern SoCs. For security-critical programs, we show that this machine significantly reduces the required trust compared to mainstream TEEs while achieving decent performance. For normal programs, performance is similar to a legacy machine.