In recent years, we have witnessed unprecedented growth in the use of hardware-assisted Trusted Execution Environments (TEE) to protect sensitive code and data on commodity devices, thanks to new hardware security features such as Intel SGX and Arm TrustZone. Although existing TEEs bring many benefits, they have some crucial drawbacks. For example, existing TEEs time-share a processor core with the Rich Execution Environment (REE), making execution less efficient and vulnerable to side-channel attacks. Moreover, Arm TrustZone lacks hardware support for multiple TEEs, remote attestation, and memory encryption. Intel SGX only provides a static hardware trusted computing base (TCB), and enclaves cannot communicate with peripherals directly.
In this project, we present BYOTee (Build Your Own Trusted Execution Environments), an infrastructure for building multiple, equally secure TEEs by utilizing commodity System-on-Chip (SoC) Field Programmable Gate Array (FPGA) devices. BYOTee creates TEEs with customized hardware TCBs, which include softcore processors, block RAMs, and peripheral connections, in the FPGA on demand. Additionally, BYOTee provides mechanisms to attest the integrity and execution of Security-Sensitive Applications (SSA) in the customized TEEs to remote verifiers. We implement a proof-of-concept BYOTee system on the Digilent Cora Z7-07S board with the Xilinx Zynq-7000 SoC FPGA. The evaluation results on four types of SSAs and 12 benchmark applications demonstrate the usage, effectiveness, and performance of BYOTee.
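The abstract states that a BYOTee TEE has a customized hardware TCB (the FPGA configuration) and that the integrity and execution of an SSA are attested to a remote verifier, but it does not spell out the report format. The following is an added illustration, not the paper's own protocol or code: it models a verifier-nonce-bound report that measures the hardware TCB (the bitstream bytes) and the SSA binary, binds the SSA's output to those measurements, and authenticates the report with an HMAC under a device key that is assumed to be provisioned to the TEE and known to the verifier. The bitstream, SSA image, key, and `run_ssa` stand-in are all constructed placeholders; the check ordering (freshness, then authenticity, then identity) is the part worth studying.

```python
import hashlib
import hmac
import os

# Constructed sample artifacts (placeholders, not real BYOTee bitstreams or binaries)
HW_TCB_BITSTREAM = b"constructed: softcore + BRAM + peripheral bridge configuration"
SSA_BINARY = b"constructed: security-sensitive application image"
# Placeholder device key, assumed to be provisioned into the TEE and shared with the verifier
DEVICE_KEY = b"\x11" * 32


def measure(data: bytes) -> bytes:
    """SHA-256 measurement of a hardware TCB or a software component."""
    return hashlib.sha256(data).digest()


def run_ssa(ssa_binary: bytes, user_input: bytes) -> bytes:
    """Stand-in for executing the SSA on the softcore; real execution is hardware-specific.
    It only has to be a deterministic function of the SSA image and its input."""
    return hashlib.sha256(b"ssa-output|" + ssa_binary + b"|" + user_input).digest()


def tee_attest(bitstream: bytes, ssa_binary: bytes, user_input: bytes,
               nonce: bytes, key: bytes) -> dict:
    """TEE side: measure the hardware TCB and the SSA, run the SSA, and emit a report
    that binds the verifier's nonce, both measurements, and the output hash under an HMAC."""
    hw_meas = measure(bitstream)
    ssa_meas = measure(ssa_binary)
    output = run_ssa(ssa_binary, user_input)
    body = nonce + hw_meas + ssa_meas + measure(output)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"nonce": nonce, "hw": hw_meas, "ssa": ssa_meas, "output": output, "tag": tag}


def verify_report(report: dict, expected_hw: bytes, expected_ssa: bytes,
                  nonce: bytes, key: bytes) -> tuple:
    """Verifier side. Freshness first, then authenticity of the whole report, and only then
    the identity checks, so that an attacker-editable field is never trusted before the tag."""
    if report["nonce"] != nonce:
        return False, "stale nonce (possible replay)"
    body = report["nonce"] + report["hw"] + report["ssa"] + measure(report["output"])
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, report["tag"]):
        return False, "bad tag: report or output modified"
    if not hmac.compare_digest(report["hw"], expected_hw):
        return False, "unexpected hardware TCB"
    if not hmac.compare_digest(report["ssa"], expected_ssa):
        return False, "unexpected SSA"
    return True, "ok"


def attestation_demo() -> dict:
    """Run the honest case plus the failure modes a verifier must catch."""
    nonce = os.urandom(16)
    user_input = b"constructed sensor reading"
    expected_hw = measure(HW_TCB_BITSTREAM)   # golden value held by the verifier
    expected_ssa = measure(SSA_BINARY)
    results = {}

    good = tee_attest(HW_TCB_BITSTREAM, SSA_BINARY, user_input, nonce, DEVICE_KEY)
    results["good"] = verify_report(good, expected_hw, expected_ssa, nonce, DEVICE_KEY)

    # TEE built from a modified bitstream (e.g. an extra peripheral wired in): hardware TCB mismatch
    altered = tee_attest(HW_TCB_BITSTREAM + b"|extra", SSA_BINARY, user_input, nonce, DEVICE_KEY)
    results["altered_hw"] = verify_report(altered, expected_hw, expected_ssa, nonce, DEVICE_KEY)

    # Patched SSA image in a genuine hardware TCB: SSA mismatch
    patched = tee_attest(HW_TCB_BITSTREAM, SSA_BINARY + b"|patched", user_input, nonce, DEVICE_KEY)
    results["wrong_ssa"] = verify_report(patched, expected_hw, expected_ssa, nonce, DEVICE_KEY)

    # Old report replayed against a fresh challenge: freshness failure
    results["replayed"] = verify_report(good, expected_hw, expected_ssa, os.urandom(16), DEVICE_KEY)

    # Output swapped in transit while the rest of the report is kept: tag failure
    tampered = dict(good)
    tampered["output"] = b"forged result"
    results["tampered_output"] = verify_report(tampered, expected_hw, expected_ssa, nonce, DEVICE_KEY)
    return results


if __name__ == "__main__":
    for case, (ok, why) in attestation_demo().items():
        print(f"{case:16s} {'PASS' if ok else 'FAIL'}  {why}")
```

A symmetric HMAC keeps the example short; a deployment that attests to many verifiers would sign the same report body with a per-device asymmetric key instead, so that verifiers never hold a key that could forge reports. The hardware measurement is what distinguishes this setting from a fixed-TCB TEE: the verifier decides not only which SSA ran, but which softcore, memory, and peripheral configuration it ran on.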