Technical Report MSC-2019-03

Title: Trusted Execution Environments
Authors: Assaf Rosenbaum
Supervisors: Eli Biham and Sara Bitan
PDF: Currently accessible only within the Technion network
Abstract: Our dependence on computer systems is constantly growing. We rely on them for almost every aspect of our lives and trust them with our most sensitive information and critical operations. For example, a standard mobile phone may store personal data such as biometric data or a credit card number, as well as private information such as browsing history or medical records.

From an attacker's standpoint, the potential profit from a successful attack on these devices is quite considerable. Therefore, malicious players are willing to invest increasing efforts to devise highly sophisticated attacks. These malicious players use various technologies to constantly attack a wide range of targets such as governments, institutes and individuals.

One particularly interesting type of attack targets the victim's operating system (OS) kernel. A modern OS kernel is an extremely complex piece of software with millions of lines of code, making it error-prone and therefore easier for attackers to exploit. A successful attack on the OS kernel is devastating. An attacker with kernel privileges may bypass the security policy that the kernel is supposed to enforce. Moreover, attackers who succeed in taking over the kernel have total control over the system, including all user programs, disk files and I/O devices. Successful attackers can even bypass protection mechanisms like anti-virus or anti-malware kits, which rely on kernel services for their integrity and availability. With these facts in mind, we realized the OS kernel is a high-value target for attackers.

However, we observed that the OS kernel lacks some of the protection mechanisms that are used in user space. If the OS is compromised, the victim's system can no longer protect itself. Moreover, the system may not be aware it is compromised.

If we wish to maintain some level of security even in the case the OS is compromised, an isolated trusted component must be added to the system. One such component is called a Trusted Execution Environment (TEE). A TEE can be used to protect the OS kernel in the case of an attack, or to store sensitive data and prevent its leakage if the OS is compromised.

Our work focuses on the ways TEEs can improve the security of computer systems. We assess the current status of various TEE implementations and identify weak points in their security design. Based on our assessment we develop TROOS -- Trusted Open Operating System, a trusted OS for TEE, designed to address some of the flaws we found. We also develop TKRFP -- Trusted Return Flow Protection, which is a security mitigation that utilizes the TEE to eliminate the threats posed by return flow hijacking attacks (such as return oriented programming) on the OS. TKRFP provides another layer of security to the OS, and thus increases the entire system's security. Finally, we introduce the Context Switch Oriented Programming attack, which is a new attack technique that can potentially bypass shadow-stack-based mitigations against return flow hijacking. We also discuss countermeasures against this new attack, including how we protected TKRFP.

Copyright: The above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information.

Remark: Any link to this technical report should be to this page, rather than to the URL of the PDF files directly. The latter URLs may change without notice.

Computer science department, Technion