Tacco: A Framework for Ensuring the Security of Real-World TEEs via Formal Verification

Trusted Execution Environment (TEE) provides isolation for sensitive data in electronic devices and its compromise can lead to enormous losses. TEE's information-flow security is essential and can be robustly ensured by formal methods. Nevertheless, the cross-domain API invocation of TEE is int...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on dependable and secure computing Vol. 22; no. 6; pp. 6983 - 6997
Main Authors: Hu, Jilin, Zhao, Yongwang, Pan, Shuangquan, Ding, Zuohua, Ren, Kui
Format: Journal Article
Language:English
Published: Washington IEEE 01.11.2025
IEEE Computer Society
Subjects:
Application programming interface
Application programming interfaces
Certification
Criteria
Formal method
Formal verification
globalplatform
Information flow
information-flow security
Kernel
Memory management
Monitoring
Security
Source coding
Switches
Theorem proving
trusted execution environment
Verification
ISSN:1545-5971, 1941-0018
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Trusted Execution Environment (TEE) provides isolation for sensitive data in electronic devices and its compromise can lead to enormous losses. TEE's information-flow security is essential and can be robustly ensured by formal methods. Nevertheless, the cross-domain API invocation of TEE is intricate for information-flow analysis, and the service provider on the TEE, i.e., trusted application, brings complexity to the TEE specification and verification. Existing research seldom delves into general TEEs that are compliant with GlobalPlatform (GP), which is an important and universal TEE standard. Furthermore, they do not align with the requirements for Common Criteria certification. In this paper, we propose a TEE-applicable and Common Criteria-oriented framework to specify and verify the information-flow security of GP TEE, which is applied to the verification of the real-world commercial MiTEE. Firstly, we present a framework for TEE that aligns with the requirements of Common Criteria's highest assurance level (EAL 7). It incorporates a domain-switch based mechanism to model the cross-domain TEE API invocation and a parameterized modeling approach to handle trusted applications. Secondly, we model GlobalPlatform-compliant TEE with the framework as GP TEE security model layer and function layer, which are reusable for all GP TEEs. Thirdly, we specify MiTEE as the MiTEE design layer that refines GP TEE model. Lastly, we verify the information-flow security of GP TEE and MiTEE via theorem proving and uncover four critical vulnerabilities in MiTEE. This work contributes to MiTEE's acquirement of an EAL 5+ certificate. All works are carried out in Isabelle/HOL, with nearly 32000 lines of code.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2025.3594594