Tacco: A Framework for Ensuring the Security of Real-World TEEs via Formal Verification

Trusted Execution Environment (TEE) provides isolation for sensitive data in electronic devices and its compromise can lead to enormous losses. TEE's information-flow security is essential and can be robustly ensured by formal methods. Nevertheless, the cross-domain API invocation of TEE is int...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:IEEE transactions on dependable and secure computing Jg. 22; H. 6; S. 6983 - 6997
Hauptverfasser: Hu, Jilin, Zhao, Yongwang, Pan, Shuangquan, Ding, Zuohua, Ren, Kui
Format: Journal Article
Sprache:Englisch
Veröffentlicht: Washington IEEE 01.11.2025
IEEE Computer Society
Schlagworte:
Application programming interface
Application programming interfaces
Certification
Criteria
Formal method
Formal verification
globalplatform
Information flow
information-flow security
Kernel
Memory management
Monitoring
Security
Source coding
Switches
Theorem proving
trusted execution environment
Verification
ISSN:1545-5971, 1941-0018
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Trusted Execution Environment (TEE) provides isolation for sensitive data in electronic devices and its compromise can lead to enormous losses. TEE's information-flow security is essential and can be robustly ensured by formal methods. Nevertheless, the cross-domain API invocation of TEE is intricate for information-flow analysis, and the service provider on the TEE, i.e., trusted application, brings complexity to the TEE specification and verification. Existing research seldom delves into general TEEs that are compliant with GlobalPlatform (GP), which is an important and universal TEE standard. Furthermore, they do not align with the requirements for Common Criteria certification. In this paper, we propose a TEE-applicable and Common Criteria-oriented framework to specify and verify the information-flow security of GP TEE, which is applied to the verification of the real-world commercial MiTEE. Firstly, we present a framework for TEE that aligns with the requirements of Common Criteria's highest assurance level (EAL 7). It incorporates a domain-switch based mechanism to model the cross-domain TEE API invocation and a parameterized modeling approach to handle trusted applications. Secondly, we model GlobalPlatform-compliant TEE with the framework as GP TEE security model layer and function layer, which are reusable for all GP TEEs. Thirdly, we specify MiTEE as the MiTEE design layer that refines GP TEE model. Lastly, we verify the information-flow security of GP TEE and MiTEE via theorem proving and uncover four critical vulnerabilities in MiTEE. This work contributes to MiTEE's acquirement of an EAL 5+ certificate. All works are carried out in Isabelle/HOL, with nearly 32000 lines of code.
Bibliographie:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2025.3594594