# TEE-aided Write Protection Against Privileged Data Tampering

**Authors:** Lianying Zhao, Mohammad Mannan

arXiv: 1905.10723 · 2019-05-28

## TL;DR

This paper introduces Inuksuk, a TEE-based system that provides programmable write protection for user data, preventing unauthorized tampering even by malware with high privileges, without impacting system performance.

## Contribution

It presents a novel TEE-enabled data protection method that secures user files against tampering, independent of OS or application, and demonstrates its implementation across multiple OS platforms.

## Key findings

- Inuksuk effectively prevents unauthorized data modifications.
- The system incurs no runtime performance penalty.
- Ported Flicker for TEE management on Windows enhances adoptability.

## Abstract

Unauthorized data alteration has been a longstanding threat since the emergence of malware. System and application software can be reinstalled and hardware can be replaced, but user data is priceless in many cases. Especially in recent years, ransomware has become high-impact due to its direct monetization model. State-of-the-art defenses are mostly based on known signature or behavior analysis, and more importantly, require an uncompromised OS kernel. However, malware with the highest software privileges has shown its obvious existence. We propose to move from current detection/recovery based mechanisms to data loss prevention, where the focus is on armoring data instead of counteracting malware. Our solution, Inuksuk, relies on today's Trusted Execution Environments (TEEs), as available both on the CPU and storage device, to achieve programmable write protection. We back up a copy of user-selected files as write-protected at all times, and subsequent updates are written as new versions securely through TEE. We implement Inuksuk on Windows 7 and 10, and Linux (Ubuntu); our core design is OS and application agnostic, and incurs no run-time performance penalty for applications. File transfer disruption can be eliminated or alleviated through access modes and customizable update policies (e.g., interval, granularity). For Inuksuk's adoptability in modern OSes, we have also ported Flicker (EuroSys 2008), a defacto standard tool for in-OS privileged TEE management, to the latest 64-bit Windows.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.10723/full.md

## Figures

5 figures with captions in the complete paper: https://tomesphere.com/paper/1905.10723/full.md

## References

80 references — full list in the complete paper: https://tomesphere.com/paper/1905.10723/full.md

---
Source: https://tomesphere.com/paper/1905.10723