KEVLAR-TZ: A Secure Cache for ARM TrustZone

TL;DR

KEVLAR-TZ introduces a secure, application-level cache leveraging ARM TrustZone for privacy-preserving data storage on edge devices, with a REST interface and durable secure storage, evaluated through performance experiments.

Contribution

It presents KEVLAR-TZ, a novel TrustZone-based secure cache with REST interface and persistent storage, fully implemented and evaluated on OP-TEE.

Findings

Demonstrates performance trade-offs in throughput and latency.

Provides open-source implementation for practical adoption.

Evaluates system performance across various workloads.

Abstract

Edge devices are increasingly in charge of storing privacy-sensitive data, in particular implantables, wearables, and nearables can potentially collect and process high-resolution vital signs 24/7. Storing and performing computations over such data in a privacy-preserving fashion is of paramount importance. We present KEVLAR-TZ, an application-level trusted cache designed to leverage ARM TrustZone, a popular trusted execution environment available in consumer-grade devices. To facilitate the integration with existing systems and IoT devices and protocols, KEVLAR-TZ exposes a REST-based interface with connection endpoints inside the TrustZone enclave. Furthermore, it exploits the on-device secure persistent storage to guarantee durability of data across reboots. We fully implemented KEVLAR-TZ on top of the OP-TEE framework, and experimentally evaluated its performance. Our results showcase performance trade-offs, for instance in terms of throughput and latency, for various workloads, and we believe our results can be useful for practitioners and in general developers of systems for TrustZone. KEVLAR-TZ is available as open-source at https://github.com/mqttz/kevlar-tz/.