Minimizing Trust with Exclusively-Used Physically-Isolated Hardware
Zhihao Yao, Seyed Mohammadjavad Seyed Talebi, Mingyi Chen, Ardalan Amiri Sani, Thomas Anderson

TL;DR
This paper proposes a hardware and OS design that isolates trust domains on smartphones to minimize trusted components, using formal verification and a prototype to demonstrate security benefits with minimal performance impact.
Contribution
It introduces a multi-domain hardware architecture with formal verification and a trust-minimizing OS, validated by a prototype on a CPU-FPGA platform.
Findings
Significantly reduces trust assumptions compared to mainstream TEEs.
Achieves low hardware overhead on a CPU-FPGA prototype.
Maintains normal performance for non-security-critical programs.
Abstract
Smartphone owners often need to run security-critical programs on the same device as other untrusted and potentially malicious programs. This requires users to trust hardware and system software to correctly sandbox malicious programs, trust that is often misplaced. Our goal is to minimize the number and complexity of hardware and software components that a smartphone owner needs to trust to withstand adversarial inputs. We present a multi-domain hardware design composed of statically-partitioned, physically-isolated trust domains. We introduce a few simple, formally-verified hardware components to enable a program to gain provably exclusive and simultaneous access to both computation and I/O on a temporary basis. To manage this hardware, we present OctopOS, an OS composed of mutually distrustful subsystems. We present a prototype of this machine (hardware and OS) on a CPU-FPGA…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security
