I am reading about ARM TrustZone. I read that when the Normal World wants a function from the Secure World, it raises an SMC exception, which makes a transfer to the Secure World. The thing that I did not understand is what prevents any malicious code from raising the SMC exception? If any unauthorized software can cause a transfer to the Secure World, then how is the Secure World "secure"?

DigitalPerson
  • Corollary: how is userspace "unprivileged" if any malicious code can enter a privileged mode by raising an SVC exception? – Notlikethat Nov 08 '16 at 10:24
  • Or the SMC is a *firewall*; like a router in a home. How can any home be secure when it is connected to the internet? In some sense, it can't. However, it gives a tool to try and limit access. The Motorola Razor uses TrustZone and was broken using SMC calls to access secure world memory/secrets. The SMC code itself needs to be audited, proved secure, etc. Trust-zone is a tool to **BUILD** a secure system. – artless noise Nov 08 '16 at 13:53
  • When an application reads and writes a file it makes calls to the operating system; what makes the operating system safe and secure from the application? Making a system call, making a request across security levels, doesn't automatically negate security; it is simply a way to communicate between security levels. How do you suggest we do this otherwise? – old_timer Nov 09 '16 at 02:30

1 Answer

Malicious software can transfer control to the secure world but is unable to manipulate the code in the secure world.

When normal world software requests a function from the secure world, the secure world is able to arbitrate whether to perform it or not.

Essentially, if malicious code has taken over the normal world, then its privileges cannot exceed what the normal world code would normally be able to do.

tangrs
  • Well, actually if TZ was set up incorrectly, the normal world could manipulate secure world code. One way to secure things is to make 'secure world' code/data unreadable (and certainly un-writeable) by the normal world. However, you need ways to communicate between the worlds to accomplish anything, and to secure a system this interface must be thoroughly vetted. So it is possible *what the normal world code would **normally** be able to do* is not well known by even the people that design the system. I.e., there is a lot of loaded information in that statement. However, a correct answer. – artless noise Nov 09 '16 at 15:12
  • And also implicit is the security design principle of layering. I.e., the normal world can be secured and part of a security solution. People must break the normal world security in order to get to be able to try and exploit the interface to get to the secure world. – artless noise Nov 09 '16 at 15:16
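
The arbitration described in the answer and comments above, as an added example (not part of the original thread, and not code from any real secure monitor): a secure-side dispatcher that treats the function ID and arguments arriving with an SMC as untrusted input. The memory map, service IDs, status codes and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical memory map for this sketch: normal-world (non-secure) DRAM. */
#define NS_RAM_BASE 0x80000000u
#define NS_RAM_SIZE 0x10000000u   /* secure RAM lies outside this window */

/* Hypothetical service IDs and status codes (not from any real firmware). */
enum { SVC_GET_VERSION = 1, SVC_SIGN_BUFFER = 2 };
enum { SMC_OK = 0, SMC_UNKNOWN_FN = -1, SMC_BAD_ARGS = -2 };
#define MAX_SIGN_LEN 4096u

/* True only if [addr, addr+len) lies entirely inside non-secure RAM.
 * Written without computing addr+len, so a huge len cannot wrap around. */
static int ns_range_ok(uint32_t addr, uint32_t len)
{
    if (len == 0 || len > NS_RAM_SIZE) return 0;
    if (addr < NS_RAM_BASE) return 0;
    return (addr - NS_RAM_BASE) <= (NS_RAM_SIZE - len);
}

/* Secure-side entry point reached after the SMC exception.
 * fn, a1 and a2 model register values supplied by the normal world. */
int32_t smc_dispatch(uint32_t fn, uint32_t a1, uint32_t a2)
{
    switch (fn) {
    case SVC_GET_VERSION:
        return 0x0100;                      /* constructed value */
    case SVC_SIGN_BUFFER:
        /* a1 = buffer address, a2 = length; refuse anything that could
         * alias secure memory or exceed the service's size limit. */
        if (a2 > MAX_SIGN_LEN || !ns_range_ok(a1, a2))
            return SMC_BAD_ARGS;
        /* A real service would copy the buffer into secure memory here
         * and operate only on that copy. */
        return SMC_OK;
    default:
        return SMC_UNKNOWN_FN;              /* allow-list: reject the rest */
    }
}
```

Any normal-world code can reach `smc_dispatch`, but it can only obtain what the allow-listed services choose to return; the pointer check is the kind of interface vetting the comments refer to.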