LVC21-122: Trust Ain't Easy: Challenges of TEE Security

Session Abstract

The adoption of Trusted Execution Environment (TEE) technology is prevalent in many industries. We have been active in the TEE security field since its inception, more than a decade ago. Since then, we have seen TEE security overall improve due to technology advances, like the new ARM v8.4 features, to increased awareness being spread (e.g. at Linaro Connect!) and significant improvements in design (e.g. see OP-TEE).

Nonetheless, the availability of technology alone is not sufficient for securing a TEE adequately. Even today, we find weaknesses due to shortcomings, requiring the necessary awareness and attention to be addressed. In this talk, we put the spotlight on several important challenges and pitfalls that may undermine the ability to effectively secure a TEE-based product. We touch upon assumptions made during design, implementation weaknesses, overlooked configurations, insufficient processes and ecosystem peculiarities. All of which may affect TEE security negatively and give opportunity for attackers to succeed.

Many of the challenges can be addressed at the technology level whereas others require an increased level of understanding and awareness. With our talk, we aim to encourage adoption of new technological solutions and foster key reflections that may spark useful discussions in the industry, hopefully, contributing to the advancement of TEE security.

Session Speakers

Cristofaro Mune

Raelize (Co-Founder)

Cristofaro is a founder at Raelize and he has been in the security field for 15+ years. He has 10 years of experience with evaluating software and hardware security of secure devices, as well as in testing and assessing the security of Trusted Execution Environments (TEEs). His varied research, covering Fault Injection, TEE, White-Box cryptography, IoT exploitation and Mobile Security, has been presented at renowned international conferences and in academic papers.

Niek Timmers

Raelize (Co-Founder)

Niek has been analyzing and testing the security of software and hardware of secure devices for over a decade. His interest is typically sparked by technologies where the hardware of the device is fundamentally part of the equation.

