SegTEE: A Trusted Execution Environment System for Lightweight Edge Devices

SegTEE: Trusted Execution Environment for Lightweight Edge Devices

Authors: 杜冬冬 杨璧丞 余炀 夏虞斌[1] 丁佐华[2] 赵永望 张磊 臧斌宇[1] 陈海波[1] (DU Dong-Dong; YANG Bi-Cheng; YU Yang; XIA Yu-Bin; DING Zuo-Hua; ZHAO Yong-Wang; ZHANG Lei; ZANG Bin-Yu; CHEN Hai-Bo) (School of Software, SEIEE, Shanghai Jiao Tong University, Shanghai 200240; School of Information Science and Technology, Zhejiang Sci-Tech University, Hangzhou 310018; School of Cyber Science and Technology, Zhejiang University, Hangzhou 310007; Nanhu Laboratory, Jiaxing, Zhejiang 314001)

Affiliations: [1] School of Software, School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240; [2] School of Information Science and Technology, Zhejiang Sci-Tech University, Hangzhou 310018; [3] School of Cyber Science and Technology, Zhejiang University, Hangzhou 310007; [4] Nanhu Laboratory, Jiaxing, Zhejiang 314001

Source: Chinese Journal of Computers (《计算机学报》), 2025, No. 1, pp. 188-209 (22 pages)

Funding: Key Program of the National Natural Science Foundation of China (62132014); National Science Fund for Distinguished Young Scholars (61925206); National Key R&D Program of China (2022YFB4501500, 2022YFB4501502).

Abstract: In the edge scenarios of the Internet of Everything and intelligent connected computing, protecting user privacy and isolating critical code and data on lightweight edge devices has become an important problem that urgently needs a breakthrough. Existing systems usually rely on trusted execution environments (TEEs), which protect the confidentiality and integrity of security-sensitive applications through processor-based hardware extensions. However, existing edge-side TEE systems mainly target static, fixed security scenarios and struggle to meet the dynamic and complex security requirements brought by the Internet of Everything. Specifically, there are four key challenges. First, dynamic and complex security requirements impose a non-negligible "resource tax" on the TEE, making it hard to deploy on lightweight edge devices. Second, in terms of memory safety, existing edge devices usually provide only simple segment isolation mechanisms (such as the ARM MPU and RISC-V PMP), which struggle to support complex multi-level, multi-domain isolation requirements. Third, in terms of I/O security, existing systems use either static partitioning or host proxying; the former cannot adapt to dynamically changing security application scenarios, and the latter carries serious performance overhead and security risks. Finally, in terms of scalability, the segment isolation mechanisms that edge devices rely on can reduce hardware resource overhead but support only a very limited number of isolation domains, which cannot satisfy the larger number of isolation domains needed in Internet of Everything scenarios. To systematically break through and solve these challenges, this paper proposes SegTEE, a TEE system for lightweight edge devices in the Internet of Everything. Compared with traditional TEE schemes, SegTEE designs whole-system isolation and protection around segment isolation mechanisms, supporting both isolation between isolation domains at the same privilege level and segment isolation across privilege levels. Specifically, SegTEE first proposes a nested segment isolation mechanism that supports the TEE-Seg and OS-Seg segment protection mechanisms at the hardware level, where TEE-Seg implements isolation between isolation domains and OS-Seg provides isolation guarantees between user mode and the privileged-mode operating system. Building on the nested segment isolation of TEE-Seg and OS-Seg, SegTEE introduces a segment sliding window design that realizes hundreds of isolation domains on top of a limited number (for example, 16) of segment registers, effectively supporting the complex scenarios of the Internet of Everything. SegTEE also introduces a segment-based memory trimming mechanism that effectively reduces the resource tax, and designs a segment-isolation-based dynamic I/O

English abstract (as published): In the context of interconnected IoT and intelligent computing at the edge, safeguarding user privacy and isolating critical code and data on lightweight edge devices has become an urgent and critical issue. Existing systems often rely on trusted execution environments (TEEs) that protect the confidentiality and integrity of security-sensitive applications through hardware extensions embedded in processors. However, applying TEEs effectively on lightweight edge devices in the IoT realm remains a challenge. Specifically, four key problems and challenges exist. Firstly, the use of a trusted execution environment with dynamic security requirements imposes a non-negligible resource tax, making it difficult to deploy on lightweight edge devices. Secondly, existing edge devices often only provide simple segmentation mechanisms (such as ARM MPU and RISC-V PMP), which are insufficient to support the complex multi-level and multi-domain isolation requirements that are necessary for today's IoT applications. Moreover, in terms of I/O protection, existing methods usually adopt a static partition or host-proxy approach that cannot support dynamic security requirements and may incur high costs. Lastly, while segmentation mechanisms can adapt well to resource-constrained demands, they are unable to meet the growing number of isolation domain requirements in the IoT context. To systematically overcome these challenges, this paper proposes SegTEE: a trusted execution environment system tailored for small edge devices in the IoT landscape. Compared to traditional TEE solutions, SegTEE introduces a comprehensive system-level isolation and protection design based on segmentation mechanisms. It supports both isolation between privilege levels and isolation between applications with the same privilege level, utilizing segment-based methods. Specifically, SegTEE first introduces a nested segmentation mechanism that provides TEE-Seg and OS-Seg segment protections at the hardware level. TEE-Seg enables isolation between different domains, while OS-Seg ensures isolation betwee

Keywords: operating system; trusted execution environment; RISC-V

Classification: TP316 [Automation and Computer Technology: Computer Software and Theory]
