Overview

The increasing adoption of edge and cloud computing gives individual users a more seamless interaction with numerous mobile and server devices. Alongside these industry advances, concern for data security is growing. The advanced virtualization-based TEE introduced by the recent Arm Confidential Compute Architecture (CCA) creates a new physical address space (PAS), called the Realm world, for confidential computing that protects data confidentiality and integrity. The current version of CCA achieves isolation primarily by constructing Realm VMs with virtualization techniques and does not provide a user-level isolation environment.

We propose Shelter as a complement to CCA’s primary Realm-VM-style architecture, allowing third-party developers to deploy their applications with isolation in userspace as SApps. Shelter cooperates with the Arm CCA hardware primitives to provide hardware-based isolation while removing the need for software workloads to trust their data to a host OS, hypervisor, or other privileged software (e.g., a trusted OS or the Secure/Realm hypervisor).


FAQ

(1) What's the difference between Shelter and CCA?

          Isolation            PAS world   Privilege level   TCB
Shelter   RME+Multi-GPT        Normal      User              Monitor
CCA       RME+Virtualization   Realm       VM                Monitor+RMM

  • Extending CCA. Shelter deploys confidential computing for user-level applications and requires no hardware modification on CCA-compatible platforms, mobile and server alike.
  • Smaller TCB. Shelter does not need to trust the RMM, since its isolation mechanism relies only on GPT manipulation by the EL3 Monitor.
  • Lower performance overhead. Shelter runs in userspace and does not incur the overhead of hypervisor-based virtualization (e.g., VM exits and virtualized I/O operations).
(2) How does Shelter enforce isolation?

Shelter reuses the CCA hardware Realm Management Extension (RME) and CCA’s in-memory structure, the Granule Protection Table (GPT), to enforce isolation in userspace for Shelter Apps (SApps). The GPT specifies which physical address space (PAS) each memory page belongs to. The Granule Protection Check (GPC) enforced by RME consults the GPT on every memory access and blocks illegal accesses.

To isolate each SApp from other SApps, from the untrusted OS/hypervisor, and from privileged software (e.g., trusted OS, SPM, and RMM), Shelter uses a design called Multi-GPT Memory Isolation. Shelter maintains multiple GPTs that divide the PAS among different programs, and it controls the access permissions of each program by dynamically swapping in the GPT that corresponds to the program currently running. By establishing an address space per core for each SApp and for the other code regions, every SApp is isolated from other SApps and from software in the Normal, Secure, and Realm worlds.
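The Multi-GPT mechanism described above, as an added example that is not Shelter's own code: a simplified model in which each GPT assigns one PAS (or "no access") per 4 KiB granule, the GPC applies the RME access rule to the GPT active on a core, and only the Monitor swaps a core's GPT when it schedules a different program. The PAS names, table layout and the single-core scenario are assumptions of the model; real GPI encodings and GPTBR_EL3 handling are omitted.

```c
#include <stdbool.h>
#include <stdint.h>
/* Simplified model of Shelter's Multi-GPT isolation (added example, not the
 * project's code); real GPT/GPI encodings and GPTBR_EL3 updates are omitted. */
#define GRANULE_SHIFT 12   /* 4 KiB granules */
#define NGRANULES     8    /* 32 KiB of modelled physical memory */
enum pas { PAS_NORMAL, PAS_SECURE, PAS_REALM, PAS_ROOT, PAS_NO_ACCESS };
typedef struct { enum pas entry[NGRANULES]; } gpt_t; /* one PAS per granule */
typedef struct { const gpt_t *active_gpt; } core_t;  /* GPT selected on this core */
/* GPC: may software in `world` touch `pa` under this GPT? RME rule: Root reaches
 * every PAS, Secure/Realm reach their own PAS plus Normal, Normal only Normal. */
bool gpc_check(const gpt_t *gpt, uint64_t pa, enum pas world) {
    uint64_t g = pa >> GRANULE_SHIFT;
    if (g >= NGRANULES) return false;         /* outside modelled memory */
    enum pas owner = gpt->entry[g];
    if (owner == PAS_NO_ACCESS) return false; /* hidden from every world in this GPT */
    if (world == PAS_ROOT || owner == world) return true;
    return owner == PAS_NORMAL && world != PAS_NORMAL;   /* Secure/Realm may reach Normal */
}

/* Only the EL3 Monitor swaps a core's GPT, when it schedules another program. */
void monitor_switch_gpt(core_t *core, const gpt_t *gpt) { core->active_gpt = gpt; }

/* A SApp's GPT: its own granules [lo, hi] are Normal, everything else hidden. */
void build_sapp_gpt(gpt_t *gpt, unsigned lo, unsigned hi) {
    for (unsigned g = 0; g < NGRANULES; g++)
        gpt->entry[g] = (g >= lo && g <= hi) ? PAS_NORMAL : PAS_NO_ACCESS;
}

/* The OS/hypervisor GPT: granules below sapp_lo are Normal, SApp granules hidden. */
void build_os_gpt(gpt_t *gpt, unsigned sapp_lo) {
    for (unsigned g = 0; g < NGRANULES; g++)
        gpt->entry[g] = (g < sapp_lo) ? PAS_NORMAL : PAS_NO_ACCESS;
}

/* One core; OS owns granules 0-3, SApp A 4-5, SApp B 6-7. Returns how many of
 * the five probed accesses the GPC blocks (3). */
int shelter_demo(void) {
    static gpt_t os, a, b; core_t core; int blocked = 0;
    build_os_gpt(&os, 4); build_sapp_gpt(&a, 4, 5); build_sapp_gpt(&b, 6, 7);
    monitor_switch_gpt(&core, &os);                             /* OS scheduled */
    blocked += !gpc_check(core.active_gpt, 0x4000, PAS_NORMAL); /* OS reads SApp A: blocked */
    blocked += !gpc_check(core.active_gpt, 0x4000, PAS_REALM);  /* Realm software reads SApp A: blocked */
    blocked += !gpc_check(core.active_gpt, 0x1000, PAS_NORMAL); /* OS reads its own page: allowed */
    monitor_switch_gpt(&core, &a);                              /* SApp A scheduled */
    blocked += !gpc_check(core.active_gpt, 0x5000, PAS_NORMAL); /* A reads its own page: allowed */
    blocked += !gpc_check(core.active_gpt, 0x6000, PAS_NORMAL); /* A reads SApp B: blocked */
    return blocked;
}
```

The same access from the same world is permitted under one GPT and blocked under another; which GPT applies is decided solely by the Monitor's per-core switch, which is why the RMM and the OS/hypervisor stay outside the TCB.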


Prototype

We release a prototype based on FVP Base RevC-2xAEMvA with RME-enabled features for functional validation of our design.

Prototype on Github


Publication

SHELTER: Extending Arm CCA with Isolation in User Space

Yiming Zhang, Yuxin Hu, Zhenyu Ning, Fengwei Zhang, Xiapu Luo, Haoyang Huang, Shoumeng Yan, and Zhengyu He

In Proceedings of the 32nd USENIX Security Symposium (USENIX Security'23).

Download Link

Bibtex for citation:

@inproceedings{zhang2023shelter,
  title={SHELTER: Extending Arm CCA with Isolation in User Space},
  author={Zhang, Yiming and Hu, Yuxin and Ning, Zhenyu and Zhang, Fengwei and Luo, Xiapu and Huang, Haoyang and Yan, Shoumeng and He, Zhengyu},
  booktitle={32nd USENIX Security Symposium (USENIX Security'23)},
  year={2023}
}