IEEE Access (Jan 2024)

TEE-PA: TEE Is a Cornerstone for Remote Provenance Auditing on Edge Devices With Semi-TCB

  • Taichi Takemura,
  • Ryo Yamamoto,
  • Kuniyasu Suzaki

DOI: https://doi.org/10.1109/ACCESS.2024.3366344
Journal volume & issue: Vol. 12, pp. 26536–26549

Abstract


AI&IoT edge devices run complex applications and are under the threat of stealthy attacks that traditional security systems do not easily detect. Provenance auditing is a promising technique for determining the ramifications of an attack from event logs. However, the original provenance auditing was designed for personal computers and is unsuitable for edge devices. Introducing provenance auditing on edge devices therefore raises the following three problems. (1) Current edge devices have relatively powerful CPUs, but not powerful enough for provenance auditing. (2) Most provenance auditing tools are developed as normal applications, so the log data is exposed to an untrusted area. (3) Most edge devices are used outdoors without an administrator and must be managed by secure M2M (Machine to Machine) communication. To solve these problems, we propose TEE-PA, which securely collects system call logs on an edge device using a TEE (Trusted Execution Environment) and sends them to a remote provenance auditing system on a powerful server. The system call logs are transferred directly from the kernel to the TEE and are exposed neither to administrators nor to attackers. Although the kernel runs in the untrusted world and has a semantic gap from the TEE, TEE-PA offers a semi-TCB (Trusted Computing Base): it measures the kernel integrity check mechanism from the TEE at boot time and partially trusts the kernel. Operational correctness is periodically confirmed by unpredictable heartbeat messages sent from the remote provenance auditing server. If correctness is not confirmed in the logs on the server, the heartbeat message is not sent, triggering an autonomous recovery: a system reset by a watchdog timer protected by the TEE. We implemented a prototype of TEE-PA on the Arm TrustZone of a Raspberry Pi 3, with SPADE and LKRG (Linux Kernel Runtime Guard) as the remote provenance auditing and kernel integrity check components. We demonstrate that TEE-PA can determine the ramifications of stealthy attacks (fileless malware and shell command attacks) with acceptable performance. The performance evaluation estimates that TEE-PA is 19 times faster than on-board provenance auditing.
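The heartbeat and watchdog loop the abstract describes, modelled end to end as an added example (this is not the paper's code and is not derived from the TEE-PA prototype). It assumes a symmetric key shared between the TEE and the auditing server, HMAC-SHA256 to seal log entries and heartbeats, logical ticks in place of a hardware timer, and that "correctness confirmed in the logs" can be modelled as the server receiving an authentic, gap-free batch of TEE-sealed entries; the paper's actual server-side check is not given on this page. The syscall events and the tampering step are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed model of the TEE-PA heartbeat / watchdog loop (added example, not the
# paper's code). Assumptions: a symmetric key shared between the TEE and the auditing
# server, HMAC-SHA256 to authenticate log entries and heartbeats, and logical "ticks"
# in place of a hardware timer.


def _tag(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 over the given parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class TeeLogger:
    """Secure-world log sink: the untrusted kernel pushes syscall events straight in and
    the TEE seals each one with a sequence number and MAC before it leaves the device."""

    def __init__(self, key: bytes):
        self.key, self.seq, self.buffer = key, 0, []

    def record(self, event: bytes) -> None:
        self.seq += 1
        self.buffer.append((self.seq, event, _tag(self.key, self.seq.to_bytes(8, "big"), event)))

    def flush(self) -> list:
        batch, self.buffer = self.buffer, []
        return batch


class TeeWatchdog:
    """Reset timer protected by the TEE. Only a heartbeat the server authenticated over a
    fresh log sequence number feeds it; a forged or replayed one lets it expire."""

    def __init__(self, key: bytes, logger: TeeLogger, timeout: int):
        self.key, self.logger, self.timeout = key, logger, timeout
        self.deadline, self.acked_seq, self.resets = timeout, 0, 0

    def feed(self, heartbeat: tuple, now: int) -> bool:
        seq, tag = heartbeat
        fresh = self.acked_seq < seq <= self.logger.seq  # rejects replay and future seq
        valid = hmac.compare_digest(tag, _tag(self.key, b"heartbeat", seq.to_bytes(8, "big")))
        if fresh and valid:
            self.acked_seq, self.deadline = seq, now + self.timeout
            return True
        return False

    def tick(self, now: int) -> bool:
        """Returns True when the timer expires, i.e. the autonomous reset fires."""
        if now >= self.deadline:
            self.resets += 1
            self.deadline = now + self.timeout
            return True
        return False


class AuditServer:
    """Remote provenance auditing side: verifies the sealed log stream and issues a
    heartbeat only when the batch is authentic and gap-free."""

    def __init__(self, key: bytes):
        self.key, self.next_seq, self.provenance = key, 1, []

    def ingest(self, batch: list):
        for seq, event, tag in batch:
            if seq != self.next_seq:
                return None  # dropped, reordered or replayed entry: no heartbeat
            if not hmac.compare_digest(tag, _tag(self.key, seq.to_bytes(8, "big"), event)):
                return None  # forged or modified entry: no heartbeat
            self.provenance.append(event)
            self.next_seq += 1
        confirmed = self.next_seq - 1
        return (confirmed, _tag(self.key, b"heartbeat", confirmed.to_bytes(8, "big")))


def simulate(tamper: bool, rounds: int = 3, timeout: int = 2) -> tuple:
    """Run `rounds` upload cycles; return (watchdog resets, events accepted by the server)."""
    key = secrets.token_bytes(32)  # constructed; provisioned into the TEE out of band
    logger = TeeLogger(key)
    wd = TeeWatchdog(key, logger, timeout)
    server = AuditServer(key)
    for t in range(rounds):
        # constructed syscall events handed from the kernel to the TEE
        logger.record(f"execve pid=100 path=/bin/sh tick={t}".encode())
        logger.record(f"openat pid=100 path=/etc/passwd tick={t}".encode())
        batch = logger.flush()
        if tamper and t == 1:
            batch = batch[1:]  # normal-world tampering: one entry dropped before upload
        hb = server.ingest(batch)
        if hb is not None:
            wd.feed(hb, now=t)
        wd.tick(now=t + 1)
    return wd.resets, len(server.provenance)


if __name__ == "__main__":
    print("honest run (resets, accepted events):", simulate(tamper=False))
    print("tampered run (resets, accepted events):", simulate(tamper=True))
```

The point the model makes is that the normal world never holds anything the watchdog will accept: the heartbeat is keyed to the server and bound to a sequence number the TEE already knows, so an attacker who hides or alters log entries can neither obtain a heartbeat from the server nor fabricate one locally, and the TEE-held timer runs out. After a reset a real deployment would re-synchronise sequence numbers at boot; the model simply counts the reset.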
