Trusted Monitor: TEE-Based System Monitoring

  • Benedikt Jung, Nokia Networks
  • Christian Eichler, Ruhr Universität Bochum
  • Jonas Röckl, Friedrich-Alexander University Erlangen-Nürnberg
  • Ralph Schlenk, Nokia Networks
  • Timo Hönig, Ruhr Universität Bochum
  • Tilo Müller, Hof University of Applied Sciences

Abstract


As trusted computing becomes increasingly important, Trusted Execution Environments (TEEs) see more widespread use. A particularly high demand for security arises in the context of embedded systems in critical infrastructures. We present a novel intrusion detection system called the Trusted Monitor (TM) that protects its integrity even in the presence of a system-level attacker by running inside the ARM TrustZone TEE. The TM constantly monitors the system using hardware performance counters and detects intrusions based on the classification by an application-specific machine learning model. Our evaluation shows that the TM correctly classifies 86% of 183 evaluated workloads, while the performance overhead stays below 2%. In particular, we show that a real-world kernel-level rootkit observably influences the hardware performance counters and, thus, can be detected.
Published
21/11/2022
JUNG, Benedikt; EICHLER, Christian; RÖCKL, Jonas; SCHLENK, Ralph; HÖNIG, Timo; MÜLLER, Tilo. Trusted Monitor: TEE-Based System Monitoring. In: SIMPÓSIO BRASILEIRO DE ENGENHARIA DE SISTEMAS COMPUTACIONAIS (SBESC), 12., 2022, Fortaleza/CE. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2022. p. 47-54. ISSN 2237-5430.