Ambassy: A Runtime Framework to Delegate Trusted Applications in an ARM/FPGA Hybrid System

Many mobile systems run on ARM-based devices today. People use these for increasingly diverse yet security-sensitive applications. ARM has adopted a security model to tackle this threat, where they manage private information in an isolated trusted execution environment (TEE) provided by TrustZone. This TrustZone-based model has been proven effective, but due to security concerns, it is available solely for the vendors applications, thereby hindering the broad use of TrustZone. Consequently, we propose a runtime framework backed by TrustZone to construct a secondary TEE. AMBASSY has its residence built on an on-chip field-programmable gate array (FPGA), which is a standard component in an ARM/FPGA hybrid system readily available on the market today. This study, to the best of our knowledge, is the first attempt to broaden the use of TrustZone by using an FPGA to build a secondary TEE for arbitrary third-parties, which otherwise should be expelled to the Normal World. This paper describes many design challenges that we have overcome to fully implement AMBASSY on an FPGA. Our experiments demonstrate the practicality of AMBASSY by presenting the security analysis and performance results of third-party application samples. The samples all run safely on AMBASSY, with shorter execution time than regular TEE applications in TrustZone (by a factor of 5.552).