Electronic data security has become an area of great focus for development as more daily transactions become computerized. Computing devices are constantly being utilized to exchange financial data, personal identification data, etc. As a result, attackers may attempt to compromise computing devices to gain access to this valuable information. For example, malicious software (malware) may be loaded to passively or actively attack computing devices. Passive attacks may comprise malware observing data being passed between a processor and a memory to obtain passwords or other sensitive or confidential data. Active attacks may involve altering data stored in memory to trigger an atypical result, such as allowing an unpermitted user to gain access to the computing device. In either instance, plaintext (unencrypted) data, whether at rest in the memory of a computing device or in transit between that memory and a processor in the computing device, is a major vulnerability.
Virtualized computing environments may offer some inherent protection from the above attacks. For example, a system-on-a-chip (SoC) for a mobile platform may support virtualization wherein at least one virtual machine (VM) executes an operating system (OS), etc. in a software-based environment that emulates actual device hardware. Thus, more than one VM may share a single set of device hardware, with each VM presented as if it were a separate physical device. An example implementation may include a virtual machine manager (VMM) or “hypervisor” to control at least one “trusted” VM or trusted execution environment (TEE) and at least one untrusted VM. Each VM may have an underlying OS to execute applications. A TEE may comprise a trusted OS (TOS) and a set of trusted services or applications executing in a trusted kernel. The untrusted VM may have a rich OS (e.g., Windows) and a set of untrusted applications. Virtualization-based security technologies may rely on the isolation between VMs to protect the applications executing on one VM from the applications executing on the rest of the VMs. A region of memory may be partitioned for each VM and made accessible only to that VM, to ensure secure execution and storage of secrets such as keys associated with the VM. To ensure complete security, the TOS itself must also be protected from malicious software attacks. Security is currently maintained by storing the TOS in hidden memory ranges that are invisible to untrusted software, peripherals, etc. When executing trusted applications, the TOS is accessed via the trusted kernel in the TEE. These accesses may expose the hidden location of the TOS to attackers who wish to compromise TEE security by accessing and/or corrupting the TOS. Existing TEE schemes do not provide protection against such attacks.
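The per-VM memory partitioning described above, shown as an added example that is not code from the original application or from any vendor's hypervisor: a small C model of the second-stage (guest-physical to host-physical) translation a VMM uses to give each VM its own view of memory, with the TOS placed in a hidden host-frame range that has no entry at all in the untrusted VM's table. The VM names, page counts, frame numbers, the read/execute-only mapping of the TOS image, and the rule that a peripheral may only DMA into VM-owned frames outside the hidden range are assumptions chosen for illustration.

```c
/*
 * Added example (not from the original text): a model of the stage-2
 * translation a VMM uses to partition memory between a trusted VM (TEE)
 * and an untrusted VM. All layout constants below are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT   12
#define GUEST_PAGES  16            /* each VM sees 16 guest-physical pages (assumed) */
#define HOST_PAGES   64            /* platform has 64 host-physical frames (assumed) */
#define TOS_HFN_BASE 48            /* hidden host-frame range holding the TOS (assumed) */
#define TOS_HFN_NUM  8

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum vm_id { VM_UNTRUSTED = 0, VM_TRUSTED = 1, VM_COUNT };
enum xlate_result { XLATE_OK, XLATE_UNMAPPED, XLATE_PERM };

struct s2_pte { uint32_t hfn; uint8_t perm; bool valid; };

struct vmm {
    struct s2_pte s2[VM_COUNT][GUEST_PAGES]; /* one stage-2 table per VM */
    int owner[HOST_PAGES];                   /* -1: hypervisor-only, else owning vm_id */
};

/* Map one guest page for a VM; a frame already owned by another VM is refused. */
static bool vmm_map(struct vmm *v, enum vm_id vm, uint32_t gpn, uint32_t hfn, uint8_t perm)
{
    if (vm >= VM_COUNT || gpn >= GUEST_PAGES || hfn >= HOST_PAGES) return false;
    if (v->owner[hfn] != -1 && v->owner[hfn] != (int)vm) return false;
    v->owner[hfn] = (int)vm;
    v->s2[vm][gpn] = (struct s2_pte){ .hfn = hfn, .perm = perm, .valid = true };
    return true;
}

/* Stage-2 walk for a CPU access from `vm` to guest-physical `gpa` needing `need` rights. */
static enum xlate_result vmm_translate(const struct vmm *v, enum vm_id vm, uint64_t gpa,
                                       uint8_t need, uint64_t *hpa)
{
    uint64_t gpn = gpa >> PAGE_SHIFT;
    if (vm >= VM_COUNT || gpn >= GUEST_PAGES) return XLATE_UNMAPPED;
    const struct s2_pte *pte = &v->s2[vm][gpn];
    if (!pte->valid) return XLATE_UNMAPPED;            /* this VM has no view of the page */
    if ((pte->perm & need) != need) return XLATE_PERM; /* mapped, but not with these rights */
    if (hpa) *hpa = ((uint64_t)pte->hfn << PAGE_SHIFT) | (gpa & ((1u << PAGE_SHIFT) - 1));
    return XLATE_OK;
}

/* Peripheral DMA uses host-physical addresses; the hidden TOS range is never reachable. */
static bool vmm_dma_allowed(const struct vmm *v, uint64_t hpa)
{
    uint64_t hfn = hpa >> PAGE_SHIFT;
    if (hfn >= HOST_PAGES) return false;
    if (hfn >= TOS_HFN_BASE && hfn < TOS_HFN_BASE + TOS_HFN_NUM) return false;
    return v->owner[hfn] != -1;                        /* only frames given to a VM (assumed policy) */
}

static void vmm_init(struct vmm *v)
{
    memset(v, 0, sizeof *v);
    for (int i = 0; i < HOST_PAGES; i++) v->owner[i] = -1;
    /* Untrusted (rich OS) VM: guest pages 0..7 -> host frames 0..7, full rights */
    for (uint32_t p = 0; p < 8; p++) vmm_map(v, VM_UNTRUSTED, p, p, PERM_R | PERM_W | PERM_X);
    /* Trusted VM private data: guest pages 0..7 -> host frames 16..23, full rights */
    for (uint32_t p = 0; p < 8; p++) vmm_map(v, VM_TRUSTED, p, 16 + p, PERM_R | PERM_W | PERM_X);
    /* Trusted VM TOS image: guest pages 8..15 -> hidden frames 48..55, read/execute only */
    for (uint32_t p = 0; p < TOS_HFN_NUM; p++)
        vmm_map(v, VM_TRUSTED, 8 + p, TOS_HFN_BASE + p, PERM_R | PERM_X);
}

int main(void)
{
    struct vmm v;
    uint64_t hpa = 0;
    vmm_init(&v);

    /* The same guest-physical address resolves to different host frames per VM. */
    vmm_translate(&v, VM_UNTRUSTED, 0x1000, PERM_R, &hpa);
    printf("untrusted gpa 0x1000 -> hpa 0x%llx\n", (unsigned long long)hpa);
    vmm_translate(&v, VM_TRUSTED, 0x1000, PERM_R, &hpa);
    printf("trusted   gpa 0x1000 -> hpa 0x%llx\n", (unsigned long long)hpa);
    /* The untrusted VM has no mapping for the TOS pages at all. */
    printf("untrusted read of 0x8000: %s\n",
           vmm_translate(&v, VM_UNTRUSTED, 0x8000, PERM_R, NULL) == XLATE_UNMAPPED ? "fault" : "ok");
    /* Even the trusted VM cannot write the TOS image. */
    printf("trusted write to 0x8000: %s\n",
           vmm_translate(&v, VM_TRUSTED, 0x8000, PERM_W, NULL) == XLATE_PERM ? "fault" : "ok");
    /* A peripheral cannot DMA into the hidden range. */
    printf("DMA to TOS frame: %s\n", vmm_dma_allowed(&v, (uint64_t)TOS_HFN_BASE << PAGE_SHIFT) ? "ok" : "denied");
    return 0;
}
```

The model enforces exactly what the paragraph credits to existing schemes: the hidden range has no entry in the untrusted VM's stage-2 table, is refused to peripheral DMA, and is not writable even from the trusted VM. It says nothing about the exposure the paragraph ends with, where the trusted kernel's own accesses to the TOS may reveal its location; a mapping check of this kind offers no defence once that location is known to an attacker who can reach the underlying memory by other means.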
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications and variations thereof will be apparent to those skilled in the art.