Marten van Dijk

      Consultant, Inventor, Researcher, Applied Mathematician, & Computer Scientist

   The Trusted Execution Module:

    The increasing adoption of attachable (as opposed to embedded) inexpensive trusted hardware such as 
    smartcards, SIM cards, and USB sticks allows their use as small trusted computing bases (TCBs) that 
    integrate easily into a user's communication and computing environment. They can be used to safely carry 
    around security-critical data such as cryptographic keys, and to perform secure computation or execute 
    security-critical decisions anywhere and at any time.

    In [1] we propose the trusted execution module (TEM) as a TCB for the low-resource environments of 
    such inexpensive, commercially available secure chips, which have limited computational capability. 
    The TEM can securely execute small computations expressed as SECpacks: partially encrypted packets 
    of executable code that can only be executed by a TEM holding the appropriate decryption key.

    The TEM guarantees the confidentiality and integrity of both the computation process and the 
    information it consumes and produces, even if the SECpack author and the TEM owner do not trust each 
    other. The TEM protects the SECpack's integrity and confidentiality against attacks by the TEM's owner. A 
    malicious SECpack cannot negatively impact the TEM it runs on, and it cannot maliciously interfere 
    with the results of SECpacks written by other authors. SECpacks can migrate from one TEM to another, 
    and their execution may depend on previously executed SECpacks (if they share mutable variables). 
    The TEM provides an exact description of how it can be accessed, how it executes code, and how it manages 
    keys. Thus, the TEM is a minimal TCB that can be used for mobile code and private execution applications.

    Smartcards today are mostly used in an application-specific way; the TEM is not application specific, 
    and anyone can write secure applications by using the SECpack methodology. SECpacks of different 
    applications are isolated from one another in that they do not share keys. SECpacks have control 
    over their own keys: a key can only be accessed by an authorized SECpack, which prevents a malicious 
    SECpack from using that key.

    The TEM is a general framework that allows anyone to write their own secure (mobile agent) 
    applications. Any private execution of mobile code can be implemented using SECpacks; SECpacks 
    constitute the layer that accesses the TEM.
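    As an added illustration (not the TEM design or code from [1]), the following Python model shows the 
    properties described above: a SECpack with a clear header and an encrypted, integrity-protected body 
    that only a TEM holding the right key can run, keys that only the authoring SECpack's author may use, 
    and mutable variables shared between SECpacks. The packet layout, the single shared symmetric key in 
    place of the TEM's key pair, and the tiny instruction set are assumptions of this model.

```python
import hmac, hashlib, json, os

# Toy TEM model (added illustration, not the CARDIS 2008 design). Simplification:
# author and TEM share one symmetric master key; the real TEM uses its own key pair.

def _sub(master, label):                       # derive enc/mac keys from the TEM key
    return hmac.new(master, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):             # HMAC-SHA256 counter-mode keystream
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(tem_key, pack):                       # integrity over clear header + body
    msg = pack["header"] + pack["nonce"] + pack["ct"]
    return hmac.new(_sub(tem_key, b"mac"), msg, hashlib.sha256).digest()

def make_secpack(tem_key, author, program):
    """Author side: partially encrypted packet; only a TEM with tem_key can run the body."""
    pack = {"header": json.dumps({"author": author}).encode(), "nonce": os.urandom(16)}
    pack["ct"] = _xor_stream(_sub(tem_key, b"enc"), pack["nonce"], json.dumps(program).encode())
    pack["tag"] = _tag(tem_key, pack)
    return pack

class TEM:
    def __init__(self, tem_key):
        self.tem_key, self.keys, self.vars = tem_key, {}, {}   # keys: name -> (owner, secret)

    def execute(self, pack):
        if not hmac.compare_digest(_tag(self.tem_key, pack), pack["tag"]):
            raise PermissionError("SECpack rejected: integrity check failed")
        author = json.loads(pack["header"])["author"]
        program = json.loads(_xor_stream(_sub(self.tem_key, b"enc"), pack["nonce"], pack["ct"]))
        out = []
        for op, *args in program:
            if op == "newkey":                     # key belongs to this SECpack's author
                self.keys[args[0]] = (author, os.urandom(32))
            elif op == "mac":                      # another author's SECpack may not use it
                owner, secret = self.keys[args[0]]
                if owner != author:
                    raise PermissionError(f"key {args[0]} not authorized for {author}")
                out.append(hmac.new(secret, args[1].encode(), hashlib.sha256).hexdigest())
            elif op == "set":                      # mutable variable shared across SECpacks
                self.vars[args[0]] = args[1]
            elif op == "get":
                out.append(self.vars.get(args[0]))
        return out
```

    Feed the result of make_secpack with a program such as [["newkey", "k1"]] to TEM.execute; a later 
    SECpack from a different author naming k1 raises PermissionError, as does any packet whose ciphertext was modified.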

    The use of trusted hardware in active mobile agent applications removes the requirement of online 
    contact with a trusted third party (TTP) by instead placing trust in TCBs that are connected to 
    the users' machines. Even if the rest of a user's machine is untrusted, there is no need to rely on 
    a trusted OS, BIOS, CPU, or proprietary hardware or software, as in Trusted Platform Module (TPM) 
    based approaches. We assume that each TEM is protected by a tamper-resistant envelope; any attempt 
    to break a TEM leads to the destruction of the security-critical data in its persistent storage.

    [1] V. Costan, L. F. G. Sarmenta, M. van Dijk, and S. Devadas. The Trusted Execution Module: Commodity 
    General-Purpose Trusted Computing. CARDIS 2008.

© 2009 Marten van Dijk. All rights reserved.