An Architecture for Virtualization-Based Trusted Execution Environment on Mobile Devices

In this paper, we present an architecture for a trusted execution environment on mobile devices that allows applications with a wide range of security requirements to run safely in an isolated environment, by using a mobile virtualization technology. These applications can take advantage of the semantics of running on secure area which is isolated from non-secure area that suffers from hacking, malignant code, or the like, while retaining the ability to run side-by-side with normal applications on a general execution environment. We achieve this synthesis by use of a mobile virtual machine monitor (mVMM) that partitions single mobile hardware platform into the separated and isolated virtual machines (VMs), providing the trusted execution environment and the trusted paths. In VM on which the secure OS runs, authentication credentials (e.g. Private keys) for electronic transactions and security sensitive data are stored and security sensitive processing is executed with no external network interfaces provided and only with a secure communication channel provided by mVMM. We explore the strengths and limitations of this architecture by describing and analyzing our prototype implementation and a simple mobile payment service that can be one of the important applications for the trusted execution environment. Through the architecture analysis, the proposed architecture can provide a reasonably trustworthy execution environment to a user in the run-time execution point of view.