• DocumentCode
    3704095
  • Title

    Issues in Trustworthy Software Systems

  • Author

    Mazen Ezzeddine;Haitham Akkary

  • Author_Institution
    Electr. &
  • Volume
    1
  • fYear
    2015
  • Firstpage
    1142
  • Lastpage
    1147
  • Abstract
    Lack of security in computing is most of the time due to software vulnerabilities. To a broad extent, security breaches are not due to problems in cryptography nor in the communication medium or in computer hardware and microprocessors. In turn, software vulnerabilities are mainly due to limitations in current state of the art software testing. Unfortunately, no major breakthrough in software testing is expected, neither at this time nor in the near future. To this end, researchers tackled the problem of platform security from a different perspective: dividing the platform into two orthogonal execution environments: trusted execution environment (TEE) and untrusted or rich execution environment (REE). In the latter, a rich execution environment hosting unrestricted commercial off-the-shelf software executes, while in the former a minimalistic highly trusted software stack executes. Execution takes place most of the time in the REE, while only sensitive and security critical operations take place in the TEE. In this paper, we review and discuss the required and highly recommended properties that any code executing in the TEE must preserve, and we show how software, security and machine architects should cooperate for maintaining a secure TEE orthogonal to a rich REE in embedded computing devices.
  • Keywords
    "Software","Software testing","Formal verification","Measurement","Cryptography"
  • Publisher
    ieee
  • Conference_Titel
    Trustcom/BigDataSE/ISPA, 2015 IEEE
  • Type

    conf

  • DOI
    10.1109/Trustcom.2015.495
  • Filename
    7345403