一种基于TrustZone的Linux内核完整性保护方法

Kernel integrity protection has the abilityto prevent code injection and data tampering attack. However, most of the existing researches of Linux kernel integrity protection are based on desktop hardware platform and lack of methods suitable for mobile devices. In orderto solve this problem, we design a dynamic integrity verification method for kernel code and data based on the ARM TrustZone security extension, which is widely used by mobile devices. We put the key integrity verification function and integrity reference value into Secure World to prevent attackers located in Normal World from directly destroying the integrity protection process. Compared with traditional integrity protection methods, the security level of our method is greatly improved. We set a polling thread in the kernel that periodically traps into Secure World to perform integrity verification. In addition, we design a looped-self-protection-threads to hinder the attacker from suspending the polling thread to bypass protection. Experiments show that the prototype system can detect the integrity damage of the kernel in time and has a slight impact on performance.