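Author (Chinese): 蔡健怡
Author (English): Choi, Kin-I
Thesis title (Chinese): 針對環境敏感程式以 TEE 框架加強動態偵測
Thesis title (English): Enhancing Dynamic Analysis through A TEE-based Framework with Support for Environment-Sensitive Application
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 黃育綸, 許富皓
Committee members (English): Huang, Yu-Lun; Hsu, Fu-Hau
Degree: Master's
Institution: National Tsing Hua University
Department: Department of Computer Science
Student ID: 107062403
Year of publication (ROC calendar): 112
Graduation academic year: 112
Language: English
Number of pages: 54
Keywords (Chinese): trusted execution environment; dynamic detection; environment-sensitive; evasion; sandbox
Keywords (English): TEE; trusted execution environment; dynamic analysis; environment-sensitive; evasive; sandbox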
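Evasive malware disguises itself as well-behaved software when it runs in a monitored environment. This evasive attack technique is related to virtual machine discovery or anti-detection (or even virtual machine escape). The Open Portable Trusted Execution Environment (OP-TEE) can counter such attacks through its hardware-protected, separated memory design. Using the Teaclave TrustZone SDK, an officially supported sub-module of OP-TEE, makes it possible not only to identify this attack but also to strengthen the system by addressing memory problems in programs. Fabian et al. have shown that using programming languages with explicit memory management, such as C/C++, is vulnerable to attacks. Therefore, this study proposes a conceptual system that uses OP-TEE and the safe programming language Rust to detect malware, especially anti-analysis attacks.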
Evasive malware disguises itself as well-behaved software only when it runs in a monitored environment. This evasion technique relates to VM discovery or anti-detection (or even VM escape). The Open Portable Trusted Execution Environment (OP-TEE) resists such attacks through hardware-protected memory in separated worlds. Using the Teaclave TrustZone SDK, an officially supported sub-module of OP-TEE, not only addresses this attack but also hardens the system against memory problems across all programs. Fabian et al. have shown that using programming languages with explicit memory management, such as C/C++, is vulnerable to attacks. Therefore, this study proposes a conceptual system that utilizes OP-TEE and a secure programming language, Rust, to detect malware, particularly anti-analysis attacks.
Contents
Table of Contents
List of Figures
1 Introduction
  1.1 Motivation
  1.2 Contribution
  1.3 Organization
2 Background
  2.1 ARM Trusted Firmware - Trusted Board Boot
    2.1.1 Chain of Trust
  2.2 Trusted Execution Environment Operating System
    2.2.1 OP-TEE
    2.2.2 Teaclave TrustZone SDK
  2.3 Linux memory management
    2.3.1 System process tree
    2.3.2 Virtual Memory Mapping
3 Related Work
  3.1 LibVMI
  3.2 Dynamic integrity measurement
  3.3 Trusted boot on IOT
4 Methodology
  4.1 Goal and Challenges
  4.2 Alternative Design
  4.3 Threat Model and Assumptions
  4.4 Design Overview
    4.4.1 Client Application
    4.4.2 Trusted Application
    4.4.3 OP-TEE core library Libutee
    4.4.4 OP-TEE core module Pseudo Trusted Application
    4.4.5 Attestation Server
5 Implementation
  5.1 Experimental setup
  5.2 Client Application
  5.3 Trusted Application
  5.4 OP-TEE core library Libutee
  5.5 OP-TEE core module Pseudo Trusted Application
  5.6 Attestation Server
6 Evaluation
  6.1 Confidentiality
    6.1.1 Key system before boot
    6.1.2 Secure Storage
  6.2 Integrity
    6.2.1 TA signature and encryption key
  6.3 Availability
    6.3.1 PTA UUID
  6.4 Effectiveness
  6.5 Performance
  6.6 Metasploit
7 Conclusion
  7.1 Conclusion
  7.2 Future Work
    7.2.1 Development Board
    7.2.2 Android System
    7.2.3 LibVMI
References
[1] S. Wan, M. Sun, K. Sun, N. Zhang, and X. He, “Rustee: Developing memory-safe arm trustzone applications,” in Annual Computer Security Applications Conference, ACSAC ’20, (New York, NY, USA), p. 442–453, Association for Computing Machinery, 2020.
[2] F. Fleischer, M. Busch, and P. Kuhrt, “Memory corruption attacks within android tees: A case study based on op-tee,” in Proceedings of the 15th International Conference on Availability, Reliability and Security, ARES ’20, (New York, NY, USA), Association for Computing Machinery, 2020.
[3] K. Tam, A. Feizollah, N. Anuar, R. Salleh, and L. Cavallaro, “The evolution of android malware and android analysis techniques,” ACM Computing Surveys, vol. 49, pp. 1–41, jan 2017.
[4] T. Petsas, G. Voyatzis, E. Athanasopoulos, M. Polychronakis, and S. Ioannidis, “Rage against the virtual machine: Hindering dynamic analysis of android malware,” in Proceedings of the Seventh European Workshop on System Security, EuroSec ’14, (New York, NY, USA), Association for Computing Machinery, 2014.
[5] J. Gajrani, J. Sarswat, M. Tripathi, V. Laxmi, M. S. Gaur, and M. Conti, “A robust dynamic analysis system preventing sandbox detection by android malware,” in Proceedings of the 8th International Conference on Security of Information and Networks, SIN ’15, (New York, NY, USA), p. 290–295, Association for Computing Machinery, 2015.
[6] X. Wang, S. Zhu, D. Zhou, and Y. Yang, “Droid-antirm: Taming control flow anti-analysis to support automated dynamic analysis of android malware,” in Proceedings of the 33rd Annual Computer Security Applications Conference, ACSAC 2017, (New York, NY, USA), p. 350–361, Association for Computing Machinery, 2017.
[7] J. Gajrani, V. Laxmi, M. Tripathi, M. S. Gaur, A. Zemmari, M. Mosbah, and M. Conti, “Chapter three - effectiveness of state-of-the-art dynamic analysis techniques in identifying diverse android malware and future enhancements,” vol. 119 of Advances in Computers, pp. 73–120, Elsevier, 2020.
[8] X. Chen, J. Andersen, Z. M. Mao, M. Bailey, and J. Nazario, “Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware,” in 2008 IEEE international conference on dependable systems and networks with FTCS and DCC (DSN), pp. 177–186, IEEE, 2008.
[9] M. Lindorfer, C. Kolbitsch, and P. Milani Comparetti, “Detecting environment-sensitive malware,” in Recent Advances in Intrusion Detection: 14th International Symposium, RAID 2011, Menlo Park, CA, USA, September 20-21, 2011. Proceedings 14, pp. 338–357, Springer, 2011.
[10] C. Wueest, “Threats to virtual environments,” Symantec Security Response. Version, vol. 1, 2014.
[11] A. Jadhav, D. Vidyarthi, and M. Hemavathy, “Evolution of evasive malwares: A survey,” in 2016 International Conference on Computational Techniques in Information and Communication Technologies (ICCTICT), pp. 641–646, IEEE, 2016.
[12] Symantec Inc., “Cybersec 2022 symantec white papers,” 2022.
[13] TrustedFirmware.org, “OP-TEE documentation,” p. 170, 2021.
[14] F. Khalid and A. Masood, “Vulnerability analysis of qualcomm secure execution environment (qsee),” Computers & Security, vol. 116, p. 102628, 2022.
[15] A. M. Azab, P. Ning, J. Shah, Q. Chen, R. Bhutkar, G. Ganesh, J. Ma, and W. Shen, “Hypervision across worlds: Real-time kernel protection from the arm trustzone secure world,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, (New York, NY, USA), p. 90–102, Association for Computing Machinery, 2014.
[16] Advanced RISC Machines (ARM) Architecture and Technology Group, “Trusted board boot requirements client (tbbr-client) armv8-a,” sep 2018.
[17] GlobalPlatform Technology, “Tee internal core api specification version 1.2.1.31 [target v1.3],” sep 2020.
[18] Advanced RISC Machines (ARM) Architecture and Technology Group, “Learn the architecture - trustzone for aarch64,” Dec 2021.
[19] R. Jung, J.-H. Jourdan, R. Krebbers, and D. Dreyer, “Rustbelt: Securing the foundations of the rust programming language,” Proc. ACM Program. Lang., vol. 2, dec 2017.
[20] Advanced RISC Machines (ARM) Architecture and Technology Group, “Armv8-a address translation,” Jul 2019.
[21] B. D. Payne, T. K. Lengyel, S. Maresca, A. Saba, et al., “Libvmi: Simplified virtual machine introspection,” GitHub repository, 2022.
[22] C. Liu, M. Fan, Y. Feng, and G. Wang, “Dynamic integrity measurement model based on trusted computing,” in 2008 International Conference on Computational Intelligence and Security, vol. 1, pp. 281–284, 2008.
[23] Z. Ling, H. Yan, X. Shao, J. Luo, Y. Xu, B. Pearson, and X. Fu, “Secure boot, trusted boot and remote attestation for arm trustzone-based iot nodes,” Journal of Systems Architecture, vol. 119, p. 102240, 2021.
[24] Y. Chen, Y. Zhang, Z. Wang, and T. Wei, “Downgrade attack on trustzone,” p. 11, arXiv, 2017.
[25] N. Hussein, “Randomizing structure layout,” May 2017.
[26] SimonWan, “Can i start a ta without being called by ca?,” May 2017.
[27] Google Inc., “Android documentation,” 2022.