NDSS 2025 – SCRUTINIZER: Towards Secure Forensics On Compromised TrustZone
SCRUTINIZER 是首个针对受损 Arm TrustZone 系统的安全取证方案,通过 Arm 机密计算架构的 Root 世界构建保护层,将内存获取功能与监控分离并整合到 TrustZone 代理中以减少代码扩展和性能开销,并利用硬件特性增强安全性。
2025-12-26 16:0:0
Author: securityboulevard.com(查看原文)
阅读量:3
收藏
Session 7B: Trusted Hardware and Execution
Authors, Creators & Presenters: Yiming Zhang (Southern University of Science and Technology and The Hong Kong Polytechnic University), Fengwei Zhang (Southern University of Science and Technology), Xiapu Luo (The Hong Kong Polytechnic University), Rui Hou (Institute of Information Engineering, Chinese Academy of Sciences), Xuhua Ding (Singapore
Management University), Zhenkai Liang (National University of Singapore), Shoumeng Yan (Ant Group), Tao Wei (Ant Group), Zhengyu He (Ant Group)
PAPER
SCRUTINIZER: Towards Secure Forensics on Compromised TrustZone
The number of vulnerabilities exploited in Arm TrustZone systems has been increasing recently. The absence of digital forensics tools prevents platform owners from incident response or periodic security scans. However, the area of secure forensics for compromised TrustZone remains unexplored and presents unresolved challenges. Traditional out-of-TrustZone forensics are inherently hindered by TrustZone protection, rendering them infeasible. In-TrustZone approaches are susceptible to attacks from privileged adversaries, undermining their security. To fill these gaps, we introduce SCRUTINIZER, the first secure forensics solution for compromised TrustZone systems. SCRUTINIZER utilizes the highest privilege domain of the recent Arm Confidential Computing Architecture (CCA), called the Root world, and extends it to build a protected SCRUTINIZER Monitor. Our design proposes a protective layer in the Monitor that decouples the memory acquisition functionality from the Monitor and integrates it into an in-TrustZone agent. This ensures that the agent is isolated from TrustZone systems and helps to minimize the codebase expansion of the Root world. Furthermore, by grafting most of the target’s page tables in the agent, SCRUTINIZER reduces redundant translation and mapping operations during memory acquisition, ultimately reducing performance overhead. SCRUTINIZER leverages multiple standard hardware features to enable secure forensic capabilities beyond pure memory acquisition, such as memory access traps and instruction tracing, while making them impervious to hardware configuration tampering by the privileged adversary. We prototype SCRUTINIZER and evaluate it using extensive experiments. The results show that SCRUTINIZER effectively inspects TrustZone systems while immune against privileged adversaries.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
