Trusted Execution Environment

A Trusted Execution Environment (TEE) is a secure area within a computer system or mobile device that ensures the confidentiality and integrity of data and processes that are executed inside it. The TEE is isolated and protected from the main operating system and other software applications, which prevents them from accessing or interfering with the data and processes within the TEE. The TEE is typically used for security-sensitive operations, such as secure storage of cryptographic keys, biometric authentication, and secure mobile payments. The TEE provides a high level of assurance that sensitive data and processes remain secure and tamper-proof, even if the main operating system or other software components are compromised.


How a Trusted Execution Environment Works

Trusted Execution Environments are established at the hardware level, which means that they are partitioned and isolated, complete with their own buses, peripherals, interrupts, memory regions, etc. TEEs run their own instance of an operating system, known as the Trusted OS, and the apps allowed to run in this isolated environment are referred to as Trusted Applications (TAs). Untrusted apps run in the open part of the system, under the larger operating system, referred to as the Rich Execution Environment (REE).

A trusted application has access to the full performance of the device despite operating in an isolated environment, and it is protected from all other applications. Data is usually encrypted in storage and transit and is only decrypted when it’s in the TEE for processing. The CPU blocks access to the TEE by all untrusted apps, regardless of the privileges of the entities requesting access.

To enhance security, two trusted applications running in the TEE also do not have access to each other’s data as they are separated through software and cryptographic functions.
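The cryptographic separation between trusted applications described above can be sketched as follows. This is an added example, not code from the original page or from any TEE vendor: the key hierarchy, the names `derive_ta_key`, `seal` and `unseal`, and the constructed hardware key and TA UUIDs are assumptions, and an HMAC-based keystream stands in for a real AEAD cipher so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
import uuid

# Constructed stand-in for a device-unique hardware key that never leaves the TEE.
HARDWARE_UNIQUE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def derive_ta_key(ta_uuid: uuid.UUID, purpose: bytes) -> bytes:
    """Derive a key bound to one trusted application's identity (assumed scheme)."""
    return hmac.new(HARDWARE_UNIQUE_KEY, purpose + ta_uuid.bytes, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD such as AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(ta_uuid: uuid.UUID, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys that only this TA's identity can derive."""
    enc_key = derive_ta_key(ta_uuid, b"enc")
    mac_key = derive_ta_key(ta_uuid, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(ta_uuid: uuid.UUID, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject blobs from another TA or altered blobs."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = derive_ta_key(ta_uuid, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("authentication failed: wrong TA or tampered blob")
    enc_key = derive_ta_key(ta_uuid, b"enc")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Constructed TA identities for the demonstration.
PAYMENT_TA = uuid.UUID("11111111-2222-3333-4444-555555555555")
BIOMETRIC_TA = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
```

Because every key is derived from the TA's identity, a blob sealed by one TA fails authentication when another TA tries to open it, even though both share the same hardware root key.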

Benefits of Trusted Execution Environment

TEE offers several benefits that include:

  • Data Integrity & Confidentiality: Your organization can use TEE to ensure data accuracy, consistency, and privacy as no third party will have access to the data when it’s unencrypted.
  • Code Integrity: TEE helps implement code integrity policies as your code is authenticated every time before it’s loaded into memory.
  • Secure Collaboration: When used in conjunction with other PETs such as federated learning (FL), multiparty computation (MPC) or fully homomorphic encryption (FHE), TEE allows organizations to securely collaborate without having to trust each other by providing a secure environment where code can be tested without being directly exported. This allows you to gain more value from your sensitive data.
  • Simplified Compliance: TEE provides an easy way to achieve compliance as sensitive data is not exposed, hardware requirements that may be present are met, and the technology is pre-installed on devices such as smartphones and PCs.

TEE Limitations

TEE has several major limitations compared to software-focused privacy technologies, particularly around the financial burden of acquiring and deploying the technology, retrofitting existing solutions to use TEEs, and the challenges of vendor lock-in. In short, TEEs are inherently a hardware solution, which means they need to be purchased, physically delivered, installed and maintained. In addition, special software is needed to run on them. This is a much higher “conversion” burden than software-only privacy technologies. Also, once the TEEs are installed, they need to be maintained. There is little commonality between the various TEE vendors’ solutions, and this implies vendor lock-in. If a major vendor were to stop supporting a specific architecture or, worse, if a hardware design flaw were to be found in a specific vendor’s solution, then a completely new and expensive solution stack would need to be designed, installed and integrated at great cost to the users of the technologies.

In addition to the lifecycle costs, TEE technology is not foolproof as it has its own attack vectors both in the TEE Operating System and in the Trusted Apps (they still involve many lines of code). This has been proven through several lab tests, with Quarkslab successfully exploiting a vulnerability in Kinibi, a TrustZone-based TEE used on some Samsung devices, to obtain code execution in monitor mode.