This repository contains a prototype of the TEE-PA which is presented at IEEE Access.
For all technical details, please refer to our paper.
We have tested and confirmed that works on the following platforms.
- Raspberry Pi3 Model B (Arm Cortex-A53, 4 cores, 1.2 GHz,1GB memory, 16GB SD card) or QEMU v8-arm
- Linux kernel 5.4
- Linux Audit enabled in kernel options
The following commands must be installed.
- soc_term
- Docker
- Docker Compose
Run docker-compose build --no-cache command to build the required software.
Run docker-compose up -d command to start the container.
Then run the docker-compose exec spade /app/init-spade.sh command to perform the initial SPADE configuration.
The terminal that makes the connection to QEMU is running as part of Docker Compose and must be attached from the host to the terminal container.
Therefore, run the docker attach ree-terminal command to connect to the terminal.
Once the connection is made to the terminal, you can log in to the Linux shell running on QEMU.
Please refer to the OP-TEE documentation for information on performing a TA.
The following is an example of the settings required to operate TA-Collect and a simple operation check. First, configure rules for Linux Audit. This configuration must be done using the auditctl command. Also, since this software needs to exclude tee-supplicant system calls, configure Linux Audit rules to exclude tee-supplicant PID.
- Run the
TEE_SUPP_PID=$(pidof tee-supplicant)command to obtain the PID of the tee-supplicant - Run the
auditctl -a exit,always -F arch=aarch64 -S read -S readv -S write -S writev -S kill -S exit -S exit_group -S connect -S sendto -S recvfrom -S sendmsg -S recvmsg -S mmap -S linkat -S symlinkat -S execve -S close -S openat -S dup -S bind -S accept -S accept4 -S renameat -S memfd_create -F pid!=$TEE_SUPP_PIDcommand to configure the audit rules
Logs sent from Linux are stored in SPADE via Log Receiver. SPADE can examine the sent logs by issuing a qeury.
- Running
docker-compose exec spade bashto get inside the SPADE container - Run the
./bin/spade querycommand to start spade's query client - Run the
set storage Neo4jcommand to configure storage settings - Run the following command to retrieve all processes from the logs
%only_processes = "type" == 'Process'
dump $base.getVertex(%only_processes)The following is an overview of how to perform Provenance Auditing using SPADE.
- Issue a query to collect processes named wget
%wget = "name" == 'wget'
$wget_processes = $base.getVertex(%wget)- Issue a query that examines the processes and files that are causally related to the process named wget
$dag = $base.getLineage($wget_processes, 10, 'both')- Save the results of the query execution as a dot file
export > /tmp/dag.dot
visualize force $dagdocker cp spade:/tmp/dag.dot /tmp/dag.dot command can be used to copy files from the container to the host.
Run the dot -Ksfdp -o <outputname> -Tsvg /tmp/dag.dot command can convert dot to svg file.
Hardware based functions are not supported.
- Kernel integrity check
- PTA-WDT: performing a system reset using the watchdog timer
Each component is subject to its own license.
- Linux version 4.14: GPLv2
- SPADE version 8d51f11a7a5aa7db4fa5ddabcf13e672881f2ab6: GPLv3
- OP-TEE version 3.11.0: GPLv2
- TA (Trusted Application): MIT
- Log Receiver: MIT
@ARTICLE{10436677,
author={Takemura, Taichi and Yamamoto, Ryo and Suzaki, Kuniyasu},
journal={IEEE Access},
title={TEE-PA: TEE Is a Cornerstone for Remote Provenance Auditing on Edge Devices With Semi-TCB},
year={2024},
volume={12},
number={},
pages={26536-26549},
doi={10.1109/ACCESS.2024.3366344}
}