Overview of the ARM TrustZone TEE and its threat model
ARM TrustZone Architecture : ARM TrustZone, implemented in architectures such as ARMv7-A and ARMv8-A, establishes two distinct security domains within the system on chip (SoC), the secure world and the normal world, separated by hardware partitioning (Janjua et al., 2018). Each core, memory region, and peripheral in the system is marked as secure or non-secure. The secure world runs the Trusted Execution Environment (TEE), including its operating system and trusted applications (TAs), while the normal world runs a rich OS (such as Android or Linux) and regular applications. A fundamental aspect of TrustZone's design is that software running in the normal world is prohibited from accessing secure-world resources, whereas secure-world code is allowed to access memory and devices in the normal world (Ma et al., 2023). A privileged mode called the Secure Monitor (EL3 in ARMv8-A) mediates switches between the worlds (Janjua et al., 2018). These transitions are initiated via Secure Monitor Calls (SMC), which cause the processor to trap into the monitor; the monitor then saves the current execution context and updates the CPU state to reflect the new world (Ma et al., 2023). Fig 1 in this paper illustrates this architecture and the associated privilege levels in a typical TrustZone-assisted system (Cerdeira et al., 2022). In this case, the normal world contains the user-level applications and the rich OS kernel, while the secure world includes the secure monitor, the TEE's trusted OS, and user-space TAs. The initial expectation of this structure is that even if the whole normal world is fully compromised, the secure world remains capable of preserving the confidentiality and integrity of critical assets thanks to hardware partitioning (Cerdeira et al., 2022).
Threat Model and Trust Assumptions : The TrustZone threat model assumes that the normal world can be compromised, while the secure world's TEE OS and applications are expected to remain secure. The secure monitor (EL3) and the secure-world kernel (S-EL1) run with higher privilege than the rich OS. If the design holds, an attacker who has compromised the normal-world OS cannot elevate privileges into the secure world, nor return to the normal world with higher privileges (Ma et al., 2023; Cerdeira et al., 2022). The model also assumes that secure-world code is small and thoroughly vetted, and therefore more reliable than the code of a rich OS. However, this assumption has proven overly optimistic. In practice, modern TEEs have evolved to include full-featured secure OSs, often comprising tens of thousands of lines of code or more, as well as a growing number of TAs from multiple vendors supporting DRM, keystore operations, and biometric authentication. The Trusted Computing Base (TCB) in the secure world has therefore expanded substantially, introducing greater complexity and a broader attack surface (Weippl, 2016). More importantly, certain resources are shared across the two worlds, so the privileges governing them must be managed carefully to avoid confused-deputy scenarios: a TA acting on a normal-world request does so with secure-world privileges, and any pointer or length it accepts from the normal world must be validated before use. A typical TrustZone TEE also relies on the normal world for some services (such as TA loading and certain drivers), which requires trusting normal-world components to behave correctly in those interactions (Cerdeira et al., 2020). These interactions have become a source of vulnerabilities when not properly handled.
TrustZone in Practice: Expectations and Security Gaps :
ARMv8-M introduced TrustZone to microcontrollers, making it possible to build Trusted Execution Environments (TEEs) even on devices with limited resources. This wider availability opened the door to more advanced use cases such as DRM, secure user interfaces, biometric authentication, and cryptocurrency wallets. These scenarios often depend on running multiple Trusted Applications and on frequent interactions between the secure and normal worlds. The assumption was that a combination of hardware partitioning and established TEE design principles would ensure strong security, but in practice this assumption has not always held. Numerous research studies have uncovered a wide range of vulnerabilities across commercial TEE implementations such as Qualcomm's QSEE, Trustonic's Kinibi, Huawei's TEE, Samsung's TEEGRIS, Linaro's OP-TEE, and Google's Trusty. These issues often stem from design weaknesses and coding flaws that break the core privilege management of the system (Cerdeira et al., 2022). Attackers have exploited vulnerabilities such as buffer overflows, unchecked pointers, race conditions, and hardware configuration errors to gain access to the secure world (Stajnrod et al., 2021). One example is CVE-2018-18068, in which an ARM SoC did not fully apply TrustZone access control, allowing a normal-world program to read and write secure-world memory (Stajnrod et al., 2021). Likewise, logic flaws in TEE system calls have allowed certain TAs to unintentionally read or write memory in the normal world (Cerdeira et al., 2020). These vulnerabilities suggest that privilege management is the crucial issue in current TEEs.
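The confused-deputy risk on shared resources (Threat Model section) and the unchecked-pointer class of TA bugs (this section) can be shown with a small simulation. The code below is an added illustration, not code from any of the cited papers or from a real TEE. It models a SoC with one non-secure shared-memory window and one secure RAM region, both backed by 64-byte arrays; the address map, region sizes, request layout, and the handler names handle_get_info_vulnerable and handle_get_info_hardened are all assumptions made for the example. A TA command copies a reply into a client-supplied buffer. The vulnerable handler checks the length but trusts the pointer, so because it executes with secure-world privileges it will write into secure RAM on behalf of the normal world. The hardened handler first checks, without integer wraparound, that the whole destination range lies inside the non-secure window.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed address map for a simulated TrustZone-partitioned SoC. The bases,
 * the sizes and the 64-byte backing arrays are assumptions for this example
 * only, not the layout of any real device. */
#define NS_SHM_BASE 0x40000000ULL  /* non-secure shared memory for world-shared buffers */
#define NS_SHM_SIZE 64ULL
#define S_RAM_BASE  0x7e000000ULL  /* secure-world RAM: TEE OS, TAs, key material */
#define S_RAM_SIZE  64ULL

static uint8_t ns_shm[NS_SHM_SIZE];
static uint8_t s_ram[S_RAM_SIZE];

/* Map a simulated physical range onto the backing arrays. Secure-world code can
 * address both regions, which is exactly what makes the TA a useful deputy.
 * Returns NULL when the range is not fully inside one region. */
static uint8_t *phys(uint64_t addr, uint64_t len) {
    if (addr >= NS_SHM_BASE && len <= NS_SHM_SIZE && addr - NS_SHM_BASE <= NS_SHM_SIZE - len)
        return ns_shm + (addr - NS_SHM_BASE);
    if (addr >= S_RAM_BASE && len <= S_RAM_SIZE && addr - S_RAM_BASE <= S_RAM_SIZE - len)
        return s_ram + (addr - S_RAM_BASE);
    return NULL;
}

/* Request block handed to the TA through shared memory. Once the rich OS is
 * compromised, every field is attacker-controlled. */
typedef struct {
    uint64_t out_addr;  /* where the client wants the reply written */
    uint64_t out_len;   /* client-declared size of that buffer */
} ta_request_t;

enum { TA_OK = 0, TA_ERR_BAD_ADDR = -1, TA_ERR_BAD_LEN = -2 };

static const uint8_t reply[8] = "TA-INFO";  /* constructed 8-byte payload */

/* Overflow-safe check that [addr, addr+len) lies entirely inside the
 * non-secure shared-memory window: the check a TA must apply to every
 * pointer it receives from the normal world. */
static bool ns_range_ok(uint64_t addr, uint64_t len) {
    if (len == 0 || addr < NS_SHM_BASE) return false;
    uint64_t off = addr - NS_SHM_BASE;
    if (off >= NS_SHM_SIZE) return false;
    return len <= NS_SHM_SIZE - off;  /* avoids computing addr + len, which can wrap */
}

/* Vulnerable handler: validates the length but trusts the pointer, so a request
 * pointing into secure RAM makes the TA overwrite secure data for the client. */
static int handle_get_info_vulnerable(const ta_request_t *req) {
    if (req->out_len < sizeof reply) return TA_ERR_BAD_LEN;
    uint8_t *dst = phys(req->out_addr, sizeof reply);
    if (!dst) return TA_ERR_BAD_ADDR;  /* unmapped address; real hardware would fault */
    memcpy(dst, reply, sizeof reply);
    return TA_OK;
}

/* Hardened handler: rejects any destination outside non-secure shared memory
 * before touching it, closing the confused-deputy path. */
static int handle_get_info_hardened(const ta_request_t *req) {
    if (req->out_len < sizeof reply) return TA_ERR_BAD_LEN;
    if (!ns_range_ok(req->out_addr, req->out_len)) return TA_ERR_BAD_ADDR;
    uint8_t *dst = phys(req->out_addr, sizeof reply);
    if (!dst) return TA_ERR_BAD_ADDR;
    memcpy(dst, reply, sizeof reply);
    return TA_OK;
}

/* Fill secure RAM with a known pattern and clear shared memory. */
static void seed_memory(void) {
    memset(s_ram, 0xAA, sizeof s_ram);
    memset(ns_shm, 0, sizeof ns_shm);
}

/* True while no byte of secure RAM has been altered since seed_memory(). */
static bool secure_ram_intact(void) {
    for (size_t i = 0; i < sizeof s_ram; i++)
        if (s_ram[i] != 0xAA) return false;
    return true;
}

int main(void) {
    /* Constructed malicious request: the "output buffer" is secure RAM. */
    ta_request_t evil = { .out_addr = S_RAM_BASE, .out_len = 8 };
    seed_memory();
    int rc = handle_get_info_vulnerable(&evil);
    printf("vulnerable: rc=%d secure RAM intact=%d\n", rc, secure_ram_intact());
    seed_memory();
    rc = handle_get_info_hardened(&evil);
    printf("hardened:   rc=%d secure RAM intact=%d\n", rc, secure_ram_intact());
    return 0;
}
```

The same range check also defeats a length chosen so that addr + len wraps past the end of the 64-bit address space, which a naive `addr + len <= END` test would accept; that case is part of the reasoning above, since the check never forms the sum.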
References
1) Janjua, H., Joosen, W., Michiels, S., & Hughes, D. (2018). Trusted Operations on Sensor Data. Sensors, 18(5), 1364. https://doi.org/10.3390/s18051364
2) Ma, Z., Tan, X., Ziarek, L., Zhang, N., Hu, H., & Zhao, Z. (2023). Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense. 2023 60th ACM/IEEE Design Automation Conference (DAC), 1–6. https://doi.org/10.1109/dac56929.2023.10247972
3) Cerdeira, D., Martins, J., Santos, N., & Pinto, S. (2022). REZONE: Disarming TrustZone with TEE Privilege Reduction. https://www.usenix.org/system/files/sec22fall_cerdeira.pdf
4) Weippl, E. (2016). Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. https://www.usenix.org/conference/usenixsecurity24/presentation/busch-globalconfusion
5) Cerdeira, D., Santos, N., Fonseca, P., & Pinto, S. (2020). SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems. https://syssec.dpss.inesc-id.pt/papers/cerdeira-sp20.pdf
6) Stajnrod, R., Ben Yehuda, R., & Zaidenberg, N. J. (2021). Attacking TrustZone on devices lacking memory protection. Journal of Computer Virology and Hacking Techniques, 18(3), 259–269. https://doi.org/10.1007/s11416-021-00413-y