Trusted Monitor: TEE-Based System Monitoring

As trusted computing becomes increasingly important, Trusted Execution Environments (TEEs) see more widespread use. A particular high demand for security arises in the context of embedded systems in critical infrastructures. We present a novel intrusion detection system called the Trusted Monitor (TM) that protects its integrity even in the presence of a system-level attacker by running inside the ARM TrustZone TEE. The TM constantly monitors the system using hardware performance counters and detects intrusions based on the classification by an application-specific machine learning model. Our evaluation shows that the TM correctly classifies 86% of 183 evaluated workloads, while the performance overhead stays below 2%. In particular, we show that a real-world kernel-level rootkit observably influences the hardware performance counters and, thus, can be detected.