Security Hardening

Permission Check

Check the permissions on teecd, tlogcat, libteec.so, and libboundscheck.so.

The owner of each file is root.

ll /usr/bin/teecd
-rwxr-xr-x 1 root root 67K Mar 8 17:04 /usr/bin/teecd

ll /usr/bin/tlogcat
-rwxr-xr-x 1 root root 66K Mar 8 17:04 /usr/bin/tlogcat

ll /usr/lib64/libteec.so
-rwxr-xr-x 1 root root 66K Mar 8 17:04 /usr/lib64/libteec.so

ll /usr/lib64/libboundscheck.so
-rwxr-xr-x 1 root root 130K Mar 8 17:04 /usr/lib64/libboundscheck.so

Log Control

  • Check whether the tlogcat function is normal and whether TEE security logs can be viewed.
  • Check whether the system can limit the size of a single log file.
  • Check whether there is a mechanism for clearing logs after the log space is used up.
  • Check whether the permission on the log files that are being written is 640.

User Control

The REE patch (teecd and tzdriver.ko) in the TrustZone kit must be executed by the root user. The teecd user-mode daemon must be loaded from the absolute path /usr/bin/teecd.

The CA and TA must be run and loaded as the root user. Otherwise, they fail to load or cannot communicate with each other through the REE patch.

Buffer Overflow Prevention

To prevent buffer overflow attacks, you are advised to use address space layout randomization (ASLR) to randomize the layout of linear areas such as the heap, stack, and shared library mappings. This makes it more difficult for attackers to predict destination addresses and prevents them from directly locating code. ASLR can be applied to heap, stack, and memory mapping areas (mmap base addresses, shared libraries, and vDSO pages).

How to enable ASLR:

echo 2 >/proc/sys/kernel/randomize_va_space
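
The permission check and the ASLR setting above, combined into one repeatable audit script. This is an added example, not part of the TrustZone kit. Mode 755 is read off the -rwxr-xr-x listings, and TEE_LOG_FILE is a hypothetical variable for the log file path, which this page does not give.

```sh
#!/bin/sh
# Added example: audits the checks described on this page. Assumes GNU stat.

# check_file PATH MODE [OWNER]: 0 if the octal mode (and owner, if given) match.
check_file() {
    file_path=$1 want_mode=$2 want_owner=${3:-}
    # -L follows symlinks so the real file is checked, not the link.
    got=$(stat -L -c '%a %U' "$file_path" 2>/dev/null) || { echo "MISSING $file_path"; return 2; }
    got_mode=${got%% *}; got_owner=${got#* }
    if [ "$got_mode" != "$want_mode" ]; then
        echo "FAIL    $file_path: mode $got_mode, want $want_mode"; return 1
    fi
    if [ -n "$want_owner" ] && [ "$got_owner" != "$want_owner" ]; then
        echo "FAIL    $file_path: owner $got_owner, want $want_owner"; return 1
    fi
    echo "OK      $file_path ($got_mode $got_owner)"
}

# check_aslr [FILE]: 0 if the value is 2, the setting this page enables.
check_aslr() {
    f=${1:-/proc/sys/kernel/randomize_va_space}
    val=$(cat "$f" 2>/dev/null) || { echo "MISSING $f"; return 2; }
    if [ "$val" != "2" ]; then
        echo "FAIL    randomize_va_space=$val, want 2"; return 1
    fi
    echo "OK      randomize_va_space=$val"
}

# tee_audit: runs every check, returns 0 only if all of them pass.
tee_audit() {
    rc=0
    for p in /usr/bin/teecd /usr/bin/tlogcat \
             /usr/lib64/libteec.so /usr/lib64/libboundscheck.so; do
        check_file "$p" 755 root || rc=1   # 755 = -rwxr-xr-x in the listings
    done
    check_aslr || rc=1
    # TEE_LOG_FILE is a hypothetical variable: the page gives no log path.
    if [ -n "${TEE_LOG_FILE:-}" ]; then
        check_file "$TEE_LOG_FILE" 640 || rc=1
    fi
    return $rc
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then tee_audit; exit $?; fi
```

Run the script with the --audit argument; a non-zero exit status means at least one check failed. A value written to /proc/sys/kernel/randomize_va_space lasts only until the next reboot, so set kernel.randomize_va_space = 2 in /etc/sysctl.conf to keep it.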