Secure Systems Gain Speed: New Tech Cuts Delays by 3 Per Cent

Scientists are tackling the challenge of maintaining safety and functionality in complex systems where rich operating systems, while offering extensive features, introduce potential vulnerabilities. Richard Habeeb, Man-Ki Yoon, Hao Chen, and Zhong Shao, all professors of electrical engineering from Yale University and North Carolina State University, present a new framework called Ringmaster that allows Trusted Execution Environments (TEEs) to safely access operating system services asynchronously via Linux’s io_uring. This research is significant because it avoids the performance limitations of complete isolation, a common security measure, by enabling continued operation on a minimal kernel with critical device drivers should the main OS deny service. Ringmaster supports large, unmodified programs with low overhead, demonstrated through experiments achieving nearly 1GiB/sec data transfer on a Raspberry Pi4b with minimal throughput reduction, paving the way for more robust and responsive safety-critical applications such as unmanned aerial vehicles.

This innovation addresses a critical vulnerability in safety-critical systems where compromised operating systems could disrupt time-sensitive programs and cause real-world harm.

Ringmaster balances the need for secure, time-sensitive processing with the convenience of utilising comprehensive OS services, a feat previously difficult to achieve. The research demonstrates a solution where enclaves continue to operate on a minimal ARM TrustZone kernel, accessing critical device drivers even when the untrusted OS denies service.
This framework achieves high-throughput communication between enclaves and the host OS, facilitating the execution of large, unmodified programs within the secure environment. Experiments utilising an unmanned aerial vehicle demonstrate Ringmaster’s capability to transfer nearly 1GiB/sec of data into the enclave on a Raspberry Pi4b.

This performance is achieved with only 0-3% throughput overhead compared to non-enclave tasks, indicating minimal performance impact. The system’s design unlocks practical access to host OS services from TrustZone enclaves, decoupling enclave timing from the system call protocol itself. Ringmaster leverages asynchronous system calls, preventing enclaves from being indefinitely blocked by a malicious or unresponsive operating system.

When the OS fails to respond, time-sensitive input/output operations are seamlessly routed through a dedicated Ringmaster-owned device, ensuring continued operation. This approach allows for encrypted network communication, secure data storage, and essential inter-process communication from within the enclave, all without requiring extensive manual engineering or custom security expertise. The study introduces Ringmaster, a framework designed to allow TEEs to utilise rich, potentially untrusted, OS services through Linux’s io_uring mechanism.

This approach circumvents the complete isolation typically imposed on time-sensitive programs, allowing them to benefit from OS functionalities while maintaining safety. Ringmaster’s core innovation lies in its utilisation of io_uring’s submission queue (SQ) and completion queue (CQ) to facilitate communication between the enclave and the Linux kernel.

The system maps the SQ and CQ ring memory into the enclave’s address space, enabling the enclave to request I/O system calls without direct kernel management. This is achieved through a non-blocking, lock-free design, ensuring enclave execution continues even if the Linux OS denies service. The experimental setup involves a proxy process running as a Linux process, which creates io_uring queues and adds a specific entry to the SQ, triggering a registration process within the Ringmaster Linux kernel module.

Upon receiving this entry, the kernel module registers the queues’ physical memory address with the Ringmaster OS, and optionally spawns a new enclave. Ringmaster OS then maps the SQ and CQ rings into the enclave’s address space, granting access to I/O system calls. Performance was evaluated using an unmanned aerial vehicle, demonstrating Ringmaster’s ability to achieve nearly 1GiB/sec of data transfer on a Raspberry Pi4b.

This configuration resulted in 0-3% throughput overhead compared to non-enclaved tasks, highlighting the framework’s low-overhead design and suitability for large, unmodified programs. The work demonstrates a functional, highly-reliable system built with minimal engineering effort, balancing time-sensitive processing with the convenience of rich OS services.

High-performance secure enclave operation on embedded ARM platforms requires careful design and implementation

Ringmaster achieves nearly 1GiB/sec of data transfer into memory on a Raspberry Pi4b, demonstrating high throughput for time-sensitive applications. Experiments reveal 0-3% throughput overhead compared to non-Ringmaster tasks, indicating minimal performance impact when utilising the framework. The system successfully supports large, unmodified programs, offering a lower overhead alternative to existing solutions for secure enclave operation.

This work delivers a prototype implementation on the Raspberry Pi4B, alongside a demonstration on a drone platform and evaluations using unmodified GNU Core Utilities. The asynchronous programming model enables time-sensitive enclaves to securely request services from a potentially untrusted operating system, incorporating an optimised shared memory manager.

Design choices support minimally modified POSIX applications with non-starvation guarantees, achieving comparable or better latency for system calls than previous approaches for unmodified enclaves. The hardware model targets platforms with privilege levels above kernel mode, requiring memory sharing and isolation, configurable OS access to memory-mapped I/O, a dedicated timer, and independent power management.

The research defines an adversary model through two security games addressing real-time guarantees and enclave integrity. In the timeliness game, an enclave can write a valid message to a serial device within a time bound of T/2, even with potential interference from the adversary. The integrity and confidentiality game assesses the platform’s ability to protect communication between an enclave and an external party from malicious modification or observation by the adversary. This addresses a critical challenge in safety-critical systems, which require timely processing of sensor inputs alongside the benefits of a full operating system, without compromising security.

The system enables continued operation within the TEE, utilising minimal kernel drivers, should the untrusted operating system deny service. Experiments utilising an unmanned aerial vehicle demonstrated Ringmaster’s capability to handle nearly 1GiB/sec of data on a Raspberry Pi4b, with minimal performance overhead of between 0 and 3 percent compared to non-isolated tasks.

This balance between rich operating system functionality and secure, time-sensitive processing represents a significant advancement for robotics and other critical applications. The authors acknowledge limitations in scaling device access protection, as highlighted by existing work such as MyTEE and RT-TEE.

Future research could explore extending enclave isolation to GPUs, potentially through integration with technologies like StrongBox and Graviton, to facilitate secure private AI/ML tasks. Ringmaster successfully balances the conflicting demands of rich input/output and strong timing assurances in modern cyber-physical systems.

By providing critical software with access to operating system features while protecting it from timing attacks, the framework offers enhanced security for robotics and similar applications. The asynchronous approach to rich I/O, combined with strong isolation, allows for timing guarantees previously unattainable, thereby improving overall system security and reliability.