Trusted Virtual Execution Environment

Unified TEE access and security protection for enterprise application security

TVEE: Trusted Virtual Execution Environment

The growth of mobile platform business has given rise to a variety of security problems. Widespread risks today include applications being hacked and their data being compromised, which poses a serious threat to financial data security, privacy protection and business data integrity. TEE is now a standard component of the Google Android system, and chip- and device-based security such as TEE and eSE can provide strong security guarantees for applications. However, integrating the security features of different devices is a concern, because some device security capabilities are not open to third-party developers. These concerns can be addressed by building a customized solution for each type of device before using TEE, but this usually takes a long time and incurs extremely high costs. TrustKernel's Trusted Virtual Execution Environment (TVEE) specializes in solving these problems for application developers by providing unified TEE access and secure protection for applications.

About TVEE

The Trusted Virtual Execution Environment (TVEE) is a platform-level secure execution environment that lets application vendors ensure the data security of their applications by using TEE. Based on the unified security API and SDK of TVEE, a trusted application developed by an application developer can operate safely on all smart devices (including mobile phones, tablets, etc.) and platforms (including Android, iOS, etc.). TVEE makes full use of the secure mechanisms available in the device (software and hardware mechanisms such as ARM TrustZone, virtualization, Intel SGX, etc.) and combines them with compiler security, code protection and white-box encryption methods to ensure the security of the application. At the lowest security level, TVEE uses TEE and advanced code protection technology. Combined with TrustKernel's flexible and open trust backend, a trusted application can be developed once and run across smart devices.

At present, TVEE has been integrated into more than 100 types of hardware-TEE-compatible devices. As TEE coverage continues to grow, devices compatible with TEE integration will become more common, and the hardware security capability and efficiency of TVEE can be expected to increase accordingly. Even on devices without an integrated TEE, the compiler security, code protection, white-box and other security schemes adopted by TVEE are significantly better than the other application security reinforcement measures currently available in the industry.

Key Features

Unified development environment and interface

TVEE adopts a development environment and interface fully consistent with TEE, and provides developers with an SDK based on the GlobalPlatform TEE API. At the implementation level, TVEE generates a single unified binary at compile time, which automatically selects the most secure and reliable execution environment available at runtime. At the API level, TVEE completely hides the differences between TEE vendors and between the underlying security schemes.

Convenient and flexible dynamic security management service

In addition to security protection, TVEE provides flexible and convenient security service management and update services, offering safe and controllable management channels for security applications. Technically, TVEE has a built-in reliable application management service that combines the security architecture with trusted application management, using techniques proven in practice by large banks. This is also the core technology that TEE uses to implement trusted service management.

Secure execution

TVEE allows application vendors to protect sensitive security code (such as validation logic and encryption algorithms) from spying and tampering, guaranteeing the security of that code at runtime. Within TVEE, the security code of different application vendors is isolated from each other.

Secure storage and key protection

TVEE supports multiple secure storage methods, including hardware-backed secure RPMB (Replay Protected Memory Block) and SFS (Secure File System), to ensure the safe storage of sensitive data. TVEE has a built-in, comprehensive set of encryption and decryption algorithms, and guarantees the security of key generation, key operations and key storage through TEE and white-box encryption technology.

User-driven attestation

TVEE can verify whether the content of an ordinary application is correctly displayed on the device screen, and whether the user has actually operated on the specified display element, to ensure "User Initiation", "User Understanding" and "User Authentication". For example, in the case of advertising services, it proves to the advertiser whether the content was displayed correctly to the user and whether the user actually clicked on the advertisement.

Trusted UI

Data that users enter every day, including passwords, credit card numbers and SMS messages, may be stolen through defects in the OS itself or vulnerabilities in the input method. At the same time, the UI content seen by the user can easily be captured by screenshot or maliciously forged. The trusted UI (TUI) builds a secure channel from the user to the device and from the device to the application, ensuring the security of both the user's input and the content displayed on the screen.

Case Studies