SCRUTINIZER: Towards secure forensics on compromised TrustZone

Author

Yiming ZHANG
Fengwei ZHANG
Xiapu LUO
Rui HOU
Xuhua DING
Zhenkai LIANG
Shoumeng YAN
Tao WE
Zhengyu HE

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

2-2025

Abstract

The number of vulnerabilities exploited in Arm TrustZone systems has been increasing recently. The absence of digital forensics tools prevents platform owners from incident response or periodic security scans. However, the area of secure forensics for compromised TrustZone remains unexplored and presents unresolved challenges. Traditional out-of-TrustZone forensics are inherently hindered by TrustZone protection, rendering them infeasible. In-TrustZone approaches are susceptible to attacks from privileged adversaries, undermining their security. To fill these gaps, we introduce SCRUTINIZER, the first secure forensics solution for compromised TrustZone systems. SCRUTINIZER utilizes the highest privilege domain of the recent Arm Confidential Computing Architecture (CCA), called the Root world, and extends it to build a protected SCRUTINIZER Monitor. Our design proposes a protective layer in the Monitor that decouples the memory acquisition functionality from the Monitor and integrates it into an in-TrustZone agent. This ensures that the agent is isolated from TrustZone systems and helps to minimize the codebase expansion of the Root world. Furthermore, by grafting most of the target’s page tables in the agent, SCRUTINIZER reduces redundant translation and mapping operations during memory acquisition, ultimately reducing performance overhead. SCRUTINIZER leverages multiple standard hardware features to enable secure forensic capabilities beyond pure memory acquisition, such as memory access traps and instruction tracing, while making them impervious to hardware configuration tampering by the privileged adversary. We prototype SCRUTINIZER and evaluate it using extensive experiments. The results show that SCRUTINIZER effectively inspects TrustZone systems while immune against privileged adversaries.

Discipline

Information Security

Areas of Excellence

Digital transformation

Publication

Proceedings of the 32nd Annual Network and Distributed System Security Symposium (NDSS 2025), San Diego, California, 2025 February 24-28

First Page

1

Last Page

16

Identifier

10.14722/ndss.2025.230147

City or Country

US

Citation

ZHANG, Yiming; ZHANG, Fengwei; LUO, Xiapu; HOU, Rui; DING, Xuhua; LIANG, Zhenkai; YAN, Shoumeng; WE, Tao; and HE, Zhengyu. SCRUTINIZER: Towards secure forensics on compromised TrustZone. (2025). Proceedings of the 32nd Annual Network and Distributed System Security Symposium (NDSS 2025), San Diego, California, 2025 February 24-28. 1-16.
Available at: https://ink.library.smu.edu.sg/sis_research/10968

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.14722/ndss.2025.230147