Röckl J, Funk J, Schulze SM, Müller T (2026)
Publication Type: Conference contribution
Publication year: 2026
Pages Range: 122-137
Conference Proceedings Title: 2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
DOI: 10.1109/RAID67961.2025.00035
The ARM TrustZone Trusted Execution Environment (TEE) allows software to run in an isolated environment, separated from the untrusted OS. The isolation is based on the Secure Monitor (SM), software running at the most privileged hardware level, with unrestricted access to all system resources, including those of the TEE. Critically, recent research revealed widespread vulnerabilities in SMs that break the TEE isolation and, thus, undermine the very purpose of the TEE. To this end, we present SH3ARS, a fundamental restructuration of the SM firmware that reduces the privileges of the SM and restores ARM TrustZone isolation. SH3ARS modifies the SM to irrevocably relinquish access to memory outside its own address space through a page table latching mechanism. Furthermore, we introduce guards, carefully crafted, gadget-free code sequences, that supervise the context switch to and from the TEE, preventing code-reuse attacks against the TEE - a technique we refer to as SMC-oriented programming. Relying on software changes, SH3ARS ensures TEE isolation guarantees, even if the SM is compromised. We apply SH3ARS to the reference implementation of the SM on ARMv8.0-A, as deployed on millions of devices. We implement a proof of concept on real hardware, and our evaluation shows that the overhead is lower than 6% for most workloads.
APA:
Röckl, J., Funk, J., Schulze, S.M., & Müller, T. (2025). SH3ARS: Privilege Reduction for ARMv8.0-A Secure Monitors. In 2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID) (pp. 122-137). Gold Coast, AU.
MLA:
Röckl, Jonas, et al. "SH3ARS: Privilege Reduction for ARMv8.0-A Secure Monitors." Proceedings of the 2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Gold Coast 2025. 122-137.