Plug’n’Trust: Fine-Grained USB Device Isolation for ARM TrustZone

Funk J, Kothmeier Y, Röckl J, Lindenmeier C, Müller T (2026)

Publication Type: Conference contribution

Publication year: 2026

Book Volume: 2

Pages Range: 25-36

Conference Proceedings Title: Proceedings of the 12th International Conference on Information Systems Security and Privacy

Event location: Marbella ES

DOI: 10.5220/0014249900004061

Abstract

On millions of devices, the ARM TrustZone Trusted Execution Environment (TEE) protects the device’s most valuable secrets like cryptographic keys, even when the operating system is compromised. However, the default TrustZone model provides only coarse-grained control over USB peripherals, i.e., the TEE can either take control over the entire bus, along with all connected devices, or relinquish it entirely. This poses a significant challenge for enabling secure I/O from individual USB devices. For example, it is not possible to use a keyboard as a secure peripheral in the TEE while connecting a USB flash drive to the operating system outside the TEE. To address this limitation, we introduce TusbEE. TusbEE deploys a minimal trusted USB driver within the TEE for direct interaction with the standard xHCI USB host controller. The driver enables fine-grained control over the bus, securely partitioning traffic to isolate TEE-assigned USB devices from the remaining non-secure peripherals. Ou r proof-of-concept implementation on real hardware demonstrates that TusbEE achieves practical USB device isolation with a performance overhead of at most 22.7% for USB 3.0 devices. Despite this overhead, TusbEE is well-suited for security-critical use cases like secure keyboard input or biometrics, which do not rely on high throughput.

Authors with CRIS profile

Julian Funk Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen) Jonas Röckl Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen) Christian Lindenmeier Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen) Tilo Müller Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)

How to cite

APA:

Funk, J., Kothmeier, Y., Röckl, J., Lindenmeier, C., & Müller, T. (2026). Plug’n’Trust: Fine-Grained USB Device Isolation for ARM TrustZone. In Proceedings of the 12th International Conference on Information Systems Security and Privacy (pp. 25-36). Marbella, ES.

MLA:

Funk, Julian, et al. "Plug’n’Trust: Fine-Grained USB Device Isolation for ARM TrustZone." Proceedings of the Proceedings of the 12th International Conference on Information Systems Security and Privacy, Marbella 2026. 25-36.

BibTeX: Download