
GlobalPlatform made simple guide: Trusted Execution Environment (TEE) Guide

Introduction

Smart connected devices, such as smartphones, are intrinsic to daily life: they are used for business, social interactions, making purchases and enjoying media content. All of this data, however, is susceptible to attacks from hackers and the millions of downloadable applications represent an even larger opportunity for fraudsters.

Similarly, automotive and home devices are increasingly becoming connected and offering more functionality. On top of this, consumers are increasingly using their devices in new ways: organizing a trip from a smart TV, streaming music while driving or using a smartphone to pay for shopping. These expanded practices create new security vulnerabilities, which highlight the need for mechanisms that allow trusted parties to have access to applications without granting hackers the same opportunity.

Service providers and original equipment manufacturers (OEMs) now need to protect applications on many levels: from attacks originating in a device’s operating system, authenticating the correct user to the correct service, offering increased privacy, protecting valuable content, allowing secure access to corporate and personal data and mitigating financial risks. One solution to these security challenges is to provide a small, isolated execution environment that allows service providers and OEMs to improve the user experience while reducing fraud. The GlobalPlatform Trusted Execution Environment (TEE) effectively addresses these concerns.

What is a TEE?

The TEE is a secure area of the main processor in a smartphone (or any connected device). It ensures that sensitive data is stored, processed and protected in an isolated, trusted environment. The TEE's ability to offer isolated safe execution of authorized security software, known as 'trusted applications', enables it to provide end-to-end security by enforcing protected execution of authenticated code, confidentiality, authenticity, privacy, system integrity and data access rights. Compared with other security environments on the device, the TEE also offers high processing speeds and a large amount of accessible memory.

The TEE offers a level of protection against software attacks generated in the Rich OS environment. It assists in the control of access rights and houses sensitive applications, which need to be isolated from the Rich OS. For example, the TEE is the ideal environment for content providers offering a video for a limited period of time, as premium content (e.g. HD video) must be secured so that it cannot be shared for free.

Who created the TEE and why?

Multiple handset and chip manufacturers have already developed and deployed proprietary versions of this technology. The resulting lack of standardization has presented application developers with a significant challenge: each proprietary TEE solution requires a different version of the same application, so that the application conforms to that vendor's version of the technology. In addition, if the application provider wishes to deploy to multiple TEE solution environments and have assurance that each environment will provide a common level of security, then a security evaluation will need to be performed on each TEE solution. This leads to a resource-intensive development process.

There are two central reasons why the TEE exists:

  • An increasing number of mobile services, which require a greater level of security, are emerging.
  • With a growing number of users, there is a greater need for protection against software attacks. Applications with higher security requirements, and therefore heightened ramifications if compromised, require more protection than can be offered by Rich OS solutions alone.

Enterprise IT environments, delivery of premium multimedia content, mobile payments, the Internet of Things, government identification programs and more seek to balance a consumer’s desire for a rich experience with the security concerns shared by consumers and service providers. The TEE isolates trusted applications and keeps them away from any malware which might be downloaded inadvertently. Because of this, the TEE will become an essential environment within all devices as the secure services market evolves.

Since GlobalPlatform is handset- and Rich OS-agnostic, it is well placed to bring forward specifications for the TEE that can be embraced by all suppliers and reside comfortably alongside each of their Rich OS environments. Interoperability in both functionality and security will be enhanced by the standardization of the TEE. This will simplify application development and deployment for all concerned, saving costs and time to market.

What are the use cases for the TEE?

There are three main use cases for the TEE. It can be used to protect:

  1. Digital content such as films, television, music and other multimedia formats,
  2. mCommerce and mPayments credentials and transactions,
  3. Enterprise and government data.

The protection of premium content, such as a 4K resolution film or a TV series which has just been aired, is a key driver for the adoption of TEE technology. TEE technology can be used to ensure that content cannot be stolen once it is decrypted on a device. It does this by offering a trusted environment in which to perform the decryption and store the file, in addition to offering trusted video playback to protect the content while it is being displayed on screen. The technology is therefore of great value for smartphones and tablets, in addition to 4K televisions and set top boxes.

In mCommerce and mPayments, TEE technology is already being used to protect payment credentials such as cryptographic keys while a transaction is being authorized. Another benefit of the TEE is the ability to offer a trusted user interface (UI) which ensures that the correct information is displayed to the user and that the information displayed on screen and entered by the user is secure. These capabilities reduce the risk of passcode logging and allow transaction, logs and statement information to be securely displayed.

In an enterprise or government environment, the protection of corporate or otherwise sensitive data is essential. Bring your own device (BYOD) is becoming ever more prevalent as more employees use their own handsets and tablets to perform work-based tasks like email and document editing. The TEE enables the secure handling of confidential data, protection against software attacks from the Rich OS and assistance with access rights control and user authentication.

What are the benefits of using a TEE?

From a business and commercial perspective, the TEE meets the requirements of all of the key players. At a high level:

  • Mobile manufacturers’ security concerns are tied to several factors, not the least of which being the sheer number of stakeholders involved in device and application delivery. A framework (such as GlobalPlatform-certified TEE) that guarantees a minimum baseline for platform security would allow all stakeholders to make updates to devices and applications while minimizing threats to consumers.
  • For mobile network operators (MNOs), the TEE delivers a higher level of security than what the Rich OS offers and higher performance than what a secure element (SE) typically offers. In essence, the TEE ensures a high level of trust between the device, the network, the edge and the cloud, thereby improving the ability of an MNO to enhance services for root detection, SIM-lock, anti-tethering, mobile wallet, mobile as PoS, data protection, mobile device management, application security, content protection, device wipes, and anti-malware protection.
  • Content and service providers want the TEE to ensure that their product remains secure and can be deployed to numerous platforms in a common manner and is easily accessible to the end user.
  • Payment service providers do not want to have to develop different versions of the same application in order to satisfy the needs of different proprietary TEE environments. For example, if the ecosystem is not standardized, payment service providers will have to be certified and support different applications and processes. This is time consuming, costly and counterintuitive to the goal of creating a mass market for application deployment.

Focusing specifically on security, the TEE is a unique environment that is capable of increasing the security and assurance level of services and applications, in the following ways:

  • User Authentication: Using the trusted UI, the TEE makes it possible to securely collect a user’s password or PIN. This trusted user authentication can be used to verify a cardholder for payment, confirm a user’s identification to a corporate server, attest to a user’s rights with a content server, and more.
  • Trusted Processing and Isolation: Application processing can be isolated from software attacks by running in the TEE. Examples include processing a payment, decrypting premium content, reviewing corporate data, and more.
  • Transaction Validation: Using the trusted UI, the TEE ensures that the information displayed on-screen is accurate. This is useful for a variety of functions, including payment validation or protection of a corporate document.
  • Usage of Secure Resources: By using the TEE APIs, application developers can easily make use of the complex security functions made available by a device’s hardware, instead of using less safe software functions. This includes hardware cryptography accelerators, SEs, biometric equipment and the secure clock.
  • Certification: Trusted certification is best achieved through standardization of the TEE, which in turn improves stakeholder confidence that the security-dependent applications are running on a trusted platform.

How does the TEE fit into the security infrastructure of a smartphone?

It is useful to put the TEE in the context of the overall security infrastructure of a mobile device. There are three environments which make up the framework. Each has a different task:

  • Rich OS: An environment created for versatility and richness, in which device applications are executed; examples include Android, Symbian OS and Windows Phone. It is open to third party download after the device is manufactured. Security is a concern here but is secondary to other issues.
  • TEE: The TEE is a secure area of the main processor in a smartphone (or any connected device) and ensures that sensitive data is stored, processed and protected in an isolated, trusted environment. The TEE's ability to offer isolated safe execution of authorized security software, known as 'trusted applications', enables it to provide end-to-end security by enforcing protection, confidentiality, integrity and data access rights. The TEE offers a level of protection against software attacks generated in the Rich OS environment. It assists in the control of access rights and houses sensitive applications, which need to be isolated from the Rich OS. For example, the TEE is the ideal environment for content providers offering a video for a limited period of time that need to keep their premium content (e.g. HD video) secure so that it cannot be shared for free.
  • SE: The SE is a secure component which comprises autonomous, tamper-resistant hardware within which secure applications and their confidential cryptographic data (e.g. key management) are stored and executed. It allows high levels of security, but limited functionality, and can work in tandem with the TEE. The SE is used for hosting proximity payment applications or official electronic signatures where the highest level of security is required. The TEE can be used to filter access to applications stored directly on the SE, acting as a buffer against malware attacks.

The Rich OS is therefore a rich environment that is vulnerable to both software and physical attacks. The SE, on the other hand, is resilient to physical attacks but somewhat constrained in execution processing capabilities. The TEE, however, serves as an ideal balance between Rich OS performance and SE security, and a companion to both. The security offered by the TEE, in general, is sufficient for most applications. Moreover, the TEE provides greater processing speed and more accessible memory space than an SE (these are, in fact, quite similar to those of a Rich OS).

Why is standardization important?

TEE standardization is essential to avoid fragmentation. The proliferation of proprietary TEE solutions would lead to the following:

  • Higher costs to develop or change applications/solutions when creating or adapting to proprietary platforms
  • The need for very specialized skills
  • Extended time-to-market due to longer development times and potential integration issues.

Standardization, by contrast, enables simplified and unified implementation and improves interoperability between stakeholders. Furthermore, standardization allows a large ecosystem to thrive and blossom, allowing for multiple business partners and, because it ensures long-term stability and survivability, protects investment in a way that proprietary solutions cannot. It also defines a basis for evaluating and comparing different solutions. Lastly, standardization creates a foundation for a uniform certification process.

What has GlobalPlatform achieved?

GlobalPlatform’s 130+ members recognize the need for standards to be developed in parallel with the evolution of a new ecosystem. This mutual development will provide greater certainty and lower the cost of progress for the industry by removing barriers caused by a lack of interoperability.

Specifications: With 16 years of experience in the mobile space and the expertise of a global membership which represents the full ecosystem, GlobalPlatform’s work is leading the market. GlobalPlatform card specifications are now embedded in more than 10 billion SEs. Since the TEE Client API v1.0 was published in July 2010, GlobalPlatform has been responsible for driving TEE standardization on behalf of the industry. Since that time, the following specifications have been developed and delivered by GlobalPlatform:

  1. TEE Client API Specification v1.0 – enables communication between applications running in a Rich OS and trusted applications residing in the TEE.
  2. TEE Internal Core API Specification v1.1 – enables trusted applications within a TEE to perform the general operations of a security application, such as cryptography, secure storage, communication and general tasks, such as timekeeping and memory management.
  3. TEE Secure Element API Specification v1.0 – allows trusted applications to directly communicate with a SE, rather than through a client application.
  4. Trusted User Interface API Specification v1.0 – allows a trusted application to securely display text and graphics, and ask the user to perform an action ranging from navigation to entry of an associated PIN- or Password-backed ID.
  5. TEE Systems Architecture v1.0 – explains the hardware and software architectures behind the TEE.
  6. TEE Internal API Specification v1.0 – specifies how to develop trusted applications.
  7. TEE Protection Profile v1.2 – facilitates the Common Criteria evaluation of TEEs.
  8. TEE TA Debug Specification v1.0 – enables the debugging of GlobalPlatform compliant TEEs.

All specifications can be downloaded from the GlobalPlatform Device Specifications webpage.

The GlobalPlatform Compliance Program: To promote confidence within this advancing ecosystem, GlobalPlatform has launched a TEE compliance program. This offers assurances to application and software developers and hardware manufacturers that a TEE product will perform in line with the GlobalPlatform specifications and as intended. It also promotes market stability by providing a long-term, interoperable and industry-agreed framework that will evolve with technical requirements over time. Visit the GlobalPlatform Compliance Program webpages for further information.

Here, Stephanie El Rhomri, Chair of the GlobalPlatform TEE Compliance Working Group, discusses the work of the group, the importance of compliance, the process for stakeholders to validate their TEE products and the next steps for the program:

Security certification: To complete this infrastructure, in February 2015, GlobalPlatform’s TEE Protection Profile was officially certified by Common Criteria. Product vendors are now able to undertake a formal security evaluation of their TEE products, using laboratories licensed by supporting certification bodies to evaluate and certify that they meet the security requirements in the document.

GlobalPlatform has also launched a TEE Certification Scheme that evaluates the security level of a given TEE implementation. To drive this initiative, GlobalPlatform has also launched a TEE Security Evaluation Secretariat to manage the scheme. Under the scheme, providers of TEE products will be able to submit their products to the new GlobalPlatform secretariat for independent evaluation of their conformance to the organization’s TEE Protection Profile.

In the mid-term, GlobalPlatform is working to accelerate the deployment of certified TEEs and to create an ecosystem where GlobalPlatform certification is a prerequisite amongst service providers and handset manufacturers. This is a stepping stone on the way to achieving full market adoption, with the long-term goal of the specifications becoming a de facto standard for the industry.
