Trusty System Basics

Chapter 9: Memory & Permission Management

Memory and Permission Management in Trusty

Trusty OS provides robust memory and permission management mechanisms to ensure secure execution of trusted applications. This chapter covers three critical aspects of Trusty's security architecture.

1. Secure Memory Pool Configuration (memmap parameter)

Trusty uses memory partitioning to isolate the secure and non-secure worlds. The memmap parameter defines the memory regions at boot.

Key Configuration Parameters:

Best Practices:

Note: The memory map must be configured at boot time and cannot be changed dynamically.
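Because the map is fixed at boot, the time to catch a layout mistake is before the regions are handed to the page tables. The following is an added example, not Trusty's own memmap code: it validates a simplified, assumed region descriptor (name, base, size, world) for page alignment, address wrap-around, and overlap, and treats an overlap between a secure and a non-secure region as a separate, more serious error than two regions of the same world colliding. The addresses in the sample maps are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed region descriptor: a simplification for this example, not the
 * layout Trusty's real memmap parameter uses. */
enum mem_world { WORLD_SECURE, WORLD_NONSECURE };

struct mem_region {
    const char *name;
    uint64_t base;
    uint64_t size;
    enum mem_world world;
};

#define REGION_PAGE_SIZE 4096ULL

enum memmap_status {
    MEMMAP_OK = 0,
    MEMMAP_ERR_EMPTY,       /* zero-sized region */
    MEMMAP_ERR_ALIGN,       /* base or size not page aligned */
    MEMMAP_ERR_WRAP,        /* base + size overflows the address space */
    MEMMAP_ERR_OVERLAP,     /* two regions of the same world share pages */
    MEMMAP_ERR_WORLD_LEAK,  /* a secure region shares pages with a non-secure one */
};

/* True when [a.base, a.base+a.size) and [b.base, b.base+b.size) intersect. */
static bool regions_overlap(const struct mem_region *a, const struct mem_region *b)
{
    return a->base < b->base + b->size && b->base < a->base + a->size;
}

/* Validate a boot-time map. Stops at the first problem; the index of the
 * offending region is written to *bad_index when that pointer is non-NULL. */
enum memmap_status memmap_validate(const struct mem_region *map, size_t n, size_t *bad_index)
{
    for (size_t i = 0; i < n; i++) {
        const struct mem_region *r = &map[i];
        enum memmap_status st = MEMMAP_OK;

        if (r->size == 0)
            st = MEMMAP_ERR_EMPTY;
        else if (r->base % REGION_PAGE_SIZE != 0 || r->size % REGION_PAGE_SIZE != 0)
            st = MEMMAP_ERR_ALIGN;
        else if (r->base + r->size < r->base)
            st = MEMMAP_ERR_WRAP;
        else
            for (size_t j = 0; j < i && st == MEMMAP_OK; j++)
                if (regions_overlap(r, &map[j]))
                    st = (r->world != map[j].world) ? MEMMAP_ERR_WORLD_LEAK
                                                    : MEMMAP_ERR_OVERLAP;

        if (st != MEMMAP_OK) {
            if (bad_index) *bad_index = i;
            return st;
        }
    }
    return MEMMAP_OK;
}

/* Constructed sample maps; the addresses are made up for this example. */
static const struct mem_region consistent_map[] = {
    { "tee_ram",    0x0E000000, 0x01000000, WORLD_SECURE },
    { "shared_buf", 0x0F000000, 0x00100000, WORLD_NONSECURE },
    { "kernel_ram", 0x40000000, 0x40000000, WORLD_NONSECURE },
};

/* The non-secure kernel range starts inside TEE RAM: secure pages would be
 * reachable from the normal world. */
static const struct mem_region overlapping_map[] = {
    { "tee_ram",    0x0E000000, 0x01000000, WORLD_SECURE },
    { "kernel_ram", 0x0E800000, 0x40000000, WORLD_NONSECURE },
};

/* A base that is not page aligned cannot be expressed in the page tables. */
static const struct mem_region misaligned_map[] = {
    { "tee_ram", 0x0E000800, 0x01000000, WORLD_SECURE },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

enum memmap_status check_consistent_map(void)  { return memmap_validate(consistent_map,  COUNT(consistent_map),  NULL); }
enum memmap_status check_overlapping_map(void) { return memmap_validate(overlapping_map, COUNT(overlapping_map), NULL); }
enum memmap_status check_misaligned_map(void)  { return memmap_validate(misaligned_map,  COUNT(misaligned_map),  NULL); }

int main(void)
{
    size_t idx = 0;
    enum memmap_status st = memmap_validate(overlapping_map, COUNT(overlapping_map), &idx);
    printf("consistent map: status %d\n", (int)check_consistent_map());
    printf("overlapping map: status %d at region '%s'\n", (int)st, overlapping_map[idx].name);
    printf("misaligned map: status %d\n", (int)check_misaligned_map());
    return 0;
}
```

The validator is deliberately strict: it rejects the whole map on the first defect rather than skipping the bad region, because a partially applied map is exactly the kind of silent misconfiguration that a boot-time-only setting cannot correct later.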

2. Capability-Based Access Control Model

Trusty implements a capability-based security model where access to resources is controlled through unforgeable tokens (capabilities).

Capability Types:

Key Characteristics:

// Example: checking a capability before reading a memory region.
// get_memory_capability() and check_capability() are illustrative names
// for this chapter, not public Trusty API.
int read_secure_region(void) {
    handle_t mem_cap = get_memory_capability();
    if (!check_capability(mem_cap, CAP_ACCESS_READ)) {
        return ERR_ACCESS_DENIED;  // Caller does not hold the read right
    }
    // ... proceed with the read using mem_cap ...
    return NO_ERROR;
}
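The properties that make a capability model work are easier to see in a small model than in prose: user code holds only an index into a kernel-side table, every operation is checked against the rights stored in that table, delegation can only shrink rights, and revocation turns the index into a dead slot. The following is an added example, not Trusty's implementation; the rights bits, the table layout and the function names (grant_capability, derive_capability, revoke_capability, and a check_capability that takes the table explicitly) are assumptions for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative rights bits; the names are assumptions for this example. */
#define CAP_READ   (1u << 0)
#define CAP_WRITE  (1u << 1)
#define CAP_GRANT  (1u << 2)   /* holder may hand out attenuated copies */

typedef int32_t handle_t;      /* what user code holds: an index, not the capability itself */
#define INVALID_HANDLE ((handle_t)-1)
#define MAX_HANDLES 8

struct capability {
    uint32_t object_id;  /* the kernel object this entry refers to */
    uint32_t rights;     /* the subset of operations the holder may perform */
    bool in_use;
};

/* One table per task, kept in kernel memory. User code can only name entries
 * by index, so it cannot mint an entry with rights it was never given. */
struct handle_table {
    struct capability caps[MAX_HANDLES];
};

void handle_table_init(struct handle_table *t) { memset(t, 0, sizeof(*t)); }

static handle_t table_insert(struct handle_table *t, uint32_t object_id, uint32_t rights)
{
    for (handle_t i = 0; i < MAX_HANDLES; i++) {
        if (!t->caps[i].in_use) {
            t->caps[i].object_id = object_id;
            t->caps[i].rights = rights;
            t->caps[i].in_use = true;
            return i;
        }
    }
    return INVALID_HANDLE;
}

static const struct capability *table_lookup(const struct handle_table *t, handle_t h)
{
    if (h < 0 || h >= MAX_HANDLES || !t->caps[h].in_use)
        return NULL;  /* stale, closed, or simply made-up handle */
    return &t->caps[h];
}

/* The kernel grants the initial capability, e.g. when a service is started. */
handle_t grant_capability(struct handle_table *t, uint32_t object_id, uint32_t rights)
{
    return table_insert(t, object_id, rights);
}

/* Every operation asks the same question: does this handle carry all of `needed`? */
bool check_capability(const struct handle_table *t, handle_t h, uint32_t needed)
{
    const struct capability *c = table_lookup(t, h);
    return c != NULL && (c->rights & needed) == needed;
}

/* Delegation: a new handle to the same object with a subset of the rights.
 * Refused unless the parent carries CAP_GRANT, and never adds rights. */
handle_t derive_capability(struct handle_table *t, handle_t parent, uint32_t rights)
{
    const struct capability *c = table_lookup(t, parent);
    if (c == NULL || !(c->rights & CAP_GRANT))
        return INVALID_HANDLE;
    if ((rights & ~c->rights) != 0)
        return INVALID_HANDLE;  /* attempted amplification */
    return table_insert(t, c->object_id, rights);
}

void revoke_capability(struct handle_table *t, handle_t h)
{
    if (h >= 0 && h < MAX_HANDLES)
        t->caps[h].in_use = false;
}

/* Walks through the properties above on a constructed table and returns how
 * many of the five held, so a caller can confirm all of them passed. */
int capability_scenario(void)
{
    struct handle_table t;
    int ok = 0;
    handle_table_init(&t);

    /* Object 0x1001 (constructed id): the kernel grants read+write+grant to this task. */
    handle_t full = grant_capability(&t, 0x1001, CAP_READ | CAP_WRITE | CAP_GRANT);
    ok += check_capability(&t, full, CAP_READ | CAP_WRITE);

    /* Hand a read-only view to a less trusted component. */
    handle_t ro = derive_capability(&t, full, CAP_READ);
    ok += check_capability(&t, ro, CAP_READ) && !check_capability(&t, ro, CAP_WRITE);

    /* The read-only holder cannot delegate (no CAP_GRANT) ... */
    ok += derive_capability(&t, ro, CAP_READ) == INVALID_HANDLE;
    /* ... and the granting holder cannot add a right it does not itself have. */
    ok += derive_capability(&t, full, CAP_READ | (1u << 7)) == INVALID_HANDLE;

    /* Revocation is immediate: the old index is just a dead slot, and a
     * guessed index is indistinguishable from one. */
    revoke_capability(&t, ro);
    ok += !check_capability(&t, ro, CAP_READ) && !check_capability(&t, 99, CAP_READ);
    return ok;
}

int main(void)
{
    printf("capability properties holding: %d of 5\n", capability_scenario());
    return 0;
}
```

The point of keeping the table in kernel memory and handing out indices is that "unforgeable" then follows from the address space boundary rather than from any secret in the token: a task can guess an index, but the lookup will only succeed for entries the kernel placed in that task's own table.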

3. Preventing TOCTOU Attacks

Trusty includes several design features to prevent Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities.

Defensive Mechanisms:

Warning: Developers must still be careful with multi-step operations that span multiple system calls.

Implementation Example:

// Safe file access pattern. open_file(), validate_file(), read_file() and
// close_handle() are illustrative helpers rather than public Trusty API.
int read_validated_file(const char *path) {
    handle_t file = open_file(path);
    if (!validate_file(file)) {
        close_handle(file);  // Immediate cleanup
        return ERR_INVALID;
    }

    // Use the validated handle: the check and the use refer to the same object
    int result = read_file(file);

    close_handle(file);  // Explicit cleanup
    return result;
}
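What the pattern above actually buys can be shown by placing a name-based version next to it and simulating the race between check and use. The following is an added example, not Trusty's code: a single name binding stands in for a directory entry that another thread can repoint, a hook runs at the point where that concurrent writer would act, and the two access patterns are compared. The object store, the hook mechanism, and the function names (read_by_name, read_by_handle, open_object, validate_handle) are all constructed for this illustration; the error constants are only chosen to match the chapter's snippets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ERR_INVALID        (-1)
#define ERR_ACCESS_DENIED  (-2)
#define MAX_HANDLES 4

typedef int handle_t;

/* Constructed objects: one the caller may read, one it must never see. */
struct object { const char *label; bool sensitive; int payload; };
static struct object public_obj = { "public", false, 42 };
static struct object secret_obj = { "secret", true, 7 };

/* A single name binding, standing in for a directory entry or link that
 * another thread can repoint between a check and a use. */
static const char *bound_name = "data";
static struct object *bound_target = &public_obj;

static struct object *resolve(const char *name)
{
    return strcmp(name, bound_name) == 0 ? bound_target : NULL;
}

/* Race-window simulation: invoked where a concurrent writer would run. */
typedef void (*race_window_t)(void);
void rebind_name_to_secret(void) { bound_target = &secret_obj; }
void reset_binding(void)         { bound_target = &public_obj; }

/* Vulnerable pattern: validate the NAME, then use the NAME. The second
 * resolve() may return a different object from the one that was checked. */
int read_by_name(const char *name, race_window_t window)
{
    struct object *o = resolve(name);
    if (o == NULL || o->sensitive)
        return ERR_ACCESS_DENIED;            /* check */
    if (window)
        window();                            /* the binding changes here */
    o = resolve(name);                       /* use: resolves afresh */
    return o ? o->payload : ERR_INVALID;
}

/* Handle-based API: a handle stays bound to the object it was opened on,
 * whatever happens to the name afterwards. */
static struct object *handles[MAX_HANDLES];

handle_t open_object(const char *name)
{
    struct object *o = resolve(name);
    if (o == NULL) return ERR_INVALID;
    for (handle_t h = 0; h < MAX_HANDLES; h++)
        if (handles[h] == NULL) { handles[h] = o; return h; }
    return ERR_INVALID;                      /* table full */
}

bool validate_handle(handle_t h)
{
    return h >= 0 && h < MAX_HANDLES && handles[h] != NULL && !handles[h]->sensitive;
}

int  read_handle(handle_t h)  { return handles[h]->payload; }
void close_handle(handle_t h) { if (h >= 0 && h < MAX_HANDLES) handles[h] = NULL; }

/* Safe pattern: open once, validate the handle, use that same handle. */
int read_by_handle(const char *name, race_window_t window)
{
    handle_t h = open_object(name);
    if (h < 0)
        return ERR_INVALID;
    if (!validate_handle(h)) {
        close_handle(h);                     /* immediate cleanup, as in the chapter's pattern */
        return ERR_ACCESS_DENIED;
    }
    if (window)
        window();                            /* repointing the name no longer matters */
    int result = read_handle(h);
    close_handle(h);                         /* explicit cleanup on the success path too */
    return result;
}

int main(void)
{
    reset_binding();
    printf("by name, no race: %d\n", read_by_name("data", NULL));
    reset_binding();
    printf("by name, raced:   %d  (sensitive payload returned)\n", read_by_name("data", rebind_name_to_secret));
    reset_binding();
    printf("by handle, raced: %d\n", read_by_handle("data", rebind_name_to_secret));
    return 0;
}
```

The second printed line is the defect the chapter's warning is about: the name was checked, but the object eventually read was a different one. In the handle version the window hook still runs, yet it has nothing to repoint that the reader still depends on. The same reasoning applies to the multi-syscall case the warning mentions: any step that goes back to a name, path, or index that another party can change reopens the gap.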

Summary

Trusty's memory and permission management provides a secure foundation for trusted applications:

  1. Secure memory isolation through boot-time configuration
  2. Fine-grained access control via capabilities
  3. Built-in protections against common vulnerabilities like TOCTOU

These mechanisms work together to maintain the integrity of the Trusty execution environment while providing flexibility for application developers.