English

StreamBox-TZ: Secure Stream Analytics at the Edge with TrustZone

Cryptography and Security 2019-06-07 v2 Distributed, Parallel, and Cluster Computing Operating Systems

Abstract

While it is compelling to process large streams of IoT data on the cloud edge, doing so exposes the data to a sophisticated, vulnerable software stack on the edge and hence security threats. To this end, we advocate isolating the data and its computations in a trusted execution environment (TEE) on the edge, shielding them from the remaining edge software stack which we deem untrusted. This approach faces two major challenges: (1) executing high-throughput, low-delay stream analytics in a single TEE, which is constrained by a low trusted computing base (TCB) and limited physical memory; (2) verifying execution of stream analytics as the execution involves untrusted software components on the edge. In response, we present StreamBox-TZ (SBT), a stream analytics engine for an edge platform that offers strong data security, verifiable results, and good performance. SBT contributes a data plane designed and optimized for a TEE based on ARM TrustZone. It supports continuous remote attestation for analytics correctness and result freshness while incurring low overhead. SBT only adds 42.5 KB executable to the TCB (16% of the entire TCB). On an octa core ARMv8 platform, it delivers the state-of-the-art performance by processing input events up to 140 MB/sec (12M events/sec) with sub-second delay. The overhead incurred by SBT's security mechanism is less than 25%.

Keywords

Cite

@article{arxiv.1808.05078,
  title  = {StreamBox-TZ: Secure Stream Analytics at the Edge with TrustZone},
  author = {Heejin Park and Shuang Zhai and Long Lu and Felix Xiaozhu Lin},
  journal= {arXiv preprint arXiv:1808.05078},
  year   = {2019}
}
R2 v1 2026-06-23T03:34:34.158Z