Using Trusted Execution Environments to enable Integrity of Offline Tests
As part of the Engineering course at PESIT, we were supposed to complete a project that was the culmination of an entire semester's work.
For this project I was guided by my professor, Dr. Viraj Kumar, and two other external guides: (1) Dr. Arvind Seshadri of IBM Research and (2) Dr. Sriram Rajamani of Microsoft Research. I was tasked with developing a system that could provide a secure and trustworthy experience for offline quiz-taking. The results of this project were published as a paper, and a poster was also presented at the IBM I-Care 2016 Conference.
Abstract
Today, automated assessment in online courses (MOOCs, SPOCs, etc.) is done in a client-server fashion. The only trusted component is the server, as it is run by the test creator. The user accesses the automated assessment module by logging into the server using their mobile device. The server sends questions to the user’s device one by one. For each question, the user types their answer into their device, which is then transmitted to the server for evaluation and scoring. This process requires constant internet connectivity on the user’s device, which may be a difficult requirement in developing nations. For evaluating complex assignments, it also places significant load on the server. This paper aims to address these issues by providing a secure offline solution for the automated assessment problem. An offline approach performs the evaluation and scoring on the user’s mobile device, so we must protect the evaluation and scoring process from being tampered with by the user. To achieve this, we divide the assessment module into two parts:
- An untrusted user-facing GUI component, and
- A trusted enclave component that handles the evaluation and scoring.

We use a hardware-rooted isolated execution technology (ARM TrustZone) to create an isolated enclave for the execution of the enclave component.
Important Links