CISPA

TrustedGateway: TEE-Assisted Routing and Firewall Enforcement Using ARM TrustZone

conference contribution
posted on 2023-11-29, 18:21 authored by Fabian Schwarz
Gateway routers are at the heart of every network infrastructure, interconnecting subnetworks and enforcing access control policies using firewalls. However, their central position makes them high-value targets for network compromises. Typically, gateways are erroneously assumed to be hardened against software vulnerabilities ("bastion host"). In fact, though, they inherit the attack surface of their underlying commodity OSes, which, together with the wealth of auxiliary services available on both consumer and enterprise gateways (web and VoIP, file sharing, remote logins, monitoring, etc.), undermines this belief. This is underlined by a plethora of recent CVEs for commodity OSes and services of popular routers, which resulted in authentication bypass or remote code execution, thus giving attackers full control over their security policies. We present TrustedGateway (TruGW), a new gateway architecture, which isolates "core" networking features (routing and firewall) from error-prone auxiliary services and gateway OSes. TruGW leverages a TEE-assisted design to protect the network path and policies while staying compatible with commodity gateway platforms. TruGW uses ARM TrustZone to protect the NIC and traffic processing from a fully-compromised gateway and permits policy updates only by trusted remote administrators. That way, TruGW can readily guarantee the secure enforcement of trusted policies on commodity gateways. TruGW's small attack surface is a key enabler to regain trust in core network infrastructures.

Preferred Citation

Fabian Schwarz. TrustedGateway: TEE-Assisted Routing and Firewall Enforcement Using ARM TrustZone. In: The International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 2022.

Primary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

The International Symposium on Research in Attacks, Intrusions and Defenses (RAID)

Legacy Posted Date

2022-07-06

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3723,
  title = "TrustedGateway: TEE-Assisted Routing and Firewall Enforcement Using ARM TrustZone",
  author = "Schwarz, Fabian",
  booktitle = "{The International Symposium on Research in Attacks, Intrusions and Defenses (RAID)}",
  year = "2022",
}
