Towards an Architecture for Trusted Edge IoT Security Gateways

Matt McCormack, Amit Vasudevan, Guyue Liu, Sebastián Echeverría, Kyle O’Meara, Grace Lewis, Vyas Sekar

IoT Insecurity is Growing

2

krebsonsecurity.com

iotsecurityfoundation.org

wired.com

washingtonpost.com

Prior Work: “Bolt-on” Security Gateways

3[Yu et al., HotNets 15], [Ko and Mickens, ANRW 18]

Advantages: practical, deployable, agile

Edge Gateway

ControllerPolicy

Control PlaneData Plane Device-specific NFs

Problem: Edge Gateways are Insecure

4

Edge Gateway

Controller1. Alter NF

3. Alter security policy

2. Bypass NF

Policy

Our Vision: Trusted “Bolt-on” Security

5

Edge Gateway

Controller Policy

1. Cannot alter NFs

2. Cannot alter paths

3. Cannot alter policy

Requirements Contributions

6

Holistic Coverage–Data plane–Control plane

Aligns with “Bolt-on” Security Gateways

–General– Legacy compatible–Performant

Key security properties of a trusted gateway

Trusted gateway architecture built on a micro-hypervisor

Foundational Security Properties

7

Software Integrity

Secure Data Channel

Secure Control Channel

Data Isolation & Mediation

Background: Extensible Micro-Hypervisor

8

micro-hypervisor

Hardware

OS

Extension

App 1 App n…

General

Legacy compatible

Performant

[Vasudevan et al., IEEE SP 13, USENIX Security 16, IEEE EuroSP 18]

Security Foundation

Edge Gateway

Controller1. Alter NF

Trusted Data Plane Approach

9

Edge Gateway

micro-hypervisorvTPM

1. Detect altered NFs: Periodically attest

Edge Gateway

Controller

2. Bypass NFs

Trusted Data Plane Approach

10

Edge Gateway

micro-hypervisorPacket Signing

2. Enforce path: per-hop

authentication

Promising Preliminary Results

11

Data plane: Packet Signing Extension–OVS & Docker: +13% latency

Control plane: Policy Extension–Custom controller: +17% latency

Prototype on Raspberry Pi 3–Micro-hypervisor: uberXMHF

(https://uberxmhf.org)

Conclusions

12

• Edge gateways offer hope for IoT security–Currently these gateways lack trust

• Vision for trusting edge IoT security gateways–Defined a holistic adversary model to derive our

foundational trust properties–High-level architecture for trusted data and

control plane built on top of a micro-hypervisor

• Thank you! – Contact: mccorm1@andrew.cmu.edu