TrustedGateway: TEE-protected Routing and Firewalling for Network Gateways

Gateway routers are at the core of a network's functionality and security. They perform traffic routing, group devices into subnetworks, and enforce firewall policies.

However, the central position of gateway routers makes them high-value targets for attacks. In fact, there have been several serious remote code execution vulnerabilities in gateways over the last years, resulting in a full compromise of the gateway and its security policies. That way, attackers can launch several types of attacks, including traffic sniffing, data exfiltration (theft), as well as the infiltration of critical enterprise networks.

The root cause of the high number of vulnerabilities is the increasing number of auxiliary services (e.g., VPN, web UI, IoT hub) on gateway routers and their reliance on huge commodity operation systems, e.g., Linux or BSD. While auxiliary services increase a gateway router's system utility, they also expose a large attack surface and are not specifically hardened against attacks. Furthermore, commodity OS consist of millions of lines of code with a high risk of undetected vulnerabilities. Therefore, there is a high risk that attackers combine remote code execution exploits against auxiliary services with local privilege escalation attacks to gain full control of a gateway router, including its routing and firewall policies.

To preserve the security of consumer and enterprise networks, we propose TrustedGateway (short: TruGW), a new gateway router architecture based on a system-level trusted execution environment (TEE). TruGW uses Arm TrustZone to split the router into a trusted and untrusted domain. TruGW provides secure routing and firewall services (NetTrug) within the trusted domain while containing the vulnerable auxiliary gateway services and OS in the untrusted one. To guarantee traffic protection and policy enforcement, TruGW grants the trusted domain exclusive access to the physical network cards (NICs) and provides secure NIC drivers. That way, all network traffic must pass through TruGW's trusted services. In addition, TruGW exposes a virtual NIC (VNIC) to the untrusted domain that provides the untrusted auxiliary services and OS with restricted network access, enabling remote admins full control on what traffic reaches them and what communication is permitted by them. By using secure boot (trusted board boot), the router platform can verify the integrity of TruGW's bootloader and TEE code base. In conclusion, TruGW significantly decreases the attack surface of gateway routers and guarantees secure policy enforcement, even if the gateway's OS or auxiliary services become compromised.

We have implemented and evaluated a prototype of TrustedGateway based on the OP-TEE OS (trusted OS) and Linux (untrusted OS) for a 2GB Nitrogen 6X board with a i.MX6 FEC network card. For more information on TrustedGateway, please check out the corresponding research paper that has been published at the RAID conference 2022.