Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication (2312.09650v1)
Abstract: Industrial control systems increasingly rely on middlebox functionality such as intrusion detection or in-network processing. However, traditional end-to-end security protocols interfere with the necessary access to in-flight data. While recent work on middlebox-aware end-to-end security protocols for the traditional Internet promises to resolve the dilemma between end-to-end security guarantees and middleboxes, the current state-of-the-art lacks critical features for industrial communication. Most importantly, industrial settings require fine-grained access control for middleboxes to truly operate in a least-privilege mode. Likewise, advanced applications even require that middleboxes can inject specific messages (e.g., emergency shutdowns). Meanwhile, industrial scenarios often expose tight latency and bandwidth constraints not found in the traditional Internet. Since the current state-of-the-art lacks these critical features, we propose Middlebox-aware DTLS (Madtls), a middlebox-aware end-to-end security protocol specifically tailored to the needs of industrial networks. Madtls provides bit-level read and write access control for middleboxes over communicated data with minimal bandwidth and processing overhead, even on constrained hardware.