DOI: 10.1145/3634737.3637640
Research article, Open access

Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication

Published: 01 July 2024

Abstract

Industrial control systems increasingly rely on middlebox functionality such as intrusion detection or in-network processing. However, traditional end-to-end security protocols interfere with the necessary access to in-flight data. While recent work on middlebox-aware end-to-end security protocols for the traditional Internet promises to resolve the dilemma between end-to-end security guarantees and middleboxes, the current state of the art lacks critical features for industrial communication. Most importantly, industrial settings require fine-grained access control for middleboxes so that they can truly operate in a least-privilege mode. Likewise, advanced applications even require that middleboxes can inject specific messages (e.g., emergency shutdowns). Meanwhile, industrial scenarios often impose tight latency and bandwidth constraints not found in the traditional Internet. As the current state of the art misses these critical features, we propose Middlebox-aware DTLS (Madtls), a middlebox-aware end-to-end security protocol specifically tailored to the needs of industrial networks. Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.



Published In
ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
July 2024
1987 pages
ISBN:9798400704826
DOI:10.1145/3634737
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. industrial IoT
  2. end-to-end security
  3. middlebox

Conference

ASIA CCS '24

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
