Related Applications

[0001] This application claims the benefit of U.S. Provisional Patent Application No. 63/234,913, filed August 19, 2021, the contents of which are incorporated herein by reference.

Government interest

[0002] This invention was made with U.S. government support under contract to CNS-1564009, ordered by the National Science Foundation. U.S. government has certain rights in this invention.

Background of the Invention

[0003] The Internet of Things (loT) describes a network of physical devices having embedded sensors, software and other components that allow the object to perform a task and connect and exchange data with other devices over the internet. These devices range from ordinary household objects to sophisticated industrial tools.

[0004] An increasing number of loT devices are deployed into edge environments, from home networks to manufacturing floors. Unfortunately, these devices are plagued by a myriad of vulnerabilities, which attackers have been able to exploit as stepping stones into protected networks and as launch pads for other attacks. Consequently, these loT devices pose a continuing threat to the security of edge networks.

[0005] Industry and academia have proposed securing potentially vulnerable loT devices on edge networks with on-site security gateways. These "bolt-on" security gateways are designed to intercept all traffic to and from an loT device and apply security protections via middleboxes at the network level (e.g., a firewall). These middleboxes can be used to implement "network patches" which mitigate a device's vulnerabilities without patching the device's software.

[0006] While bolt-on security gateways are gaining popularity and are a deployable solution, the fundamental question of the trustworthiness of the system providing the network level protections remains. As an example scenario, consider a smart factory with a plethora of loT devices protected by multiple security gateways. The factory's security gateways provide network level protections tailored to each individual loT device's vulnerabilities. Unfortunately, security gateways form a single point of failure. They are particularly vulnerable to an adversary who can compromise the security gateway (by exploiting OS and/or application vulnerabilities), as the gateway typically runs commodity software (e.g., Linux, Docker, OVS, Snort, etc.). Once compromised, an adversary can modify the gateway's protections (e.g., remove a firewall rule) thereby enabling attacks against an loT device to stop/alter production.

[0007] Current approaches for securing applications in untrusted cloud environments could potentially be applied to establish trust in security gateways. These approaches rely on hardware specific capabilities (e.g., SGX, MPX). Unfortunately, such approaches have high performance overheads, rendering them impractical for loT deployments. They also lack generality, being limited to a specific processor class, and only support user space applications with constrained memory allocation. Furthermore, addressing security vulnerabilities requires fabricating newer revisions of the hardware.

Summary of the Invention

[0008] Disclosed herein is a method for defining a model of a trusted loT security gateway architecture based on a microhypervisor, wherein evaluation of the architectural model provides a formal (mathematical) guarantee that the correct security protections are applied to each loT device's network traffic at all times, including when under attack. The models defined in accordance with the method disclosed herein are used to verify security gateway architectures that provide robust trust properties to a broad range of legacy hardware platforms utilizing existing software with a reasonable performance overhead.

[0009] As disclosed herein, a microhypervisor-based approach is used as an architectural basis for building trust in edge security gateways. A microhypervisor, like a traditional hypervisor, is a software reference monitor that provides core security capabilities (e.g., memory isolation, mediation, and attestation) that can be applied to effectively address the aforementioned challenges. In contrast to traditional hypervisors, a microhypervisor provides these capabilities with a dramatically reduced trusted computing base (TCB) and complexity which enables formal verification to rule out potential vulnerabilities. Furthermore, microhypervisors provide an extensible foundation for realizing robust trust properties without a loss of generality and minimal performance overhead. Lastly, in contrast to approaches using specific hardware capabilities which limit applications (e.g., SGX's limitations previously described), microhypervisors can support a variety of hardware platforms (e.g., x86, ARM, microcontroller) running unmodified software (e.g., Linux). Thus, a microhypervisor provides a practical and secure foundation for building security mechanisms.

[0010] Heretofore, microhypervisors have not been used in edge loT gateways. As such, the novelty of this invention is derived from a more holistic system adversary model for an edge loT security gateway and a high-level architecture based on microhypervisors to enable a practical and flexible solution with formally proven security properties.

Brief Description of the Drawings

[0011] FIG. 1 is a schematic drawing illustration various attack vectors associated with an loT device.

[0012] FIG. 2 is a high-level block diagram of a trusted, extensible, and widely-deployable edge security gateway architecture.

[0013] FIG. 3 is a high-level block diagram of the architecture's stack on a data plane implementation.

[0014] FIG. 4 is a block diagram showing a key component of the architectural model. [0015] FIG. 5 is a listing in the Alloy modeling language showing an abridged formal model of the software-defined security gateway architecture.

[0016] FIG. 6 shows the Alloy model of policy isolation and mediation.

[0017] FIG. 7 shows the Alloy model of instance validation.

[0018] FIG. 8 shows the Alloy model of message integrity and authentication.

[0019] FIG. 9 shows the Alloy model of packet path and data validation

Detailed Description

[0020] FIG. 1 shows various attack vectors from which bolt-on security architectures are vulnerable. An attacker could launch attacks at multiple points in the architecture. For example, an attacker could: (1) use an unpatched exploit to compromise the gateway itself ("B") and (2) modify the middlebox configuration such that it allows the attacker's traffic to pass through to enable the attacker to compromise a factory's loT device and steal proprietary data ("A"). Beyond modifying the software, an attacker could also tamper with network messages. For example, modifying packets on the control channel between the controller and gateway ("C") and data channel between the vSwitch and the middlebox ("D"), redirecting traffic to the wrong middlebox, evading security inspections. A trusted security architecture needs to protect the gateway and controller's software while prohibiting tampering with network traffic. [0021] To address these various attack vectors, disclosed herein is a system and methods implementing a trusted, extensible, and widely-deployable edge security gateway architecture that addresses the security challenges of today's edge loT deployments.

[0022] The design space can be categorized along two axes. First, approaches dependent on hardware functionality are limited in both the hardware platforms and software they can support. Additionally, their security properties rest on a complex and opaque implementation in microcode and silicon, known to have vulnerabilities. Second, pure software approaches (e.g., formal verification, secure programming languages) are limited as they require significant reimplementation and verification effort. As many commonly used software applications on edge security gateways span over 100,000 lines of C/Java this quickly becomes intractable.

[0023] It is dangerous to tie critical security features to either hardware implementations that require new hardware to address threats, or to software approaches that require significant reimplementation or formal verification effort of the entire software stack. Instead, the present architecture leverages legacy hardware features in combination with a small TCB and extensible software framework to provide fundamental trust properties and protect edge devices from evolving threats.

[0024] Consequently, a microhypervisor-based approach is disclosed herein to enable a trusted edge security gateway architecture, shown in FIG. 2, that retrofits security protections to only the necessary system components. A microhypervisor is in essence a software reference monitor that acts as a guardian, implementing access control to system resources (e.g., files, sockets) using a small TCB. These protections can be applied in a fine-grained manner, protecting a single data value (e.g., secret key) or a complex set of objects (e.g., a virtual machine) with minimal performance overhead. Microhypervisors provide a strong foundation for fine-grained mediation, isolation, and attestation with a small TCB, which allows for security services to be designed and implemented as extensions.

[0025] Due to their simplicity and small TCB, microhypervisors are amenable to formal verification for ruling out potential vulnerabilities within their code. Additionally, microhypervisors can potentially be supported on any hardware platform. The invention is built on top of the aforementioned microhypervisor-enabled foundational capabilities to construct a trusted security gateway architecture. The software of the controller and gateway run on top of a microhypervisor, thereby supporting any commodity OS and application stack. On the controller, critical data (e.g., the security policy) is migrated into microhypervisor extensions to isolate it from untrusted software (e.g., the OS). Further, all access is mediated by the microhypervisor, prohibiting an attacker from subverting the data's integrity.

[0026] On the gateway, a set of customized middleboxes is assigned to each device. The middleboxes are isolated from each other. Middleboxes are processing elements or virtual machines which are assigned to a single loT device and which are attested on startup by the microhypervisor. Additionally, the signature of each middlebox and the vSwitch is periodically monitored to verify their integrity. Finally, the controller and the gateway run trusted agents, which are microhypervisor extensions used to mediate communication between the control and data planes, to ensure the instantiated protections correctly reflect the security policy.

[0027] The microhypervisor-based architecture provides three key benefits. First, it provides fine-grained isolation and mediation which allow for precisely ensuring that the architecture enforces the correct protections while being performant. Second, it is extensible allowing for rapid growth of new security functionality and response to emerging threats. Third, it is widely-deployable, supporting a wide range of hardware platforms while utilizing existing software, with a low performance overhead for providing trust.

[0028] There are three challenges that the disclosed architecture and associated formal modeling addresses: (1) Necessary Security Properties: Identify the security properties that ensure trust under a holistic adversary model; (2) Support Dynamic Middleboxes: Enable protecting the dynamic middleboxes required by an loT environment, ensuring an adversary cannot modify the protections; and (3) Secure Communications: Provide per-packet protections with a low performance impact, guaranteeing an adversary cannot modify or spoof packets. The key building blocks of the architecture that address these requirements will now be discussed.

[0029] Adversary and Trust Properties: The goal is to provide end-to-end protections against a holistic threat model. Within the SDN domain, this would entail protecting both the control plane and the data plane (e.g., from BGP hijacking). However, prior works on loT security gateways have typically only considered a narrow threat model. [0030] To this end, such an adversary systematically defined with a goal of inhibiting the gateway's protections (i.e., enable exploiting a protected loT device). It is assumed that the adversary has knowledge of the security architecture as well as network access to all devices. Adversary capabilities are grouped into two categories: (1) the ability to compromise a device's software stack (i.e., software on the controller or gateway: "A" and "B" in FIG. 1), and (2) the ability to inject/modify network messages (i.e., the control, data channels: "C" and "D" in FIG. 1).

[0031] A set of adversary capabilities are summarized in Table 1. These capabilities inhibit the architecture's ability to protect an loT device and, when taken together, form an adversary model.

Table 1.

[0032] While not a complete list, the example threats in Table 1 are used to define the fundamental security properties needed for the trusted architecture. Based upon the adversary model in Table 1, there are a minimum of five fundamental properties required for a trusted security gateway architecture.

[0033] Data Isolation and Mediation (Pswl): The ability to isolate security critical logic (e.g., keep the OS from accessing the security policy) and the ability to have a trusted entity mediate access to security critical data (e.g., blocking an untrusted application's access to secret keys)

[0034] Software Integrity (Psw2): The ability to detect code and data modifications (e.g., changes in middlebox configuration).

[0035] Secure Control Channel (Pcoml): The ability to trust data transferred between the controller and gateway (e.g., the gateway only executes commands from the controller).

[0036] Secure Data Channel (Pcom2): The ability to trust that packets are routed through the correct middleboxes (e.g., packets should not be processed by a wrong middlebox).

[0037] The architecture may support additional adversarial properties, but fouses on these four as being fundamental to a trusted architecture. These fundamental properties can be grouped into: (1) protecting running code and data (P _sw ) and (2) protecting communications (P _com ).

[0038] Formal Model

[0039] To guide and inform the design of the trustworthy architecture, a formal model of current software-defined loT security gateway architectures is created. This model aids in the identification of critical components and interfaces of the architecture, formally define and encode the corresponding architectural elements, and prove desired trust and security properties.

[0040] A model of bolt-on loT security architectures may be created, in some embodiments, using the Alloy modeling language (See FIG. 5, Listing 1). Alloy models are defined using first-order, relational logic. At its core, the Alloy language is an easy to use but expressive logic based on the notion of relations. The Alloy model is compiled into a scope-bound satisfiability problem and analyzed by off-the-shelf SAT solvers. This analysis can be used to identify if an instance of the model exists and to identify counterexamples to constraints. This analysis is used to identify attack vectors, refine security architecture, and to formalize our trust properties.

[0041] Model Description and Semantics - The bolt-on software-defined loT security architecture model, shown in block diagram form in FIG. 4, comprises a centralized controller and a set of gateways that process packets to and from loT devices. For brevity, an exemplary architecture with a single gateway is used to explain the abridged Alloy model in Listing 1.

[0042] Two key entities ate modelled first: a Controller and a Gateway, using Alloy's sig interface (lines 1-10 of Listing 1). A s/g (signature) defines a set (e.g., Controller) and its relationship to other sigs (i.e., each Controller has one Policy, see line 2 of Listing 1). The Controller maintains the security policy and uses the control channel to configure each Gateway based on the policy. Each Gateway is managed by the associated controller. The Gateway receives its policy over the control channel and installs paths in the vSwitch and then instantiates the middleboxes. Each path specifies to which middlebox traffic of a specific loT device should be routed through.

[0043] The manner in which the Gateway processes packets is modelled using Alloy's/un (function) interface (see lines 11-18 of Listing 1). A function evaluates a series of statements and returns all possible solutions. A packet received by the Gateway is sent to the vSwitch for routing. The vSwitch routes the packet to the specific middlebox (ROUTEPKT, see line 12 of Listing 1). The middlebox then processes the packet and determines if the packet is benign or malicious (MIDDLEBOXPROCESS, see line 13 of Listing 1). Packets that are benign are routed back to the switch and then sent out to the loT device, while all other packets are dropped.

[0044] Next, a trusted gateway architecture is defined using Alloy's pred (predicate) interface (see lines 19-27 of Listing 1). A predicate evaluates a series of constraints. It returns true only if all of the constraints are met, otherwise, false is returned. Thus, for an architecture to be trusted, the following conditions must all be met. First, an attacker must not be able to tamper with the policy on the controller (i.e., TAMPERPROOF is true in line 21 of Listing 1), Second, the control channel between the controller and the gateway must be secure so that it is immune to an attacker injecting malicious messages (i.e., SECURECHANNEL is true in line 22 of Listing 1). Third, the correct software must be running on the controller, vSwitch, and middle box (CORRECTSW is true for lines 23-26 of Listing 1). Finally, each packet must follow the path specified by the controller and enforced by the vSwitch and each middlebox (AUTHENTICATEROUTE is true in line 27 of Listing 1). If all of these conditions are true then the gateway architecture deemed to be trusted.

[0045] Finally, a goal that all output packets were processed correctly is defined using Alloy's assert interface (see lines 28-31 of Listing 1). In Alloy, an assert claims that a series of statements must be true based upon the model, and will generate a counterexample if any of the claims do not hold to be true. A trusted gateway architecture can achieve this goal. Specifically, it allows all benign packets while dropping all malicious packets. [0046] Using the architectural model and semantics, the overarching security property and its sub-properties are defined.

[0047] Overarching Security Property: Given a network where all of an loT device's inbound and outbound traffic goes through the trusted security gateway, the goal is to ensure that any packet pkt output by the gateway was processed by the correct middlebox, such that benign packets are allowed and malicious packets are dropped (modeled in Listing 1). This can be denoted as:

Ypkt BenignPkt,processPkt(pkt, GW) = Allow

Vpkt G MaliciousPkt, processPkt(pkt, GW) = Drop

(1) [0048] To achieve this property in the presence of an attacker, the gateway architecture must be trusted, which can be expressed formally as:

TrustedGateway GW, Controller') <=> tamperProof (policy) A correct Instance (GW, Controller) A secure Channel (GW, Controller) A

YmBoxi, authenticate Route (vSwitch, mboxi)

(2) where:

GW = [channel, vSwitch, {mbox _Q . , ... , mbox _n }[

Controller = {channel, policy} [0049] Eqs (1,2) are realized in Alloy as shown in Listing 1, where gateway architectures are instantiated with a Controller and Gateway that processes packets using a software middlebox. The PROCESSPKT function determines if each packet is benign, and therefore allowed to be forwarded to its final destination or is malicious and is dropped. The TRUSTEDGATEWAY predicate tests if an architecture (composed of a Gateway and a Controller) is trustworthy. The model verifies that the Controller is assigned to the Gateway, that the Controller's security policy is tamper proof, that the channel between the Controller and the Gateway is secure, that the controller, vSwitch and all middleboxes are attested to be correct and that each packet being processed follows an authenticated route. A gateway meeting these requirements ensures that all benign packets are allowed and malicious packets are dropped (confirmed with the assert interface).

[0050] The overarching security property is further decomposed into four sub-properties.

These sub-properties can be broadly grouped into two categories: (1) protecting data and running code (P _swl , P _SW 2) and (2) protecting network communications (P _CO mi> Pcomi - Each of these will now be discussed in more detail.

[0051] Security Policy Isolation and Mediation (P _swl )'. The first sub-property is to protect the security policy (data) stored in the Controller. Controller applications are subject to attacks which make the security policy vulnerable. As the correctness of the rest of the system is based upon this policy, the policy must be tamper-proof. To achieve this, the security policy is isolated in protected memory and all accesses require mediation by a trusted entity (see Listing 2, FIG. 6). Such defenses block the OS and other untrusted applications from accessing and modifying the security policy. This can be denoted as: tamperProof (policy) <=> isolatedMemory (policy) A me diate dAccess (policy)

(3) [0052] Listing 2 depicts how Eq. (3) is modelled in Alloy. The TAMPERPROOF predicate checks if an object is located in isolated memory and all accesses are mediated. The assert interface checks that a controller's policy is tamper-proof.

[0053] Component Instance Validation (P _sw2 )- Besides the security policy, the software of key components must not be altered by an attacker (e.g., Attack B in Table 1). To achieve this, a validation that the correct instances of key components are running is needed. This includes validating the Controller, the vSwitch and all middleboxes (see Listing 3, FIG. 7). Where each middlebox instance is the type and configuration (e.g., rule set) currently specified by the controller's security policy. This can be denoted as: correct!nstance(GW, Controller) <=> remoteAttest(Controller) A remoteAttest(vSwitch) A

Ymbox , remoteAttest(mboxi)

(4) [0054] The implementation of Eq, (4) is modelled in Listing 3. The predicate REMOTEATTEST checks that an object has the correct software and its correctness can be attested. This is then verified by asserting it for the controller, the vSwitch, and each middlebox. [0055] Control Message Integrity and Authentications (P _com i)- To protect against control channel attacks (e.g., Attack C in Table 1), assurances are provided that the control channel is secure. To achieve this, the control channel needs to be authenticated and encrypted so that data transmitted over the channel has not been modified or spoofed (e.g., only the controller can send middlebox configuration commands to the gateway). Meanwhile, the secret keys used by the channel are isolated and any access is mediated by a trusted entity (see Listing 4, FIG. 8). This can be denoted as: secureChannel^channel') <=> authenticatedEncrypted^channel') A isolatedMemory(keys) A , mediatedAccess(keys)

(5) [0056] A model of the Alloy implementation of Eq. (5) is shown in Listing 4. The

TRUSTWORTHYCHANNEL predicate checks that the channel (i.e., the method being used to send messages between the Controller and the Gateway) uses authenticated encryption and that the encryption keys are tamper-proof. The assert then verifies that the channel between the Gateway and the Controller uses authenticated encryption and both hosts protect the encryption keys.

[0057] Packet Path and Data Validation (P _com2 )- Each packet must be routed to the correct middlebox as specified by the security policy. Prior work on internet routing has advocated for per-hop path authentication to validate that packets follow the specified path. Herein, similar guarantees are provided to detect packets maliciously routed to the wrong middlebox (e.g., Attack D in Table 1). In particular, the intended path of a packet must be enforced, and whether packet data has been modified (see Listing 5, FIG. 9). This can be denoted as: authenticate Route (vSwitch, mboxi) <=>

Ypkt, intendedPath(pkt, policy) = mboxi => actualPathj(pkt) = vSwitch -> mbox^ -> vSwitch

(6) [0058] Listing 5 in FIG. 9 depicts the Alloy implementation of Eq. (6). The function GETPATH provides the mapping of packets to the appropriate middlebox and returns the packet's sequence of hops on the gateway. Next, the predicate AUTHENTICATEDHOP is defined, which checks to ensure that the packet was not modified and that it arrived at the correct hop location. It is verified that packers being processed by the Gateway follow authenticated routes using the assert statements to ensure the packet follows the correct path and that the packet is not modified at each hop location.

[0059] A system that provides these properties will, by construction, stop the example attacks in Table 1. As shown in Table 2, security policy isolation and mediation (P _swl ) blocks an attacker from modifying the security policy (Attack A in Table 1). Component instance validation (P _sw2 ) enables the architecture to detect an attacker modifying a middlebox (Attack B in Table 1). Control message integrity and authentication (P _coml ) blocks an attacker from being able to inject malicious control messages (Attack C in Table 1). Finally, packet path and data validation (P _com 2) mitigates local attackers modifying packets (Attack D in Table 1). 4

Table 2

[0060] In additional embodiments, the architecture supports additional properties, but focuses on those presented herein as fundamental to a trusted architecture. The fundamental properties can be grouped into one of: (1) protecting running code and data (P _sw ) and (2) protecting communications (P _com ). One approach for providing these will now be disclosed.

[0061] Supporting Dynamic Middleboxes

[0062] Ideally, the entire codebase on both the control and data planes of the loT device could be robustly protected from an attacker. However, this is impractical as it either incurs significant performance costs (e.g., multiple enclaves to process each packet) or requires significant reimplementation (e.g., migrating 100,000+ lines of C/Java). Instead, fine-grained security properties are applied to the portions of the codebase that impact the architecture's protections, thereby creating a robustness against an adversary. Specifically, periodic, remote attestations are applied to guarantee the code's integrity (providing P _sw2 )- This allows the code to run with minimal performance degradation, while bounding the duration it is vulnerable to attack. Additionally, critical code (e.g., security policy) can be protected with a hypervisor extension to isolate it and mediate access to it (providing P _swl ).

[0063] Periodic, Remote Attestation: loT security gateways rely upon a large codebase to provide device-specific protections. Prior methods of remote attestation, such as Trusted Platform Modules (TPM), are used to precisely guarantee that the appropriate software stack is running (providing Psw2). Upon boot, the correct baseline software stack, composed of the microhypervisor, OS, and critical software components (e.g., controller, vSwitch, middleboxes, etc.) is verified.

[0064] Subsequently, new modules that will impact the provided protections (e.g., the code of a new middlebox prior to loading) are attested, thereby allowing the architecture to ensure that the correct protections are instantiated.

[0065] During runtime, critical modules (e.g., controller, vSwitch, middleboxes) are periodically re-attested, thereby ensuring an attacker has not tampered with them. For example, the middlebox code must be run outside of the hypervisor to enable high packet throughput. To bound the potential impact of an attacker tampering with this code (i.e., the protection not being applied), the controller remotely attests critical software components on the gateway at the end of every epoch, where the epoch duration can be adjusted to provide a trade-off between the vulnerable window's length and the security overhead.

[0066] A virtual trusted platform module (vTPM) on the microhypervisor is leveraged to provide this attestation capability. A vTPM is a software implementation of a physical TPM and provides many of the same capabilities. Specifically, its ability to securely store a chain of measurements, by extending a program control register (PCR), and securely providing those stored values (i.e., a PCR quote) is used. These two capabilities enable determining if a software stack on a local or a remote machine matches a known configuration. These vTPM measurements can be applied at a fine granularity, with separate storage for multiple measurements.

[0067] Protecting the Controller's Security Policy: While attestation can provide significant guarantees about a code's integrity, there are some pieces of code that merit further protection (e.g., code impacting decisions about the protections provided by the security gateway). The microhypervisor approach enables selectively isolating this code (Pswl) and requiring that access to it be mediated by a trusted entity (Pswl). Examples of such pieces of code are the secret keys used to establish a secure control channel between the planes and the security policy on the controller.

[0068] As a concrete example, consider the controller's security policy. The security policy is critical to ensuring the correct protections are implemented (e.g., modifying it could result in the gateway's middleboxes not protecting the loT devices). This code can be extracted from the controller and placed into memory isolated by the microhypervisor (providing Pswl). Further, access to this memory is mediated by the code white-list of the microhypervisor (providing Pswl), to ensure that only the controller's code can access the security policy.

[0069] This combination prohibits an attacker in control of the operating system from accessing and modifying microhypervisor-protected pieces of code, without requiring significant changes to existing code. [0070] Secure and Efficient Communication

[0071] The security architecture requires trust guarantees on both the control channel (between controller and gateway, Pcoml) and the data channel (along the gateway's packet processing path, Pcom2). The microhypervisor is used to provide isolation and mediation to secure these communication channels.

[0072] Secure Control Channel: It is crucial that communication between the control plane and the data plane can be trusted as these messages often impact the security protections provided by the gateway. The architecture bolsters the guarantees provided by traditional tunneling (e.g., IPsec/TLS) between the controller and the gateway to ensure a compromised controller or gateway cannot send spoofed messages over the tunnel (e.g., malicious middlebox configuration commands). To protect these communications (Pcomml), a trusted agent pair running in the microhypervisor is used to mediate these communications (e.g., access the secret keys required to send data over this channel). There is an agent on the controller and a corresponding agent on the gateway, which together are responsible for mediating access to the secure channel.

[0073] Secure Data Channel: On the data plane, the security protections are dependent upon each packet being processed by the correct middlebox. The architecture provides perhop guarantees with a low performance overhead. Specifically, the goal is to guarantee that packets follow the correct path and are processed by the correct sequence of middleboxes on the data plane (Pcom2). While traditional tunnels could be established between each middlebox and the vSwitch, this would result in significant overhead and processing delays. To protect the data channel, the microhypervisor is used to enforce the correct path (i.e., middlebox chain) for each packet. This is achieved by having the microhypervisor sign and verify each packet along its processing path and dropping packets that fail verification. This approach differs from prior per-hop authentication proposals as packets remain on a single host where a hypervisor can maintain secret keys.

[0074] These digital signatures create a connection between the raw packet data and the middlebox processing the packet, by the secret key (protected by the microhypervisor) shared between the vSwitch and each middlebox. Furthermore, the digital signatures can be trusted, as the secret keys are kept in isolated memory only accessible by the microhypervisor's mediation, stopping an attacker from forging signed packets.

[0075] Model Evaluation

[0076] The Alloy model disclosed above was updated to reflect the trusted architecture and analyze its performance. The architecture's model was probed for instances that would allow an attacker to violate the trust property and output a malicious packet (i.e., one containing an exploit).

[0077] The Alloy Analyzer was unable to identify a counter example resulting in the architecture output a packet processed by an incorrect middlebox. The Analyzer employs bounded model checking (BMC), where models are evaluated up to a bound, N, of each sig in the model. The model was evaluated with up to a bound of 100 (i.e., 100 instances of each sig) and the resources required indicate that the analysis could be performed on a personal computer. [0078] Additionally, constraints related to the security sub-properties were systematically removed (e.g., middlebox software does not need to be correct) and it was verified that each resulted in a counter example where the overarching security property was violated. This analysis provided confidence in the security properties in the architecture's design.

[0079] The Alloy model aided in identifying nuances and informed the refining of the design.

The model highlighted the need to prohibit packets from completely skipping a middlebox. For example, if a middlebox signs input and output packets with the same key, it allows a packet to bypass the middlebox without being detected. Similarly, the Alloy model highlighted software components that needed either to be trusted or to be regularly attested to trust the architecture's operation. Beyond just the middlebox processing the packet, both the virtual switch and the controller software need to be trusted to ensure correct operation.

[0080] Implementation

[0081] An exemplary embodiment will now be disclosed. In one embodiment, the uberXMHF open source microhypervisor that supports both x86 and ARM platforms is used. A Raspberry Pi 3 hardware platform can be used to execute the uberXMHF microhypervisor, the Raspbian Jessie (Linux 4.4.y) and Open Virtual Switch and Snort on the gateway.

[0082] A high-level overview of the software stack of the implementation is shown in FIG. 3 where the hypervisor extension 302 is depicted as the rectangle labelled "Packet Signing". Ovals 304, 306 represent hypercalls to the hypervisor extension 302, added to the commodity software to perform a hypervisor protected operation (e.g., creating/verifying a digital signature for a packet). These elements of the architecture implementation are exemplary only and, as would be realized, implementation using other elements are contemplated to be within the scope of the invention.

[0083] Virtual Trusted Platform Module (vTPM): The architecture leverages a hypervisor- enabled vTPM to provide periodic, remote attestation. A key motivation in the development of Trusted Platform Modules (TPM) was to provide the ability to remotely attest the health of a system's boot sequence. A subset of the features provided by the TPM standard are leveraged to provide trust properties, specifically PCR extend and PCR quote. In addition to a vTPM not requiring additional hardware, it provides two key benefits over a physical TPM, increased storage and increased performance. The measurement storage (i.e., PCRs) on a vTPM is based upon the platform's memory region protected by the microhypervisor, allowing for a large number of separate measurements (e.g., >200 PCRs on a single 4 KB page). Furthermore, these measurements are not limited by the data rate of a system bus (e.g., SPI on a Raspberry Pi 3), reducing access latency by over 20x. A challenge for software-based TPMs is preserving secrets across reboots. The vTPM leverages existing platform non-volatile memory to preserve secrets across boots (e.g., the Raspberry Pi 3 has a boot NVRAM that can act as a long-term secure storage).

[0084] In one embodiment, the architecture may be implemented as a trustworthy "security- as-a-service" offering that providers (e.g., edge ISPs, CDNs, loT providers) could offer to loT consumers, ensuring the correct security protections are applied at all times. For instance, the architecture provides a trusted mechanism for enforcing loT security best practices (e.g., access-control policies in a device's manufacturer usage description specification).

[0085] As would be realized by one of skill in the art, the disclosed systems and methods described herein can be implemented by a system comprising a processor and memory, storing software that, when executed by the processor, performs the functions comprising the method. For example, the training, testing and deployment of the model can be implemented by software executing on a processor.

[0086] As would further be realized by one of skill in the art, many variations on implementations discussed herein which fall within the scope of the invention are possible. Specifically, many variations of the architecture of the model could be used to obtain similar results. The invention is not meant to be limited to the particular exemplary model disclosed herein. Moreover, it is to be understood that the features of the various embodiments described herein were not mutually exclusive and can exist in various combinations and permutations, even if such combinations or permutations were not made express herein, without departing from the spirit and scope of the invention. Accordingly, the method and apparatus disclosed herein are not to be taken as limitations on the invention but as an illustration thereof. The scope of the invention is defined by the claims which follow.