Secure VPN

Prove & Run’s Secure VPN Solution is a set of software components designed to enable an embedded device to connect to a peer (another embedded device or a server) over a VPN connection. It is pre-integrated with a number of SoCs and boards and is available directly from Prove & Run.

The need for Virtual Private Networks

Applications running on connected embedded devices need to communicate securely with remote peers (other embedded devices, gateways or servers): they must be assured that their communications cannot be listened to or modified on the way. Even on “private” networks it is never clear exactly who could be listening.

More precisely, applications and remote peers must be able to:

  • Authenticate each other, so that each side knows for sure who is on the other end of the line,
  • Authenticate the messages they exchange, so that the messages cannot be modified on the way without detection,
  • Encrypt the messages they exchange, so that the content of the messages is not disclosed to any potential listener.

However, providing this level of security is hard in practice, as it requires experience with cryptography and protocol design. Off-the-shelf solutions exist but are not without issues. For example, SSL:

  • Requires applications to embed a large and complex library,
  • Requires applications to be modified to make use of this feature,
  • Requires the developer of each application to understand how to use this library securely.

Virtual Private Network (VPN) implementations offer a solution to these issues:

  • Supported at the OS level, so applications don’t have to be modified,
  • Simpler configuration, performed once for the whole device,
  • Still flexible as it can apply to some or all of the communications going in and out of a device.

Limitations of Traditional VPN Implementations

Nevertheless, the confidentiality and authenticity of messages exchanged across a VPN can only be trusted if the VPN agents running on each device are protected from attacks:

  • If an attacker can use a local application to remotely inject a new certificate into the certificate store of the VPN agent, the attacker can perform a Man-in-the-Middle attack.
  • If an attacker can use a local application to remotely read the private certificate store of the VPN agent, the certificates can be leaked, enabling the attacker to impersonate this device or to perform a Man-in-the-Middle attack.
  • If an attacker can use a local application to remotely erase the certificate store of the VPN agent, the device can no longer authenticate remote peers or be authenticated by them, leading to availability issues.

If an attacker can perform a successful privilege escalation attack or, more generally, corrupt the OS kernel, they can easily perform any of the attacks above and much more.

The Secure VPN Solution

Prove & Run’s Secure VPN Solution offers a pre-integrated solution to these concerns, focused on one crucial goal: Protecting communications between applications and remote servers. The Secure VPN Solution:

  • Comes pre-integrated with specific SoCs and boards,
  • Requires no modifications to the OS of a device,
  • Fits the requirements and architecture of most deployments,
  • Is cheaper than building your own: Requirements for the core part are similar across markets so there is little value in building a specific VPN implementation for each new device,
  • Is backed by Prove & Run’s years of expertise in the area of security architectures for embedded devices,
  • Includes a top quality Secure Boot implementation based on available hardware security features to offer a consistent and high quality root of trust.

Architecture

[Figure: Secure VPN architecture]

The Secure VPN Solution is composed of two software bricks: the Secure VPN Proxy and the Secure VPN Agent.

Secure VPN Proxy

  • Functional role: Transmit IP packets back and forth between the OS and the Secure VPN Agent
  • Security role: None
  • Executes: As a driver of the OS
  • Provided as: A Linux reference implementation with C source code for ease of adaptation to specific operating systems

Secure VPN Agent

  • Functional role: Transmit IP packets back and forth between the Secure VPN Proxy and a remote peer
  • Security role: Protect the confidentiality and authenticity of the IP packets it transmits over the VPN
  • Executes: On its own in a secure processing area managed by TrustZone®, protected by a Secure Boot anchored using available hardware features
  • Provided as: A binary pre-integrated with specific SoCs and boards

Security Rationale

Classic VPN clients cannot be fully trusted because they run in the same address space as the OS (Android, Linux, etc.), where they are vulnerable to the huge number of local and remote attacks that affect traditional operating systems. This also means that compromised devices cannot be recovered or controlled remotely.

The Secure VPN Solution is secure because:

  • Thanks to TrustZone, the Secure VPN Agent executes in a secure area, protected from attacks from applications running on the OS.
  • Thanks to TrustZone, the Secure VPN Agent relies on certificates whose authenticity and confidentiality are protected from any attacks coming from the OS.
  • The kernel of the Secure VPN Agent is formally proven for higher security.
  • The Secure VPN Solution’s implementation benefits from Prove & Run’s years of expertise developing security applications for embedded systems.
  • The authenticity of the Secure VPN Agent is protected by a Secure Boot mechanism anchored in the hardware security features of the board.


Deploying the Secure VPN Solution

Integrating the Secure VPN Solution with a device

The Secure VPN Solution is available as pre-integrated Packages targeted at specific boards. In order to deploy the solution, one needs to:

  • Obtain the pre-integrated Secure VPN Package for your board from Prove & Run,
  • Integrate the Secure VPN Proxy with your operating system,
  • Create the Secure VPN Image using the provided scripts and the configuration for the Secure VPN Agent,
  • Configure the Secure Boot process using Prove & Run’s documentation,
  • Load the Secure VPN Image along with the other images.

Compatibility

The Secure VPN Solution requires an ARM® Cortex®-A processor as well as a protected TrustZone®-accessible memory area to store certificates. To obtain a list of compatible boards, please contact Prove & Run at sales@provenrun.com.

Content of a Secure VPN Package

  • Binary code of the Secure VPN Agent
  • Source and binary code of the reference implementation of the Secure VPN Proxy
  • Scripts to create the Secure VPN Image
  • Integration and deployment documentation

Licensing

To obtain a license for the Secure VPN Solution, please contact Prove & Run at sales@provenrun.com.
