
Please refer to the README for building the code and running the tests.

This repository implements security whitelistings at the level of individual network packets, targeted at edge applications. The whitelistings are enforced by a Trusted Execution Environment (TEE); we use Intel SGX as the TEE.


Currently whitelisted protocols:

PROFINET DCP: Restricted to a read-only subset of DCP. Allows discovering PROFINET devices. Prevents assignment of IP addresses or device names.

SNMP: Restricted to a read-only subset of SNMP. Allows retrieving variable bindings such as firmware versions. Prevents modifications via SNMP.

S7COMM+: We allow some protocol subsets that are required for an S7 1200/1500 firmware update, e.g. start/stop CPU, write UDP file to CPU via OMS+.

TCP/IP/ARP: We allow TCP streams that are directly generated by the TEE. We allow TCP port 80 (HTTP) for accessing web interfaces of devices. We enforce the correct host IP to prevent IP spoofing and ARP spoofing. Everything else is blocked by default.


Technical details

We use a virtual Ethernet interface (a TAP interface) to intercept packets and forward them to the TEE for validation. We use an external MACsec gateway to enforce that only TEE-validated packets can be sent.
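The validation step the TEE performs on each intercepted frame can be illustrated with a small default-deny filter over the whitelist rules listed above: ARP and IP source addresses must match the host, TCP is allowed only to port 80, and SNMP passes only when the PDU is a read-only GetRequest/GetNextRequest. This is an added example written for this page, not code from the repository; the host address, the packet builders and the SNMP message are constructed here, and the TEE-generated TCP streams, PROFINET DCP and S7COMM+ rules are not modelled.

```python
import struct

HOST_IP = bytes([192, 0, 2, 10])  # constructed; the project keeps the real host address and rules inside the TEE
ETH_ARP, ETH_IP, PROTO_TCP, PROTO_UDP = 0x0806, 0x0800, 6, 17
SNMP_READONLY_PDUS = {0xA0, 0xA1}  # GetRequest, GetNextRequest (BER context tags); SetRequest is 0xA3

def snmp_pdu_tag(payload):
    """Return the PDU tag of an SNMPv1/v2c message (short-form BER lengths only)."""
    if len(payload) < 2 or payload[0] != 0x30:  # outer SEQUENCE
        return None
    i = 2
    for expected in (0x02, 0x04):  # INTEGER version, OCTET STRING community
        if i + 1 >= len(payload) or payload[i] != expected:
            return None
        i += 2 + payload[i + 1]
    return payload[i] if i < len(payload) else None

def check_frame(frame):
    """Apply the whitelist to one Ethernet frame; returns (allowed, reason). Default is block."""
    if len(frame) < 34:  # shorter than Ethernet + minimal IPv4 header
        return False, "runt frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:  # sender protocol address is at ARP offset 14, i.e. frame[28:32]
        if len(frame) < 42 or frame[28:32] != HOST_IP:
            return False, "ARP sender IP is not the host (ARP spoofing)"
        return True, "ARP from host"
    if ethertype != ETH_IP:
        return False, "ethertype not whitelisted"
    if frame[26:30] != HOST_IP:
        return False, "IP source is not the host (IP spoofing)"
    l4 = 14 + (frame[14] & 0x0F) * 4  # IHL is in 32-bit words
    if len(frame) < l4 + 8:
        return False, "truncated transport header"
    proto, dport = frame[23], struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    if proto == PROTO_TCP:
        return (True, "HTTP") if dport == 80 else (False, "TCP port %d not whitelisted" % dport)
    if proto == PROTO_UDP and dport == 161:
        if snmp_pdu_tag(frame[l4 + 8:]) in SNMP_READONLY_PDUS:
            return True, "SNMP read-only PDU"
        return False, "SNMP PDU not read-only (e.g. SetRequest)"
    return False, "protocol/port not whitelisted"

def build_frame(src_ip, proto, l4):
    """Construct a minimal Ethernet/IPv4 frame (checksums left zero; enough for the filter)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_ip, bytes([192, 0, 2, 20]))
    return b"\x02" * 12 + struct.pack("!H", ETH_IP) + ip + l4

def snmp_udp(pdu_tag):  # constructed UDP/161 segment with an SNMPv2c message and an empty PDU body
    msg = bytes([0x30, 0x0D, 0x02, 0x01, 0x01, 0x04, 0x06]) + b"public" + bytes([pdu_tag, 0x00])
    return struct.pack("!HHHH", 40000, 161, 8 + len(msg), 0) + msg
```

In the real deployment the verdict is produced inside the enclave and only frames it approved reach the MACsec gateway, so the filter's decision is what the gateway ultimately trusts.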