Universally Composable Firewall Architectures Using Trusted Hardware

Abstract

Network firewalls are a standard security measure in computer networks that connect to the Internet. Often, ready-to-use firewall appliances are trusted to protect the network from malicious Internet traffic. However, because of their black-box nature, no one can be sure of their exact functionality.

We address the possibility of actively compromised firewalls. That is, we consider the possibility that a network firewall might collaborate with an outside adversary to attack the network. To alleviate this threat, we suggest composing multiple firewalls from different suppliers to obtain a secure firewall architecture. We rigorously treat the composition of potentially malicious network firewalls in a formal model based on the Universal Composability framework. Our security assumption is trusted hardware.

We show that a serial concatenation of firewalls is insecure even when trusted hardware ensures that no new packages are generated by the compromised firewall. Further, we show that the parallel composition of two firewalls is only secure when the order of packets is not considered. We prove that the parallel composition of three firewalls is insecure, unless a modified trusted hardware is used.

Appendices

A Serial Composition of Two Firewalls

We prove the previously stated Theorem 1 here. First, we provide the protocol of the serial architecture and define the ideal network function (Fig. 11).

Definition 9

(The protocol of the serial firewall architecture \(\pi _{\mathsf {serial}}\) ) . The protocol the parties are following is defined as follows:

• \(\mathrm {split}\): Upon receiving \((\mathsf {input},p)\): Call \(\mathcal {F}_{\mathsf {serial}}(\mathsf {send},\mathrm {out_{fw}},\mathrm {out_{hw}},p)\).

• \(\mathrm {fw}_k\): Upon receiving \((\mathrm {in},p)\): Calculate \(F_{fw_k}(p,\mathrm {in},s)=(p',i',s')\). If \(p'\ne \bot \) and \(i'\ne \bot \), call \(\mathcal {F}_{\mathsf {serial}}(\mathsf {send},i',p')\). Save the new internal state \(s'\).

• \(\mathrm {hw}\): Check whether there are two entries \((p,\mathrm {in})\) and \((q,\mathrm {in_{cmp}})\) in the local storage (with \(p\equiv q\)). If so, write p to the output tape and delete the entries.

We now show that the serial concatenation of firewalls is not secure, even with a trusted comparator. To prove the statement, it suffices to show that there exists an attack which can not be simulated. We describe such an attack. The general idea is that if \(\mathrm {fw_2}\) is corrupted, it could output a malicious packet just at the same time this packet arrives at \(\mathrm {split}\) (sent by the environment). This would force \(\mathrm {hw}\) to output the packet, even though it was blocked by \(\mathrm {fw_1}\).

Theorem 1

\(\pi _{\mathsf {serial}}\) does not UC realise \(\mathcal {F}_{\mathsf {ideal}}\) in the \(\mathcal {F}_{\mathsf {serial}}\)-hybrid model.

Proof

Let \(\mathrm {fw}_2\) be corrupted and \(\mathrm {fw}_1\) be honest. Let p be a packet that is blocked by \(\mathrm {fw}_1\). The environment inputs p to \(\mathrm {split}\). This will cause \((p,\mathrm {in_{cmp}})\) to be send to \(\mathrm {hw}\) from \(\mathrm {split}\). In its next activation the adversary uses \(\mathrm {fw_2}\) to call \(\mathcal {F}_{\mathsf {serial}}(\mathsf {send},\mathrm {out},p)\) and advises the ideal functionality to deliver \((p,\mathrm {in})\) to \(\mathrm {hw}\). \(\mathrm {hw}\) will now have two identical packets on different interfaces (one from \(\mathrm {split}\) and one from \(\mathrm {fw_2}\)) in its storage and output p, even though p has been blocked by \(\mathrm {fw_1}\).

There is no simulator which can simulate this attack, since \(\mathrm {fw_1}\) will block the packet in the ideal model and the output of \(\mathrm {fw_2}\) will not be considered.    \(\square \)

B Parallel Composition of Three Firewalls

Theorem 5

\(\pi _{\mathsf {parallel}_4}\) UC realises \(\mathcal {F}_{\mathsf {ideal}_4}\) in the \(\mathcal {F}_{\mathsf {parallel}_3}\)-hybrid model.

Proof

The proof is similar to the proof of Theorem 3. We argue that the simulator behaves identically to the adversary and that the output of the ideal network is identical to the output of the real network. Let \(\mathcal {S}\) be a simulator with the following functionality:

• Upon activation, or when given a packet p, simulate the real model and observe its output. If the output of the real model is a packet p’, calculate (for the ideal functionality) the index of the memory structure in which p’ is saved as well as its position within the memory. Advise the functionality to deliver the packet on that index. (The case that p’ is not found in the internal memory structure of the ideal functionality need not be covered, as is proven below.)

The argument that \(\mathcal {S}\) will never mistakenly suppress a packet in the ideal model is identical to Case 1 in the proof of Theorem 3. We need to argue Case 2: It is impossible that \(\mathcal {S}\) is unable to schedule a packet it observes in the output of its internal simulation of the real network. Let p be such a packet that, after the input stream S is processed, is written to the output tape of hw in the real model but not to the internal memory structure of \({{\mathcal {F}}_{\mathsf {ideal}_4}}\).

Let \(m_{A}\), \(m_1\) and \(m_2\) be the lists the trusted hardware uses in the protocol for storing the packets output by the firewalls and marking the “negative” packets. Let \(m_\mathrm{hw}\) be the list of all packets it has ever output. Let \(m'_1\), \(m'_2\), \(m'_{\mathrm{out}}\) be the lists the ideal functionality uses for keeping track of the packets. Let \(|\!|m|\!|_p\) denote the number of packets p the list m contains. We then define \(|m|_p := |\!|m|\!|_p - |\!|m|\!|_{-p}\).

First, observe that \(\mathcal {S}\) only schedules packets it observes in its simulation of the real model. Hence, by the description of \(\mathrm{hw}\): \(|m_1|_p = |m'_1|_p - |m_\mathrm {hw}|_p\) and \(|m_2|_p = |m'_2|_p - |m_\mathrm {hw}|_p\). Via the argument from Case 1 (\(\forall p: |m'_{out}|_p \le |m_\mathrm {hw}|_p\)) we have:

$$\begin{aligned}&|m_1|_p \le |m'_1|_p - |m'_{out}|_p\end{aligned}$$

(1)

$$\begin{aligned}&|m_2|_p \le |m'_2|_p - |m'_{out}|_p \end{aligned}$$

(2)

For p to be output in the real model, one of the following conditions has to hold:

$$\begin{aligned}&|m_A|_{p} > 0 \text { and } |m_1|_p > 0 \end{aligned}$$

(3)

$$\begin{aligned}&|m_A|_p > 0 \text { and } |m_2|_p >0 \end{aligned}$$

(4)

$$\begin{aligned}&|m_1|_p > 0 \text { and } |m_2|_p >0 \end{aligned}$$

(5)

This is true because the trusted hardware will only forward packets which are in at least two of the packet lists. The functionality of hw can be restated in the following way: For every packet p which is output, insert a packet \(-p\) into the lists of the three firewalls. If there are two packets p and \(-p\) in the same list, both cancel each other out.

For p not to be written to the internal memory structure of \({{\mathcal {F}}}_{{\mathsf {ideal}}_4}\) in the ideal model, the following condition has to hold:

$$\begin{aligned}&|m'_{out}|_p \ge |m'_1|_p \text { and } |m'_{out}|_p \ge |m'_2|_p \end{aligned}$$

(6)

$$\begin{aligned} \Leftrightarrow \;&|m'_1|_p - |m'_{out}|_p \le 0 \text { and } |m'_2|_p - |m'_{out}|_p \le 0 \end{aligned}$$

(7)

This again describes the difference between the amount of packages p each individual firewall has output and the amount of packages p which got output in total after processing S.

Concluding the argument, conditions (1) to (5) give us \(|m'_1|_p - |m'_{out}|_p > 0\) and \(|m'_2|_p - |m'_{out}|_p > 0\), which contradict condition (7).    \(\square \)