privacy-preserving en-route filtering of OSCORE-NG traffic

kkrentz/filtering-proxy

 
 

This repository contains the two central components of our TEE-assisted remote denial-of-sleep defense, namely the Filtering host app and TEE. Other components are scattered across these repositories:

We also use tinyalloc (© 2016 - 2017 Karsten Schmidt - Apache Software License 2.0).

Please find our paper here.

Getting Started

Installing Dependencies

sudo apt install autoconf \
  automake \
  build-essential \
  curl \
  doxygen \
  git \
  libtool \
  makeself \
  net-tools \
  openjdk-21-jdk \
  pip \
  pkg-config \
  rlwrap \
  srecord \
  wireshark
pip install pyserial

Install the ARM compiler. Download and extract Gradle, too.

Cloning Repositories

Switch to the directory where you would like to store the repositories.

git clone https://github.com/kkrentz/contiki-ng.git
pushd contiki-ng
git submodule update --init --recursive
popd
git clone https://github.com/kkrentz/filtering-keystone.git
pushd filtering-keystone
git submodule update --init --recursive
popd
git clone https://github.com/kkrentz/filtering-proxy.git
pushd filtering-proxy
git submodule update --init --recursive
popd
git clone https://github.com/kkrentz/libcoap-minimal.git

Setting up Environment Variables

Add this to ~/.bashrc:

export CNG_PATH=<path to contiki-ng>
export KEYSTONE_PATH=<path to filtering-keystone>
export FILTERING_PROXY_PATH=<path to filtering-proxy>
export LD_LIBRARY_PATH=/usr/local/lib
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
PATH=/opt/gradle-8.3/bin:$PATH

CNG_PATH and KEYSTONE_PATH are only used within the bash snippets of this README.

Building Keystone

For an introduction to Keystone's build system, see here.

cd $KEYSTONE_PATH && make

To inspect build errors, run less build-generic64/build.log. Cleaning a package sometimes already helps, e.g., make BUILDROOT_TARGET=filtering-proxy-dirclean.

Building libcoap

cd $CNG_PATH/os/net/app-layer/libcoap/ \
  && ./autogen.sh \
  && ./configure \
    --disable-documentation \
    --disable-dtls \
    --with-epoll \
    --disable-examples \
    --disable-examples-source \
    --disable-tcp \
    --disable-oscore \
    --enable-oscore-ng \
    --disable-q-block \
  && make -j$(nproc) \
  && sudo make install

When installing libcoap with a custom prefix (./configure --prefix=foo), LD_LIBRARY_PATH and PKG_CONFIG_PATH have to be adapted accordingly.

Running the Middlebox in QEMU

cd $KEYSTONE_PATH \
  && pushd build-generic64 \
  && rm -rf overlay/root/.ssh \
  && mkdir -p overlay/etc/network \
  && cp $FILTERING_PROXY_PATH/overlay/interfaces overlay/etc/network/ \
  && popd \
  && make \
  && sudo make run

Log in as root with password sifive.

Once logged in, run:

./run.sh

Note: You can stop QEMU using CTRL+A,X

To establish a network connection with QEMU:

cd $FILTERING_PROXY_PATH && ./connect.sh

Running Filtering Clients in Cooja

Start Cooja:

cd $CNG_PATH/tools/cooja \
  && gradle run --args='../../examples/filtering/basic.csc'

Open a terminal and run:

cd $CNG_PATH/examples/filtering/aggregator/ \
  && make TARGET=openmote BOARD=openmote-cc2538 BOARD_REVISION=REV_A1 savetarget \
  && make connect-router-cooja

To check if networking works, ping the border router and the IoT device like so:

ping6 fd00::ff:fe00:1
ping6 fd00::ff:fe00:2

Running an OSCORE-NG Client

cd <path to libcoap-minimal>
make -j$(nproc)
./client

Running Filtering Clients on OpenMotes

  • As for flashing OpenMotes, see here.

Note: client.cc and smor-l3.c contain hardcoded addresses. These need to be adapted to the real hardware.
