Skip to main content
University of Oxford Department of Computer Science
  Contact Us     Search  
  1. Home
  2. Research
  3. Security
  4. Projects
  5. Secure Networking by Design (SNbD)

Secure Networking by Design (SNbD)

1st June 2022 to 31st December 2024

According to a recent industry report, routers account for over 75% of infected devices. An infected router is more dangerous than infected IOT devices, phones or PCs. A router is both an intermediary for almost all networking traffic and a line of defence from external attack (firewall); a compromised router therefore has the potential to both open the floodgates to new attacks and act as a jump off point for secondary attacks. Because the router essentially controls the network, it has insidious ability to mount man-in-the-middle attacks on entire portfolios of devices. 

A review of disclosed vulnerabilities shows that the list of current and historical memory related vulnerabilities in routing components is enormous, and inevitably the most dangerous vulnerability is the one not yet publicly disclosed.  

The Secure Networking by Design (SNbD) project directly addressed this threat. Building on recent advances in router security (from our previous Innovate UK project ManySecured), and working with project partners we have been exploring the application of CHERI/Morello in this context.  The project has demonstrated the straightforwardness of hardening commodity router software by porting to the Morello platform, and the consequent elimination of a significant whole class of vulnerabilities. 

Whilst this is a useful demonstration, it raises many questions about the practicality of such a step for a product manager, and the extent of the real benefits which can be realised.  We have published work on the process and drivers of such decisions, and are undertaking empirical work to quantify the benefits of this approach more accurately. 

SNbD is a collaboration between NquiringMinds, the University of Oxford and TechWorks (IoTSF), organisations which both individually and collectively have an exemplary track record of delivering positive security impact at scale. 

Reference: 

George Chalhoub and Andrew Martin. 2023. But is it exploitable? Exploring how Router Vendors Manage and Patch Security Vulnerabilities in Consumer-Grade Routers.
In Proceedings of the 2023 European Symposium on Usable Security (EuroUSEC '23). Association for Computing Machinery, New York, NY, USA, 277–295. 
https://dl.acm.org/doi/10.1145/3617072.3617110

NquiringMinds: https://nquiringminds.com/ 
TechWorks: https://www.techworks.org.uk/
IotSF: https://iotsecurityfoundation.org/

Principal Investigator

Andrew Martin

Share this:

Sponsors

See also

Back to Top