TPM-Based Continuous Remote Attestation and Integrity Verification for 5G VNFs on Kubernetes
- URL: http://arxiv.org/abs/2510.03219v1
- Date: Fri, 03 Oct 2025 17:54:15 GMT
- Title: TPM-Based Continuous Remote Attestation and Integrity Verification for 5G VNFs on Kubernetes
- Authors: Al Nahian Bin Emran, Rajendra Upadhyay, Rajendra Paudyal, Lisa Donnan, Duminda Wijesekera
- Abstract summary: We present a TPM 2.0-based continuous remote attestation solution for core 5G components deployed on Kubernetes. We integrate the open-source Keylime framework with a custom IMA template that isolates pod-level measurements, allowing per-pod integrity verification. The experimental results show that the system detects unauthorized modifications in real time, labels each pod's trust state, and generates detailed audit logs.
- Score: 0.8427427828815586
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: In the rapidly evolving landscape of 5G technology, the adoption of cloud-based infrastructure for the deployment of 5G services has become increasingly common. Using a service-based architecture, critical 5G components, such as the Access and Mobility Management Function (AMF), Session Management Function (SMF), and User Plane Function (UPF), now run as containerized pods on Kubernetes clusters. Although this approach improves scalability, flexibility, and resilience, it also introduces new security challenges, particularly in ensuring the integrity and trustworthiness of these components. Current 5G security specifications (for example, 3GPP TS 33.501) focus on communication security and assume that network functions remain trustworthy after authentication, and consequently lack mechanisms to continuously validate the integrity of VNFs at runtime. To close this gap, and to align with the Zero Trust principle of 'never trust, always verify', we present a TPM 2.0-based continuous remote attestation solution for core 5G components deployed on Kubernetes. Our approach uses the Linux Integrity Measurement Architecture (IMA) and a Trusted Platform Module (TPM) to provide hardware-based runtime validation. We integrate the open-source Keylime framework with a custom IMA template that isolates pod-level measurements, allowing per-pod integrity verification. A prototype on a k3s cluster (consisting of 1 master and 2 worker nodes) was implemented to attest core functions, including the AMF, SMF and UPF. The experimental results show that the system detects unauthorized modifications in real time, labels each pod's trust state, and generates detailed audit logs. This work provides hardware-based continuous attestation for cloud-native and edge deployments, strengthening the resilience of 5G as critical infrastructure in multi-vendor and mission-critical scenarios.
Related papers
- Post-Quantum Identity-Based TLS for 5G Service-Based Architecture and Cloud-Native Infrastructure [0.5735035463793009] (arXiv, 2026-02-04T05:55:41Z)
  We present a certificate-free authentication framework for private distributed systems based on post-quantum Identity-Based Encryption (IBE). Our design replaces certificate- and signature-based authentication with identity-derived keys and identity-based key encapsulation, enabling mutually authenticated TLS connections without certificate transmission or validation. We apply this framework to cloud-native application deployments and latency-sensitive 5G Core networks.
- Cross-Service Token: Finding Attacks in 5G Core Networks [58.86003502940164] (arXiv, 2025-09-10T20:40:33Z)
  We present FivGeeFuzz, a grammar-based fuzzing framework designed to uncover security flaws in 5G core SBIs. Using FivGeeFuzz, we discovered 8 previously unknown vulnerabilities in free5GC, leading to runtime crashes, improper error handling, and unauthorized access to resources.
- Reinforcing Secure Live Migration through Verifiable State Management [1.6204399921642334] (arXiv, 2025-09-05T14:41:48Z)
  We present TALOS, a lightweight framework for verifiable state management and trustworthy application migration. TALOS integrates memory introspection and control-flow graph extraction, enabling robust verification of state continuity and execution flow, thereby achieving strong security guarantees while maintaining efficiency, which makes it suitable for decentralized settings.
- AlDBaran: Towards Blazingly Fast State Commitments for Blockchains [52.39305978984572] (arXiv, 2025-08-14T09:52:15Z)
  AlDBaran is an authenticated data structure capable of handling state updates efficiently at a network throughput of 50 Gbps. AlDBaran provides support for historical state proofs, which facilitates a wide array of novel applications. On consumer-level portable hardware, it achieves approximately 8 million updates/s in an in-memory setting and 5 million updates/s with snapshots at sub-second intervals.
- Zero-Trust Foundation Models: A New Paradigm for Secure and Collaborative Artificial Intelligence for Internet of Things [61.43014629640404] (arXiv, 2025-05-26T06:44:31Z)
  Zero-Trust Foundation Models (ZTFMs) embed zero-trust security principles into the lifecycle of foundation models (FMs) for Internet of Things (IoT) systems. ZTFMs can enable secure, privacy-preserving AI across distributed, heterogeneous, and potentially adversarial IoT environments.
- Secure IVSHMEM: End-to-End Shared-Memory Protocol with Hypervisor-CA Handshake and In-Kernel Access Control [6.340823095250312] (arXiv, 2025-05-25T07:02:41Z)
  This paper presents Secure IVSHMEM, a protocol that provides end-to-end mutual authentication and fine-grained access enforcement with negligible performance cost. In microbenchmarks, Secure IVSHMEM completes its one-time handshake in under 200 ms and sustains data-plane round-trip latencies within 5% of the unmodified baseline. We believe this design is ideally suited for safety- and latency-critical in-host domains, such as automotive systems, where both performance and security are paramount.
- Standing Firm in 5G: A Single-Round, Dropout-Resilient Secure Aggregation for Federated Learning [19.014890294716043] (arXiv, 2025-05-11T23:37:07Z)
  Federated learning (FL) is well-suited to 5G networks, where many mobile devices generate sensitive edge data. Secure aggregation protocols enhance privacy in FL by ensuring that individual user updates reveal no information about the underlying client data. We propose a lightweight, single-round secure aggregation protocol designed for 5G environments.
- Establishing Trust in the Beyond-5G Core Network using Trusted Execution Environments [4.235733335401408] (arXiv, 2024-05-20T17:02:18Z)
  We review the security implications introduced in B5G networks, and the security mechanisms that are supported by the 5G standard. We propose a vertical extension of Zero Trust, namely Zero Trust Execution, to model untrusted execution environments. We provide an analysis of how to establish trust in Beyond-5G network architectures using Trusted Execution Environments.
- Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers [3.423623217014682] (arXiv, 2024-05-16T14:29:28Z)
  This paper presents an architecture that enrolls edge devices as trusted worker nodes. A new custom controller directs a modified version of Keylime to cross the cloud-edge gap. We provide both a qualitative and a quantitative evaluation of the architecture.
- Penetration Testing of 5G Core Network Web Technologies [53.89039878885825] (arXiv, 2024-03-04T09:27:11Z)
  We present the first security assessment of the 5G core from a web security perspective. We use the STRIDE threat modeling approach to define a complete list of possible threat vectors and associated attacks. Our analysis shows that all these cores are vulnerable to at least two of our identified attack vectors.
- HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496] (arXiv, 2024-01-17T00:56:23Z)
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs). TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language embedded in Haskell that enables programming TEEs in a high-level language with strong type safety.
- Putting a Padlock on Lambda -- Integrating vTPMs into AWS Firecracker [49.1574468325115] (arXiv, 2023-10-05T13:13:55Z)
  Software services place implicit trust in the cloud provider, without an explicit trust relationship. There is currently no cloud provider that exposes Trusted Platform Module capabilities. We improve trust by integrating a virtual TPM device into Firecracker, originally developed by Amazon Web Services.
This list is automatically generated from the titles and abstracts of the papers in this site.