We introduce WireTrust, a VPN architecture for ARMv8-A devices that leverages ARM TrustZone to mitigate OS-level vulnerabilities. Unlike commodity VPNs, WireTrust does not rely on the security of the OS, its network stack, or its routing tables to provide a secure VPN full tunnel. WireTrust operates transparently to applications on the device and enforces that all IP traffic is routed exclusively through the VPN tunnel, blocking attempts to bypass it even if the OS has been compromised. WireTrust ensures that packets outside the tunnel are discarded before they reach the OS, significantly reducing the attack surface the device exposes to the public internet. Extending the WireGuard VPN, we implement a proof of concept on real hardware, show that WireTrust's additions to the trusted computing base account for 6.61%, and measure a performance penalty of 2.12% - 5.50% on TCP throughput and 1.40% on latency compared to stock WireGuard.
| Title | WireTrust: A TrustZone-Based Non-Bypassable VPN Tunnel |
|---|---|
| Venue | The 30th Nordic Conference on Secure IT Systems (NordSec 2025) |
| Publisher | Springer Nature, Lecture Notes in Computer Science (LNCS) |
| Volume | 2025 |
| Authors | Jonas Röckl, Julian Funk, Prof. Dr. Tilo Müller |
| Pages | 1-20 |
| Publication date | 12.11.2025 |
| Citation | Röckl, Jonas; Funk, Julian; Müller, Tilo (2025): WireTrust: A TrustZone-Based Non-Bypassable VPN Tunnel. The 30th Nordic Conference on Secure IT Systems (NordSec 2025) 2025, 1-20. |