Zero Trust IoT library
Loading...
Searching...
No Matches
Functions | Variables
mitm-mitigation.cc File Reference

NS-3 simulation demonstrating Zero Trust principles using secure communication and policy enforcement. More...

#include "ns3/core-module.h"
#include "ns3/network-module.h"
#include "ns3/internet-module.h"
#include "ns3/point-to-point-module.h"
#include "ns3/applications-module.h"
#include "ns3/zt-certificate.h"
#include "ns3/zt-policy-engine.h"
#include "ns3/zt-encryption-utils.h"
#include "ns3/zt-logger.h"
#include "ns3/zt-tls-handshake.h"
Include dependency graph for mitm-mitigation.cc:

Go to the source code of this file.

Functions

void ReceiveAtGateway (Ptr< Socket > socket)
 Receives an encrypted packet at the gateway and performs decryption and validation.
 
void SendFromSensor (Ptr< Socket > socket, Address gatewayAddr, uint32_t nodeId)
 Simulates a sensor device sending an encrypted payload to the gateway after policy and handshake validation.
 
void AttackerSpoof (Ptr< Socket > socket, Address gatewayAddr)
 Simulates an attacker sending a spoofed plaintext message to the gateway without encryption.
 
int main (int argc, char *argv[])
 Main entry point for the simulation. Sets up network topology, installs security components, and executes events.
 

Variables

Ptr< ZtTlsHandshakehandshake
 TLS handshake manager for establishing secure sessions.
 
Ptr< ZtPolicyEnginepolicyEngine
 Policy engine for authorization based on identity and roles.
 
CertificateAuthority ca
 Certificate authority for signing identity certificates.
 
uint16_t port = 9000
 UDP communication port used by gateway.
 

Detailed Description

NS-3 simulation demonstrating Zero Trust principles using secure communication and policy enforcement.

Definition in file mitm-mitigation.cc.

Function Documentation

◆ AttackerSpoof()

void AttackerSpoof ( Ptr< Socket >  socket,
Address  gatewayAddr 
)

Simulates an attacker sending a spoofed plaintext message to the gateway without encryption.

Parameters
socketThe attacker's socket used to send the spoofed message.
gatewayAddrThe address of the gateway.

Definition at line 107 of file mitm-mitigation.cc.

108{
109 std::string fakeData = "temperature=99.9";
110 socket->Connect(InetSocketAddress(InetSocketAddress::ConvertFrom(gatewayAddr).GetIpv4(), port));
111 socket->Send(reinterpret_cast<const uint8_t *>(fakeData.c_str()), fakeData.size(), 0);
112
113 ZtLogger::Log("ATTACKER", "Sent spoofed plaintext");
114}
ZtLogger::Log
static void Log(const std::string &tag, const std::string &message)
Logs a general message with a specified tag.
Definition zt-logger.cc:25
port
uint16_t port
UDP communication port used by gateway.
Definition mitm-mitigation.cc:31
Here is the call graph for this function:
Here is the caller graph for this function:

◆ main()

int main ( int  argc,
char *  argv[] 
)

Main entry point for the simulation. Sets up network topology, installs security components, and executes events.

Topology: Sensor <-> Gateway <-> Attacker
Demonstrates: Certificate signing, Zero Trust policy enforcement, secure TLS handshake, encrypted communication, and spoofing attempt.

Definition at line 122 of file mitm-mitigation.cc.

123{
124 NodeContainer nodes;
125 nodes.Create(3);
126 Names::Add("sensor", nodes.Get(0));
127 Names::Add("gateway", nodes.Get(1));
128 Names::Add("attacker", nodes.Get(2));
129
130 InternetStackHelper stack;
131 stack.Install(nodes);
132
133 PointToPointHelper p2p;
134 p2p.SetDeviceAttribute("DataRate", StringValue("5Mbps"));
135 p2p.SetChannelAttribute("Delay", StringValue("2ms"));
136 p2p.Install(nodes.Get(0), nodes.Get(1));
137 p2p.Install(nodes.Get(2), nodes.Get(1));
138
139 Ipv4AddressHelper ip;
140 ip.SetBase("10.1.1.0", "255.255.255.0");
141 Ipv4InterfaceContainer interfaces1 = ip.Assign(p2p.Install(nodes.Get(0), nodes.Get(1)));
142
143 ip.SetBase("10.1.2.0", "255.255.255.0");
144 Ipv4InterfaceContainer interfaces2 = ip.Assign(p2p.Install(nodes.Get(2), nodes.Get(1)));
145
146 Ipv4GlobalRoutingHelper::PopulateRoutingTables();
147
148 // Setup Zero Trust components
149 policyEngine = CreateObject<ZtPolicyEngine>();
150 policyEngine->AddAuthorized(0, "client");
151 policyEngine->AddAuthorized(1, "server");
152 policyEngine->SetCaPublicKey(ca.GetPublicKey());
153
154 handshake = CreateObject<ZtTlsHandshake>();
155 handshake->SetPolicyValidator([](uint32_t nodeId, std::string role) {
156 return policyEngine->Authorize(nodeId, role);
157 });
158
159 ZtLogger::EnableTimestamps(true);
160
161 // Gateway listener
162 Ptr<Socket> recvSocket = Socket::CreateSocket(nodes.Get(1), TypeId::LookupByName("ns3::UdpSocketFactory"));
163 recvSocket->Bind(InetSocketAddress(Ipv4Address::GetAny(), port));
164 recvSocket->SetRecvCallback(MakeCallback(&ReceiveAtGateway));
165
166 // Legitimate sensor send
167 Ptr<Socket> sensorSock = Socket::CreateSocket(nodes.Get(0), TypeId::LookupByName("ns3::UdpSocketFactory"));
168 Simulator::Schedule(Seconds(1.0), &SendFromSensor, sensorSock, InetSocketAddress(interfaces1.GetAddress(1), port), 0);
169
170 // Attacker spoof
171 Ptr<Socket> attackerSock = Socket::CreateSocket(nodes.Get(2), TypeId::LookupByName("ns3::UdpSocketFactory"));
172 Simulator::Schedule(Seconds(1.5), &AttackerSpoof, attackerSock, InetSocketAddress(interfaces2.GetAddress(1), port));
173
174 Simulator::Run();
175 Simulator::Destroy();
176 return 0;
177}
CertificateAuthority::GetPublicKey
CryptoPP::RSA::PublicKey GetPublicKey() const
Retrieves the public RSA key of the CA.
Definition zt-certificate.cc:52
ZtLogger::EnableTimestamps
static void EnableTimestamps(bool enable)
Enables or disables timestamp logging.
Definition zt-logger.cc:16
SendFromSensor
void SendFromSensor(Ptr< Socket > socket, Address gatewayAddr, uint32_t nodeId)
Simulates a sensor device sending an encrypted payload to the gateway after policy and handshake vali...
Definition mitm-mitigation.cc:74
AttackerSpoof
void AttackerSpoof(Ptr< Socket > socket, Address gatewayAddr)
Simulates an attacker sending a spoofed plaintext message to the gateway without encryption.
Definition mitm-mitigation.cc:107
ca
CertificateAuthority ca
Certificate authority for signing identity certificates.
Definition mitm-mitigation.cc:28
policyEngine
Ptr< ZtPolicyEngine > policyEngine
Policy engine for authorization based on identity and roles.
Definition mitm-mitigation.cc:25
ReceiveAtGateway
void ReceiveAtGateway(Ptr< Socket > socket)
Receives an encrypted packet at the gateway and performs decryption and validation.
Definition mitm-mitigation.cc:37
handshake
Ptr< ZtTlsHandshake > handshake
TLS handshake manager for establishing secure sessions.
Definition mitm-mitigation.cc:22
Here is the call graph for this function:

◆ ReceiveAtGateway()

void ReceiveAtGateway ( Ptr< Socket >  socket)

Receives an encrypted packet at the gateway and performs decryption and validation.

Parameters
socketThe receiving socket on the gateway node.

Definition at line 37 of file mitm-mitigation.cc.

38{
39 Ptr<Packet> packet = socket->Recv();
40 uint32_t size = packet->GetSize();
41 std::vector<uint8_t> buffer(size);
42 packet->CopyData(buffer.data(), size);
43 std::string encrypted(buffer.begin(), buffer.end());
44
45 uint32_t selfId = 1;
46 if (!handshake->HasSession(selfId)) {
47 ZtLogger::Log("GATEWAY", "Rejected packet: no valid session with sender.");
48 return;
49 }
50
51 std::string sessionKeyHex = handshake->GetSessionKey(selfId);
52 std::string decrypted;
53 try {
54 decrypted = ns3::DecryptPayload(encrypted, ns3::HexDecodeKey(sessionKeyHex).BytePtr());
55 } catch (...) {
56 ZtLogger::Log("GATEWAY", "Decryption failed: corrupted or spoofed packet.");
57 return;
58 }
59
60 if (decrypted.find("temperature") != std::string::npos) {
61 ZtLogger::Log("GATEWAY", "Valid encrypted payload received from Sensor.");
62 ZtLogger::Log("GATEWAY", "Valid encrypted payload received from Sensor: " + decrypted);
63 } else {
64 ZtLogger::Log("GATEWAY", "Rejected packet: payload failed validation.");
65 }
66}
ns3::DecryptPayload
std::string DecryptPayload(const std::string &cipher, const byte *key)
Decrypts a ciphertext string encrypted with EncryptPayload.
Definition zt-encryption-utils.cc:48
ns3::HexDecodeKey
SecByteBlock HexDecodeKey(const std::string &hex)
Decodes a hex-encoded AES key string into a raw key byte block.
Definition zt-encryption-utils.cc:71
Here is the call graph for this function:
Here is the caller graph for this function:

◆ SendFromSensor()

void SendFromSensor ( Ptr< Socket >  socket,
Address  gatewayAddr,
uint32_t  nodeId 
)

Simulates a sensor device sending an encrypted payload to the gateway after policy and handshake validation.

Parameters
socketThe socket used to send the encrypted message.
gatewayAddrThe address of the gateway node.
nodeIdThe ID of the sensor node.

Definition at line 74 of file mitm-mitigation.cc.

75{
76 std::string cert = ca.SignIdentity(nodeId, "IoTDevice", std::time(nullptr) + 300);
77 ZtLogger::LogCertIssued(nodeId, "IoTDevice", std::time(nullptr) + 300);
78
79 if (!policyEngine->AuthorizeWithCert(nodeId, "IoTDevice", cert)) {
80 ZtLogger::LogCertRejected("Sensor not authorized");
81 return;
82 }
83
84 handshake->StartHandshake(socket->GetNode(), NodeList::GetNode(1), nodeId, 1);
85
86 if (!handshake->HasSession(1)) {
87 ZtLogger::Log("TLS", "Handshake failed with gateway");
88 return;
89 }
90
91 std::string sessionKeyHex = handshake->GetSessionKey(1);
92 std::string ivOut;
93 std::string payload = "temperature=26.3";
94 std::string encrypted = ns3::EncryptPayload(payload, ns3::HexDecodeKey(sessionKeyHex).BytePtr(), ivOut);
95
96 ZtLogger::LogEncryption("[payload hidden]", ivOut);
97
98 socket->Connect(InetSocketAddress(InetSocketAddress::ConvertFrom(gatewayAddr).GetIpv4(), port));
99 socket->Send(reinterpret_cast<const uint8_t *>(encrypted.c_str()), encrypted.size(), 0);
100}
CertificateAuthority::SignIdentity
std::string SignIdentity(uint32_t nodeId, const std::string &role, time_t expiry)
Signs an identity certificate with node ID, role, and expiry.
Definition zt-certificate.cc:29
ZtLogger::LogCertRejected
static void LogCertRejected(const std::string &reason)
Logs a rejected certificate attempt with a reason.
Definition zt-logger.cc:75
ZtLogger::LogCertIssued
static void LogCertIssued(uint32_t nodeId, const std::string &role, time_t expiry)
Logs a certificate issuance event.
Definition zt-logger.cc:46
ZtLogger::LogEncryption
static void LogEncryption(const std::string &payload, const std::string &ivHex)
Logs an encryption event with payload and IV.
Definition zt-logger.cc:86
ns3::EncryptPayload
std::string EncryptPayload(const std::string &data, const byte *key, std::string &ivOut)
Encrypts a plaintext string using AES-CBC mode with a randomly generated IV.
Definition zt-encryption-utils.cc:22
Here is the call graph for this function:
Here is the caller graph for this function:

Variable Documentation

◆ ca

CertificateAuthority ca

Certificate authority for signing identity certificates.

Definition at line 28 of file mitm-mitigation.cc.

◆ handshake

Ptr<ZtTlsHandshake> handshake

TLS handshake manager for establishing secure sessions.

Definition at line 22 of file mitm-mitigation.cc.

◆ policyEngine

Ptr<ZtPolicyEngine> policyEngine

Policy engine for authorization based on identity and roles.

Definition at line 25 of file mitm-mitigation.cc.

◆ port

uint16_t port = 9000

UDP communication port used by gateway.

Definition at line 31 of file mitm-mitigation.cc.