Fraunhofer-Gesellschaft
2024
Conference Paper
Title

DDS Security+: Enhancing the Data Distribution Service with TPM-based Remote Attestation

Abstract
The Data Distribution Service (DDS) is a widely accepted industry standard for reliably exchanging data over the network using a publish-subscribe model. While DDS already includes basic security features such as participant authentication and access control, the possibilities of leveraging Trusted Platform Modules (TPMs) to increase the security and trustworthiness of DDS-based applications have not been sufficiently researched yet. In this work, we show how TPM-based remote attestation can be effectively integrated into the existing DDS security architecture. This enables application developers to verify the code integrity of remote DDS participants during the operation of the distributed system. Our solution transparently extends the DDS secure channel handshake, while cryptographically binding the established communication channels to the attested software stacks. We show the security properties of our proposal by formally verifying the resulting remote attestation protocol using the Tamarin theorem prover. We also implement our solution as a fork of the popular eProsima FastDDS library and evaluate the resulting performance impact when conducting TPM-based remote attestations of DDS applications.
Author(s)
Wagner, Paul-Georg
Fraunhofer-Institut für Optronik, Systemtechnik und Bildauswertung IOSB  
Birnstill, Pascal  
Fraunhofer-Institut für Optronik, Systemtechnik und Bildauswertung IOSB  
Beyerer, Jürgen  
Fraunhofer-Institut für Optronik, Systemtechnik und Bildauswertung IOSB  
Mainwork
ARES 2024, 19th International Conference on Availability, Reliability & Security. Proceedings  
Conference
International Conference on Availability, Reliability and Security 2024  
DOI
10.1145/3664476.3670442
Language
English
Fraunhofer-Institut für Optronik, Systemtechnik und Bildauswertung IOSB  
Keyword(s)
  • Computer systems organization
  • Architectures
  • Distributed architectures
  • Embedded and cyber-physical systems
  • Security and privacy
  • Network security
  • Security protocols
  • Security in hardware
  • Embedded systems security
