WireTrust: A TrustZone-Based Non-bypassable VPN Tunnel

Röckl J, Funk J, Müller T (2026)


Publication Type: Conference contribution

Publication year: 2026

Publisher: Springer Science and Business Media Deutschland GmbH

Book Volume: 16325 LNCS

Pages Range: 287-306

Conference Proceedings Title: Lecture Notes in Computer Science

Event location: Tartu EE

ISBN: 9783032147813

DOI: 10.1007/978-3-032-14782-0_16

Abstract

We introduce WireTrust, a VPN architecture for ARMv8-A devices that leverages ARM TrustZone to mitigate OS-level vulnerabilities. Contrary to commodity VPNs, WireTrust does not rely on the security of the OS, its network stack, or its routing tables to provide a secure VPN full tunnel. WireTrust operates transparently to applications on the device and enforces that all IP traffic is routed exclusively through the VPN tunnel, blocking attempts to bypass it – even if the OS has been compromised. WireTrust ensures that packets outside the tunnel are discarded before they reach the OS, significantly reducing the device’s attack surface that is exposed to the public internet. Extending the WireGuard VPN, we implement a proof of concept on real hardware, show that WireTrust’s additions to the trusted computing base account for 6.61%, and measure a performance penalty of 2.12%-5.50% on TCP throughput and 1.40% on latency compared to stock WireGuard.

How to cite

APA:

Röckl, J., Funk, J., & Müller, T. (2026). WireTrust: A TrustZone-Based Non-bypassable VPN Tunnel. In Raimundas Matulevicius, Mubashar Iqbal, Liina Kamm (Eds.), Lecture Notes in Computer Science (pp. 287-306). Tartu, EE: Springer Science and Business Media Deutschland GmbH.

MLA:

Röckl, Jonas, Julian Funk, and Tilo Müller. "WireTrust: A TrustZone-Based Non-bypassable VPN Tunnel." Proceedings of the 30th Nordic Conference on Secure IT Systems, NordSec 2025, Tartu Ed. Raimundas Matulevicius, Mubashar Iqbal, Liina Kamm, Springer Science and Business Media Deutschland GmbH, 2026. 287-306.
