

Secure firewalling to protect embedded systems

The need for firewalling

Connected devices are islands floating in an unpredictable sea of connectivity. Networks must cope with the constant addition, removal and updating of devices, each of which runs applications that can be added, removed or modified at any time. In a real network the whole configuration is never controlled by a single entity. All this complexity creates vulnerabilities that attackers can exploit to mount successful attacks.

Nevertheless, connected devices must still communicate with peers. Applications must be able to send and receive messages with the outside world, but not every type of message, and not to or from every device in the network. Applications can perform their own filtering and validation, but it is impossible to ensure that every application developer performs this task correctly and consistently.

Even devices that carry little value can present an important security risk if they can be used as stepping-stones toward larger attacks. Therefore, firewalls help to secure connected devices and networks as they:

  • Filter incoming and outgoing communications between a device and a peer (another device or a server).
  • Operate at the OS level to capture all exchanges.
  • Enforce formal security policies that dictate “Who can communicate with What and How”.
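To make the third point concrete, here is an added illustration of a policy engine that decides “Who” (peer network), “What” (direction and port on the device) and “How” (protocol) with a default-deny rule. It is not ProvenFilter code and does not reflect its configuration format; the rule schema, the sample policy and the sample flows are all constructed for this example. It also shows a restricted “lockdown” policy of the kind a filter outside the Rich OS can keep enforcing when that OS is no longer trusted.

```python
"""Policy-based flow filter: an added example of "Who can communicate with
What and How" with default deny. Not ProvenFilter code; the Rule/Flow schema,
the policies and the sample flows below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    direction: str    # "in" (peer -> device) or "out" (device -> peer)
    proto: str        # "tcp" or "udp"
    peer: str         # IP address of the remote host
    device_port: int  # port on the protected device
    peer_port: int    # port on the remote host


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None       # None matches any protocol
    peer_net: Optional[str] = None    # CIDR; None matches any peer
    device_port: Optional[int] = None
    peer_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.direction is not None and self.direction != f.direction:
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.peer_net is not None and ip_address(f.peer) not in ip_network(self.peer_net):
            return False
        if self.device_port is not None and self.device_port != f.device_port:
            return False
        if self.peer_port is not None and self.peer_port != f.peer_port:
            return False
        return True


def decide(policy: list[Rule], f: Flow) -> str:
    """First matching rule wins; a flow no rule allows is denied."""
    for r in policy:
        if r.matches(f):
            return r.action
    return "deny"


# Constructed policy for a sensor that reports over MQTT/TLS to one server,
# resolves names via one DNS server, and accepts SSH only from an ops subnet.
POLICY = [
    Rule("allow", direction="out", proto="tcp", peer_net="198.51.100.10/32", peer_port=8883),
    Rule("allow", direction="in", proto="tcp", peer_net="192.0.2.0/24", device_port=22),
    Rule("allow", direction="out", proto="udp", peer_net="192.0.2.53/32", peer_port=53),
]

# Constructed restricted policy for when the Rich OS is suspected compromised:
# nothing leaves the device; only the ops subnet may reach it, and only via SSH.
LOCKDOWN = [
    Rule("allow", direction="in", proto="tcp", peer_net="192.0.2.0/24", device_port=22),
]

# Constructed sample flows (documentation address ranges only).
SAMPLE_FLOWS = {
    "telemetry": Flow("out", "tcp", "198.51.100.10", 40000, 8883),
    "ops_ssh": Flow("in", "tcp", "192.0.2.7", 22, 51000),
    "stranger_ssh": Flow("in", "tcp", "203.0.113.5", 22, 51000),
    "dns": Flow("out", "udp", "192.0.2.53", 40001, 53),
    "unknown_https": Flow("out", "tcp", "203.0.113.9", 40002, 443),
}


def evaluate(policy: list[Rule]) -> dict[str, str]:
    """Apply a policy to every sample flow and return name -> decision."""
    return {name: decide(policy, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for mode, pol in (("normal", POLICY), ("lockdown", LOCKDOWN)):
        print(mode, evaluate(pol))
```

The design choice worth noting is that the default is deny and every rule is an explicit allow: a device whose applications are added or replaced at any time cannot be protected by a blocklist of known bad peers, only by an allowlist of the communications the device actually needs.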

Limitations of Traditional Device-level Firewalls

To be trusted, a firewall must be protected from attacks performed by local applications. If an application can modify the operating system or its configuration, it can easily disable the firewall. Furthermore, once a successful attack is detected, the compromised device cannot be recovered, as no application running on the device can be trusted any longer.

Device-level firewalls cannot be fully trusted because they run in the same address space as the underlying Rich OS (Android, Linux, etc.). They are therefore exposed to the large number of local and remote attacks that affect traditional Rich OSs. This also means that compromised devices cannot be recovered or controlled remotely.

Why ProvenFilter

ProvenFilter is a secure software application that benefits from ProvenRun’s years of expertise in developing security applications for embedded systems. Its architecture relies on a secure OS that provides an execution environment protected from attacks performed from the Rich OS, and uses it to securely filter TCP/IP communications coming in and out of a connected embedded device.


  • Secure boot
  • Secure OS protection
  • Ethernet driver
  • TCP/IP stack
  • Flexible and Configurable security policies


  • No OS modifications
  • Fits the requirements and architectures of most deployments
  • Cannot be bypassed
  • Even if the Rich OS is compromised, communications can still be turned off or restricted
  • Leverages a hardware root of trust
  • High security assurance level

Supported architectures:

ProvenFilter is available for selected ARM Cortex-A microprocessors. The board should be equipped with an Ethernet controller that leverages the TrustZone hardware isolation.

Please contact us for more details.

Challenge coverage

Security needs to be integrated at the design stage (security-by-design) and embedded in the most effective way wherever it is required in the technical infrastructure. There are many ways to embed security in systems and devices, and the selected solution will be the result of a trade-off between cost, security level and performance.

Trusted Computing Base

Security engineers define the Trusted Computing Base (TCB) as the set of hardware, firmware and software components that are critical to the security of a system. In order to limit the risk of vulnerabilities, the TCB needs to be well identified, as small as possible and made up of components that can really be trusted.
