CMXsafe: A Proxy Layer for Securing Internet-of-Things Communications
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 2024-05-22, DOI: 10.1109/tifs.2024.3404258
Jorge David de Hoz Diego, Taous Madi, Charalambos Konstantinou

Security in Internet-of-Things (IoT) environments has become a major concern. This is partly due to a large number of remotely exploitable IoT vulnerabilities in service authentication and access control combined with the lack of timely technical support. To reduce the threat surface of remote vulnerability exploitation, we propose CMXsafe, a secure-by-design application-agnostic proxy layer that can be updated and managed independently of the IoT device application. CMXsafe places IoT devices behind gateways operating as 4th OSI transport layer relayers to offload security concerns of IoT network communications into the proxy layer. Specifically, the proxy layer produces secure communication paths between IoT applications and platforms while enforcing mutual authentication and access control to proxied services. We evaluate the performance of our architecture on the MQTT protocol used in a standard publisher-broker-subscriber configuration provided by Eclipse Mosquitto. We compare the performance penalty on the protocol when securing communications with TLS following a monolithic implementation and with CMXsafe. The experimental results suggest that CMXsafe outperforms integrated security by providing at least a 25% latency reduction and a 22% bandwidth improvement.

Updated: 2024-05-22