The Manufacturer Usage Description (MUD) standard enables enforcement of network restrictions for IoT devices based on their expected network traffic, as specified by manufacturers in an online MUD file. Devices advertise a URL pointing to this file, yet the standard does not define how to securely bind the issuing device to its profile. As a result, malicious devices can manipulate network policy enforcement by advertising valid URLs referencing genuine MUD profiles, but not intended for that device. Although MUD defines a certificate-based secure issuance method, current deployments rely on the insecure DHCP-based extension due to simpler integration. Existing solutions either depend on Public Key Infrastructure (PKI), break standard compliance, require excessive active manufacturer involvement, or overlook secure profile updates. In this paper, we present FIDEM, a standard-compliant framework for securing DHCP-based MUD URL issuance. FIDEM provides cryptographic binding between IoT devices and their MUD profiles by leveraging Zero-Knowledge-Proof authentication, eliminating PKI reliance, minimizing manufacturers' involvement, and supporting secure profile updates. Formal analysis shows that FIDEM withstands stronger adversaries than in prior work, including supply-chain compromise and attacks using legitimate devices as cryptographic oracles. Our real-world evaluation on two reference constrained devices (ESP32-S3 and ESP32-C6) demonstrates minimal overhead compared to standard DHCP (approximately 5 ms and 20 mJ) and significant improvements over certificate-based benchmarks (approximately 20x faster, and 35% less energy).
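To make the DHCP-based issuance path concrete, here is an added example (not code from the paper or from FIDEM) of the MUD-manager side: it parses a DHCPv4 option area, pulls out the MUD URL carried in option 161 (OPTION_MUD_URL_V4, RFC 8520) and applies the RFC's https-only rule. The sample option blobs are constructed, not captured traffic. Note what the check does not do: a syntactically valid URL says nothing about whether the requesting device is entitled to that profile, which is the binding gap the abstract describes.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

MUD_URL_OPTION = 161  # OPTION_MUD_URL_V4 (RFC 8520)
PAD, END = 0, 255     # single-byte DHCPv4 options (RFC 2132)

def parse_dhcpv4_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the DHCPv4 TLV option area; repeated codes are concatenated (RFC 3396)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def extract_mud_url(blob: bytes) -> Optional[str]:
    """Return the advertised MUD URL if present and well-formed per RFC 8520, else None.
    A valid URL only means the manufacturer's file can be fetched over https; nothing in
    the DHCP exchange proves the requester is the device that profile was written for."""
    raw = parse_dhcpv4_options(blob).get(MUD_URL_OPTION)
    if raw is None:
        return None
    try:
        url = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return None
    return url

# Constructed sample option areas (not captured traffic): DHCPDISCOVER (option 53 = 1),
# a MUD URL option, then END; the second sample carries a non-https URL and is rejected.
_GOOD = b"https://example.com/mud/sensor-v2.json"
_BAD = b"http://example.com/mud.json"
SAMPLE_OK = bytes([53, 1, 1, MUD_URL_OPTION, len(_GOOD)]) + _GOOD + bytes([END])
SAMPLE_HTTP = bytes([MUD_URL_OPTION, len(_BAD)]) + _BAD + bytes([END])
```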