Periodic Reporting for period 2 - ASSURED (Future Proofing of ICT Trust Chains: Sustainable Operational Assurance and Verification Remote Guards for Systems-of-Systems Security and Privacy)
Reporting period: 2022-03-01 to 2023-08-31
The scope of ASSURED is to provide a formally verified runtime assurance framework for securing the next-generation of “Systems-of-Systems” comprising multiple heterogeneous devices operating under the Zero Trust principle. Towards this direction, ASSURED investigates the adoption of key technologies, in the fields of trusted computing and lightweight cryptographic trust anchors, as enablers for the secure configuration, deployment, operation, orchestration and verifiable computing of safety-critical programmable components running at the edge and secure communication and data sharing amongst them and with other interested (and authenticated) stakeholders acting as data seekers. From the trusted boot and integrity measurement of a CPS to the runtime behavioral attestation of those safety-critical components of a system providing strong guarantees on the correctness of the control- and information-flow properties, thus, enhancing the performance and scalability when composing secure systems from potentially insecure components. This will enable the system to generate a secure root of trust that can be used for e.g. interacting with cloud services, accessing corporate services and performing banking and eCommerce transactions. This architecture will also be enhanced with detailed threat modelling and risk assessment (both during design- and run-time) functionalities so as to provide a holistic solution capturing the strict security and privacy requirements of all deployed edge and infrastructure assets considered in various application domains. Furthermore, the entire architecture will be complemented by the design of a policy-compliant Blockchain infrastructure for providing auditable and certifiable security (attestation) policy deployment and enforcement as well as the secure recording of all attestation results. Accompanying with the ASSURED security enablers design and implementation, the project will demonstrate four use cases, in the domains of Smart Manufacturing, Smart Aerospace, Smart Cities, and Smart Satellites, which will be used to validate the feasibility and performance of the ASSURED solution in these three selected real-world systems that may be affected by the advent of more advanced attack vectors.
In the ASSURED project, we have investigated technical and security, privacy and operational assurance requirements for the new generation of “Systems-of-Systems”, that comprise multiple heterogeneous cyber-physical systems, running a multitude of mixed-criticality applications and services. We have also conceptualized four industry-driven use cases that will allow the validation of the project research results in real-world scenarios and how the overall ASSURED solution can serve vertical industry needs. These contributions have been published in the deliverables of WP1.
The ASSURED threat modelling, risk assessment, runtime risk assessment and policy recommendation are the first important artifacts of the project and have been designed in WP2. Research has culminated to the development of a holistic risk assessment framework capable of providing functionalities during both design-time, where an initial risk graph of all possible threats and risks are identified, and run-time, where the risk graph can be updated in order to achieve the required security, trust and privacy properties in the case of newly identified (e.g. zero-day) vulnerabilities. The current results have been published as part of WP2.
We have also designed and implemented a new set of lightweight attestation enablers targeting both the software and hardware layers and covering all phases of a device’s execution. These security enablers are also enhanced with the design of a novel Direct Anonymous Attestation scheme for providing privacy-preserving platform authentication and anonymous interaction by leveraging short-term anonymous credentials (pseudonyms). A common denominator is the support for real-time execution stream monitoring capabilities necessary for tracing the control- and information-flow execution paths needed by the runtime attestation enablers. In ASSURED, such dynamic tracing capabilities are supported in a non-intrusive manner. These achievements have been reported in the first deliverables of WP3.
We have also designed and implemented a policy-compliant Blockchain infrastructure for supporting the automated security (attestation) policy enforcement and deployment as well as the secure and auditable sharing of both operational- and attestation data. This architecture comprises of the appropriate components required for supporting lightweight crypto operations, capturing the required on-chain interactions, needed when devices trying to access a resource; i.e. Attribute-based Access Control, Searchable Encryption, Authentication, Authorization, etc. All such functionalities are enabled through the ASSURED TPM-based Wallet as the underlying trust anchor. These milestones have been reported in the first deliverables of WP4.
We have implemented all the aforementioned core ASSURED building blocks and instantiated the first version of the overall framework in the context of the four envisaged use cases. The current results have been documented in the deliverables of WP5 and WP6, respectively.
Finally, regarding dissemination, awareness, and standardization activities, it is worth noting the great effort of ASSURED consortium in clustering with other EU security- and privacy-related research project activities (e.g. C4IIOT, PUZZLE, RAINBOW, CYRENE, SANCUS, FISHY, MEDNIA, BIECO, IoTAC, and SIFIS-Home) towards improving “cyber security”. For the latter, a number of actions were taken for the promotion of the project results to the trusted computing community and close follow-up of standardization activities (i.e. Trusted Computing Group (TCG), ENISA, DIF, SSI, ISO/IEC) leading to the validation of the ASSURED results from a technical and business perspective.
The ASSURED threat modelling, risk assessment, runtime risk assessment and policy recommendation are the first important artifacts of the project and have been designed in WP2. Research has culminated to the development of a holistic risk assessment framework capable of providing functionalities during both design-time, where an initial risk graph of all possible threats and risks are identified, and run-time, where the risk graph can be updated in order to achieve the required security, trust and privacy properties in the case of newly identified (e.g. zero-day) vulnerabilities. The current results have been published as part of WP2.
We have also designed and implemented a new set of lightweight attestation enablers targeting both the software and hardware layers and covering all phases of a device’s execution. These security enablers are also enhanced with the design of a novel Direct Anonymous Attestation scheme for providing privacy-preserving platform authentication and anonymous interaction by leveraging short-term anonymous credentials (pseudonyms). A common denominator is the support for real-time execution stream monitoring capabilities necessary for tracing the control- and information-flow execution paths needed by the runtime attestation enablers. In ASSURED, such dynamic tracing capabilities are supported in a non-intrusive manner. These achievements have been reported in the first deliverables of WP3.
We have also designed and implemented a policy-compliant Blockchain infrastructure for supporting the automated security (attestation) policy enforcement and deployment as well as the secure and auditable sharing of both operational- and attestation data. This architecture comprises of the appropriate components required for supporting lightweight crypto operations, capturing the required on-chain interactions, needed when devices trying to access a resource; i.e. Attribute-based Access Control, Searchable Encryption, Authentication, Authorization, etc. All such functionalities are enabled through the ASSURED TPM-based Wallet as the underlying trust anchor. These milestones have been reported in the first deliverables of WP4.
We have implemented all the aforementioned core ASSURED building blocks and instantiated the first version of the overall framework in the context of the four envisaged use cases. The current results have been documented in the deliverables of WP5 and WP6, respectively.
Finally, regarding dissemination, awareness, and standardization activities, it is worth noting the great effort of ASSURED consortium in clustering with other EU security- and privacy-related research project activities (e.g. C4IIOT, PUZZLE, RAINBOW, CYRENE, SANCUS, FISHY, MEDNIA, BIECO, IoTAC, and SIFIS-Home) towards improving “cyber security”. For the latter, a number of actions were taken for the promotion of the project results to the trusted computing community and close follow-up of standardization activities (i.e. Trusted Computing Group (TCG), ENISA, DIF, SSI, ISO/IEC) leading to the validation of the ASSURED results from a technical and business perspective.
The ASSURED project has drawn a lot of attention from the trusted computing and Blockchain community towards increasing the trustworthiness of ICT services and products. Countless Internet of Things (IoT) devices are connected to the internet every day while people need to gather and process massive amounts of information from the real world. The advent of 3GPP 5G, allowing for a massive information exchange, is a game changer in IoT. However, enhanced connectivity and IoT’s low security have led to vast attacks, hindering a wide-spread adoption of IoT. This highlights the importance of proper IoT security management and the need for further enhancements of IoT infrastructures with continuous security improvements integrated into the IoT lifecycle management. All of these systems and applications will directly benefit from the research results produced from the ASSURED project.
Except from trusted computing, this project also has a strong impact on other applications of applied cryptography in general. For any application, which requires long-term security for data protection and user privacy, it can follow the outputted research results and technical guidance from this project to make a smooth transition to lightweight cryptographic trust anchors enabled by the underlying TPM-based Wallet. All these solutions will be implemented and heavily tested, thus, enabling the improvement in performance and efficiency of cryptography beyond the state of the art.
Except from trusted computing, this project also has a strong impact on other applications of applied cryptography in general. For any application, which requires long-term security for data protection and user privacy, it can follow the outputted research results and technical guidance from this project to make a smooth transition to lightweight cryptographic trust anchors enabled by the underlying TPM-based Wallet. All these solutions will be implemented and heavily tested, thus, enabling the improvement in performance and efficiency of cryptography beyond the state of the art.