- This event has passed.
Towards Sustainable Security in Systems-of-Systems
25/04/2023 – 26/04/2023
You are all invited to join the ASSURED Scientific Workshop on Sustainable Security and future proofing of ICT Trust Chains, to be held on April 25th-26th, 2023 hosted by the Computer Science department of TU Darmstadt at the Welcome Hotel Darmstadt in Germany.
The overarching vision of future-proofing the next-generation of Smart Connectivity “Systems-of-Systems”, comprising a multitude of heterogeneous embedded systems, is of paramount importance for cementing Europe’s vision towards secure and sustainable service graph chains. In this context, considering the diversity of involved stakeholders with varying security and privacy requirements, the endmost goal is to enable the long-term transformation of such distributed environments with security solutions that can cover all the layers of the deployed application stack; from network security to application security and data security, each element plays an important role into the system’s overall security posture.
As such, security should be implemented in a sustainable way, namely achieving limiting energy and computational resources consumption, and being at least capable of supporting crypto-agility (so as to allow updates of security primitives rather than replacement of whole devices). These two properties are challenging to offer in security, since several attacks and weaknesses are discovered every day and simple updates could not be sufficient to defeat them. In recent years, we are observing the discovery of a growing number of hardware design and implementation vulnerabilities that could be exploited by unprivileged software, leading to potential exposure of sensitive data or compromise of whole computing systems. This new attack paradigm casts a long shadow on decades of research on system security and disrupts the traditional threat models, thus, highlighting the pressing need for a new breed of flexible runtime assurance mechanisms based on system adaptation and enabling dynamic system re-configuration.
The situation is further complicated by the fact that, in this moment, families of cryptographic algorithms are being replaced by novel standards (such as the post quantum one). Security can even be of great help to support sustainability, for instance by allowing secure update of devices and enabling maintenance that would extend the devices live. Yet, support for these features should be studied in depth and fully understood to avoid the involuntary insertion of security weaknesses. Unfortunately, existing solutions are often ad-hoc, limited, inefficient, and address only specific problems.
In this context, the ASSURED project aims to develop a novel (formally verified) runtime assurance framework capable of establishing and managing trust between entities, starting from bi-lateral interactions between two single system components and continuing as such systems get connected to even larger system entities. This is achieved through novel, highly efficient attestation schemes aiming at converting edge devices into trust anchors capable of proving verifiable evidence for their configuration and operational state against cross-layer vulnerabilities and even zero-day exploits. Beyond the needs of sustainable security and functional safety, ASSURED also considers methodologies for agile certification towards verifying those system attributes that are best suited for depicting the required level of trust.
This two-day interactive workshop aims at bringing together industry, academia and standardization bodies for addressing the relation between sustainability and security from both sides; discussing what can be done to make security more sustainable and presenting new research security directions in making electronic devices more sustainable. Interesting discussions will be held on exploring new ideas for tackling the challenges related but not limited to security-by-design for embedded systems, scalable assurance and verification methodologies for system security and resilience (both software and hardware), and security-aware policy enforcement and deployment that pave the way for establishing sustainable security for computing platforms.
CHECK THE AGENDA
Day 1 Workshop Program | 9:00 – 18:15 CEST | |||
From – To | Topic | Speaker | |
9:00 – 9:15 | Introduction to ASSURED | Thanassis Giannetsos, Dimitris Papamartzivanos (UBITECH) | |
WPs Technical RoadMap | |||
9:15-10:15 |
“CASU: Compromise Avoidance via Secure Update for Low-End Embedded Systems” Guaranteeing runtime integrity of embedded system software is an open problem. Trade-offs between security and other priorities (e.g., cost or performance) are inherent, and resolving them is both challenging and important. The proliferation of runtime attacks that introduce malicious code (e.g., by injection) into embedded devices has prompted a range of mitigation techniques. One popular approach is Remote Attestation (RA), whereby a trusted entity (verifier) checks the current software state of an untrusted remote device (prover). RA yields a timely authenticated snapshot of prover’s state that verifier uses to decide whether an attack/compromise has occurred. Current schemes require verifier to explicitly initiate RA, based on some unclear criteria. Thus, in case of prover’s compromise, verifier only learns about it late, upon the next RA instance. While sufficient for compromise detection, some applications would benefit from a more proactive, prevention-based approach. To this end, we construct CASU: Compromise Avoidance via Secure Updates. CASU is an inexpensive hardware/software co-design enforcing: (i) runtime software immutability, thus precluding any illegal software modification, and (ii) authenticated updates as the sole means of modifying software. In CASU, a successful RA instance serves as a proof of successful update, and continuous subsequent software integrity is implicit, due to the runtime immutability guarantee. This obviates the need for RA in between software updates and leads to unobtrusive integrity assurance with guarantees akin to those of prior RA techniques, with better overall performance. |
Gene Tsudik (University of California) | |
10:15 – 11:00 | “Trusted Environment for Future Consumer Devices” | Jan-Erik Ekberg (Huawei) | |
11:00 – 11:15 | Coffee Break | ||
11:15 – 12:00 |
“System Tracing: From Cloud to IoT” Virtual Machine Introspection (VMI) is an essential technique for monitoring the runtime state of a virtual machine. VMI systems enable a wide range of applications, such as malware detection. Existing VMI systems rely on privileged software, e.g., a hypervisor, to ensure a trustworthy operation. Thus, they compete with the introspected VMs for shared CPU resources and impact their performance. Moreover, malware may detect these systems via side-channel leakage and hide their presence or compromise the systems by exploiting vulnerabilities. During my presentation, I will showcase various methods for monitoring systems in cloud and IoT environments. Additionally, I will exhibit how specialized hardware can be used to address the limitations of traditional VMI systems in these contexts. |
Ahmad Atamli (NVIDIA) | |
12:00 – 12:45 |
“Efficient and Scalable Fuzzing of Complex Software Stacks” In this talk, I will give an overview of our recent progress in randomized testing (“fuzzing”) and present some of the methods we have developed in the last few years. These include fuzzing of operating system kernels / hypervisors and fuzz testing of embedded systems. The talk will focus on our recent work on Fuzztruction, a novel perspective on generating inputs in highly complex formats without relying on heavyweight program analysis techniques, coarse-grained grammar approximation, or a human domain expert. I will conclude the talk with an outlook on challenges yet to be solved. |
Thorsten Holz (CISPA Center for Information Security) | |
12:45 – 14:00 | Lunch Break | ||
14:00 – 14:45 |
“Financial Crime Detection with Privacy” Privacy-enhancing technologies, particularly MPC, have been questioned about their practicality. Last summer, a competition was organized by the USA and UK governments (U.S.-U.K. PETs Prize Challenges), where privacy researchers were tasked to solve the fraud detection problem using machine learning algorithms while providing privacy guarantees to banks and their users. For this purpose, we developed the cryptographic part of the solution, where the result is a custom protocol that allows payment providers to check whether a user’s credentials match the credentials in a bank’s database without the bank learning any information about the user. At the same time, the payment provider never has access to the bank’s database. These seemingly-impossible constructions are made possible using a particular type of encryption called homomorphic encryption. The competition results show that privacy-enhancing technologies are fast enough to be practically deployable. They provide solutions for problems that are otherwise hard to address without exposing private data. We are glad to announce that our team from the Delft University of Technology and researchers from the University of Washington Tacoma won second place as the “PPML Huskies” team. In this talk, we will investigate the proposed approach that wins a prize and the competition itself. |
Zeki Erkin (Cyber Security Group, Delft University of Technology) | |
14:45 – 15:30 |
“Post-Quantum Direct Anonymous Attestation (PQ-DAA)” Direct Anonymous Attestation (DAA) is a group type of anonymous signature scheme, which allows users in a group to sign messages such that the signatures can be verified using a group public key, and the actual signers’ identities are not revealed (beyond the fact that they belong to the group). DAA was originally designed to support anonymous attestation using a Trusted Platform Module TPM, which is a small component embedded in a host computer platform. A unique feature of DAA is that a group signer’s role is split into two entities, a principal signer and an assistant signer; the former is the TPM, and the latter is the host platform. Currently standardized DAA schemes have their security supported on the factoring and discrete logarithm problems. Should a quantum-computer become available in the next few decades, these schemes will be broken. There is therefore a need to start developing post-quantum DAA schemes. Our research into quantum-resistant DAA has resulted in several Lattice-based schemes, the security of our schemes is proved in the Universally Composable (UC) security model under the hardness assumptions of the Ring Inhomogeneous Short Integer Solution (Ring-ISIS) and Ring Learning with Errors (Ring-LWE) problems. Our current work is designing the first post-quantum DAA scheme from symmetric primitives with a full security analysis of the proposed scheme in the UC model. |
Nada El Kassem (University of Surrey) | |
15:30 – 15:45 | Coffee Break | ||
15:45 – 16:30 |
Panel Discussion “Towards Sustainable Security – Converging Software and Adaptable Hardware Security” |
||
16:30 – 17:15 |
“A software-based approach to secure bare-metal devices” Recently, several hardware-assisted security architectures have been proposed to mitigate the ever-growing cyberattacks on Internet-connected devices. However, such proposals are not compatible with a large portion of the already deployed resource-constrained embedded devices due to hardware limitations. The vast majority of such devices are bare-metal, where they execute programs in fully-accessible and unprotected memories without any operating system and even without any form of security. To fill this gap we propose a pure software-based trusted computing architecture that provides embedded devices that lack hardware-based memory protection units with memory isolation using software virtualisation and assembly-level code verification. Its design has been formally proven to preserve memory isolation as well as the implementation to be memory-safe and crash-free. The solution fully supports critical features such as Direct Memory Access (DMA) and interrupts. We then show how memory isolation enables many security services, such as remote attestation and secure code updates that could be fully implemented in software and provide similar security guarantees of implementations that rely on hardware features. |
Bruno Crispo (Department of Computer Science and Information Engineering, University of Trento) | |
17:15 – 17:45 | “PrivateAI – Protecting security and privacy for the life-cycle of machine learning” | Matthias Schunter (INTEL) | |
17:45 – 18:25 |
“Are the Trust Frameworks ready? Towards achieving Digital Sovereignty in Decentralized Ecosystems and its role in Credentials Exchange” Decentralized ecosystems involve coordination across multiple parties, all exercising their sovereignty while respecting their obligations upon which others may rely. However, there is a lack of open standards specifications and vendor-neutral technology components from which transacting parties can choose what is needed to meet the requirements of their trust community. The above concerns also impact interoperability and transitive trust while maximizing the risk of vendor lock-in. This talk gives a brief overview of Trust Frameworks for decentralized ecosystems and the need for policies and rules to enable governance to ensure automation and extensibility amongst the stakeholders to achieve Digital Sovereignty. In addition, the talk covers the need for credential exchange to bridge trust across ecosystem transactions and data flows and the role of Trust Framework in enabling it. |
Bithin Alangot (Huawei) | |
18:25 – 18:30 | Closing Remarks | Jean-Baptiste Milon (MARTEL) |
Day 2 Workshop Program | 9:00 – 15:30 CEST | |||
From – To | Topic | Speaker | |
9:00 – 9:45 |
“Securing location and reducing device exposure” A broad gamut of Internet of Things (IoT) and mobile applications are location-based or, in fact, their operation relies on real-time, precise position information. This brings forth a dual challenge: how to secure position information and how to limit device traceability. In this talk we discuss recent results on each front. First, methods to secure Global Navigation Satellite System (GNSS)-based position (and time) services and, second, methods to reduce device position exposure in location-based systems. |
Panagiotis Papadimitratos (Networked Systems Security Group, KTH Royal Institute of Technology) | |
9:45 – 10:30 | “Asynchronous Remote Key Generation and its Applications” | Mark Manulis (Department of Computer Science, Universität der Bundeswehr München) | |
10:30 – 10:45 | Coffee Break | ||
10:45 – 11:15 |
“GNNs-Based Zero-Assumption Control-Flow Attestation” Control-Flow Attestation (CFA) methods enable a verifier to verify the integrity of code execution on a remote prover’s system. However, existing CFA schemes have limitations, such as relying on unrealistic assumptions or needing a considerable amount of memory measurements. Additionally, they are not suitable for attesting resource-constrained systems because of their high computational overhead and resource usage. To address these limitations we designed a lightweight and privacy-enhancing CFA method capable of detecting Code Reuse Attacks (CRAs), including control- and non-control-data attacks (i.e., DOP attacks). It extracts features from one execution trace without assuming completeness and uses Unsupervised Graph Neural Networks (GNNs) to identify malicious execution paths. |
Marco Chilese (Technical University of Darmstadt) | |
11:15 – 11:45 | “Are we there Yet? Decentralized Trust Anchors as the Future of Digital Identity Verification” | Benjamin Larsen (Technical University of Denmark) | |
11:45 – 12:15 | “Enhanced DAA flavors and Trust Revocation in Distributed Environments” | Dimitris Papamartzivanos, Stefanos Vasileiadis (UBITECH) | |
12:15 – 12:45 |
“Searchable Symmetric Encryption and its attacks” Searchable Symmetric Encryption (SSE) is a powerful cryptographic primitive that enables users to delegate keyword searches over encrypted databases to a server that may be trustworthy but inquisitive, while maintaining the confidentiality of the keywords and the encrypted documents. In this presentation, we will provide an overview of the fundamental concepts, mechanisms, and security principles associated with SSE. Additionally, we will examine existing threats to SSE and outline some of the outstanding challenges in this field. |
Kaitai Liang (Technical University of Delft) | |
12:45 – 14:00 | Lunch Break | ||
14:00 – 14:45 |
“Beyond Physical: Revisiting the Interplay of Side-channel analysis and AI” Side-channel analysis has changed the field of cryptography and security and it became the most common cause of real-world security applications failing today. In this talk we give an overview of side-channel attacks on implementations of cryptography and countermeasures. We discuss the ways in which Machine learning and AI changed the side-channel analysis landscape and attackers’ capabilities in particular. We survey several examples of AI assisting with leakage evaluation and discuss the impact of it on the field and security evaluations in particular. We also describe the way side-channel analysis threatens AI implementations e.g. neural nets architectures that are commonly used in practice. In the end, we identify some avenues for future research. |
Lejla Batina (Digital Security Group, Radboud University) | |
14:45 – 15:00 |
“Edge Computing and Systems-of-Systems: Security through Zero Trust – Overview” The concept of trust is used in many different ways in Cybersecurity, from something you can trust because it has been proven to comply with certain security guarantees, to something you have to trust for everything to work (this is similar to what in psychology is known as the Stockholm syndrome). “Zero Trust principles and architectures are a response to significant problems in the traditional perimeter-based security model, which primarily tries to prevent attacks against the system from the outside. Zero Trust does away with the assumption that all systems, processes and components inside a well defined boundary can be trusted. There are several definition of Zero Trust Architectures, but most identify a few core principles, e.g. Microsoft identifies three core principles: Explicit verification of all actors in the system, Adhere to the principle of least privilege and Assume breach. To understand the meaning of Zero Trust, we look at the role trust plays in existing security policies and technologies. We give a brief overview of the main elements of a Zero Trust Architecture and discuss the underlying trust assumptions and challenges that face Zero Trust Architectures. |
Christian D. Jensen (Technical University of Denmark) |
|
Session – The use of Trusted Computing towards Enhanced Security and Privacy | |||
15:00 – 15:15 |
“Security challenges and trusted computing in the Smart Satellites domain” Smart satellites are increasingly relied upon for critical functions such as communication, navigation, and earth observation. However, the security of these systems is under constant threat from cyberattacks, and a single successful attack could have devastating consequences. Trusted computing provides advanced security measures that can enhance the security and reliability of safety-critical systems in space. By establishing a secure foundation for a satellite’s software and hardware components, trusted computing can protect against attacks that attempt to compromise the integrity or confidentiality of sensitive data. |
Emmanouil Bakiris (SPACE HELLAS) | |
15:15 – 15:30 | ASSURED Workshop Closing Remarks | Dimitris Papamartzivanos, Jean-Baptise Milon, Thanassis Giannetsos |