With the excessive and continuous demand for real-time interactions, e.g., industrial automation, environmental monitoring, intelligent transportation systems, etc., the domain of ubiquitous computing is expanding. In this emerging area of technology, security, resilience and reliability are key criteria for system success. This is particularly true for IoT applications, comprising thousands of distributed cyber-physical components (i.e., algorithms, software and hardware CPSoS), enabling the new generation of fog-based ecosystems; networked embedded systems that interact with the real world, in high data rates, through sensors and actuators.
This unprecedented deployment rate of “smart things” (i.e., intelligent fog and edge devices), has also led to the expansion of new attack vectors targeting the correct execution of the services deployed to the edge; more and more vulnerabilities are increasingly being discovered in the software running on these devices. This brings a new set of issues that need to be tackled in their entirety, such as converging the security, safety and robustness of all cyber-physical systems that are part of this chain; ranging from how to safeguard the secure management of data assets captured by these edge CPSoS, from exposure and disclosure to unwanted parties, to how to secure all things connected. They must never endanger human life or the environment, even in the presence of sophisticated (or zero-day) attacks. To keep up with the number of services that must be vetted for vulnerabilities, an automated approach is required.
The fundamental issue of trust or trustworthiness breaks down to whether a remote platform behaves in a reliable and predictable manner or will be (or already has been) subject to subversion. A key challenge in this context is to establish and manage trust between entities, starting from bi-lateral interactions between two single system components and continuing as such systems get connected to ever larger entities. But how can we make sound statements on the security properties of single systems and transfer this to statements on the security properties of such hierarchical compositions of systems? Therefore, a holistic, integrated approach with end-to-end capabilities covering device integrity and trust, security management of data, software and timely patching as well as threat intelligence is necessary.
The objective of this research project is to engage the paramount need for a unified and scalable security overlay mesh network capable of encompassing both security and trust in current and emerging “Systems-Of-Systems” (SoS). This includes, but is not limited, to building security architectures that allow a given system to automatically detect whether it is under attack – and therefore intensify its protection mechanisms. To this end, the focus will be towards designing and developing cryptographically secure and scalable attestation mechanisms for enhancing the overall security and privacy posture of deployed edge devices as well as verifying the integrity of deployed software-based services.
The conducted research will, in addition to incorporating modern crypto approaches, advance the state-of-the-art in security, privacy and trust by investigating the integration of trusted computing techniques towards providing enhanced operational assurance. More explicitly, it will explore the use of secure elements – such as Trusted Platform Modules (TPMs) and the underlying TCG Software Stack (TSS) – for shifting the trust from the back-end infrastructure to the edge in order to create strong “chains of trust” with verifiable evidence on the correctness of the devices’ execution. Towards this direction, a detailed investigation will be conducted to correctly define and investigate hybrid layered attestation approaches for enabling the collective attestation of edge devices. This will include the design of advanced attestation enablers such as Direct Anonymous Attestation (DAA) and control- and information-flow attestation mechanisms.