ENTRUST End-To-End Trust Management: Some Challenges And Possible Solutions
The ENTRUST project aims at developing novel end-to-end trust management and remote attestation mechanisms that will ensure the secure, safe, and correct operation of connected medical devices at runtime. Although these primary goals mainly touch on aspects of cybersecurity, under the surface the project is a complex amalgamation of various state-of-the-art technologies and computer science domains that go beyond security. This blog post is a short overview of some of the project challenges with software engineering flavor and provides an outline of possible solutions.
The concept of trust is central to the ENTRUST vision. Trust can be established between two or more interacting parties and is usually defined as a subjective belief that an entity will perform a given service as expected. The concept of trust inherently admits the possibility that, for many possible reasons, the service provider deviates from the expected behavior. Computer science provides a number of ways to measure and represent trust formally while accommodating this uncertainty. ENTRUST envisions a trust management framework based on subjective logic to capture and manipulate trust values in a network of communicating devices. To this end, the project will develop advanced trust management middleware that will manage trust in the entire IoT network of connected medical devices. Such a mechanism is itself a potential target for adversaries and must be designed and implemented in a secure way.
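To make the subjective-logic idea concrete, here is an added example (not code from the ENTRUST project) of the two operations a trust management middleware needs most often: discounting a report by how much the receiver trusts its source, and fusing two independent opinions about the same device. An opinion is the usual binomial tuple (belief, disbelief, uncertainty, base rate); the device names, trust values and threshold below are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Opinion:
    """Binomial subjective-logic opinion: belief, disbelief, uncertainty and base rate."""
    b: float
    d: float
    u: float
    a: float = 0.5

    def __post_init__(self):
        # An opinion is only meaningful if its masses are non-negative and sum to 1.
        if min(self.b, self.d, self.u) < 0 or abs(self.b + self.d + self.u - 1.0) > 1e-9:
            raise ValueError("b, d, u must be non-negative and sum to 1")
        if not 0.0 <= self.a <= 1.0:
            raise ValueError("base rate must lie in [0, 1]")

    def expectation(self) -> float:
        """Projected probability: the uncertainty mass is split according to the base rate."""
        return self.b + self.a * self.u


def discount(trust_in_source: Opinion, source_opinion: Opinion) -> Opinion:
    """Trust transitivity (uncertainty-favouring discounting).

    A holds `trust_in_source` about B, and B reports `source_opinion` about device X.
    Only A's belief in B carries B's belief and disbelief through; whatever A does not
    believe about B turns into uncertainty about X.
    """
    bt = trust_in_source.b
    return Opinion(bt * source_opinion.b,
                   bt * source_opinion.d,
                   1.0 - bt * (source_opinion.b + source_opinion.d),
                   source_opinion.a)


def fuse(x: Opinion, y: Opinion) -> Opinion:
    """Cumulative fusion of two independent opinions about the same proposition.

    Each opinion is weighted by the other's uncertainty, so a confident observer
    dominates a vague one, and the combined uncertainty is always lower than either input.
    """
    if x.u == 1.0 and y.u == 1.0:   # both vacuous: nothing but base rates to combine
        return Opinion(0.0, 0.0, 1.0, (x.a + y.a) / 2)
    k = x.u + y.u - x.u * y.u
    if k == 0.0:                    # both dogmatic (u == 0): average them
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, (x.a + y.a) / 2)
    a = (x.a * y.u + y.a * x.u - (x.a + y.a) * x.u * y.u) / (x.u + y.u - 2 * x.u * y.u)
    return Opinion((x.b * y.u + y.b * x.u) / k,
                   (x.d * y.u + y.d * x.u) / k,
                   (x.u * y.u) / k,
                   a)


def score_device(direct: Opinion, trust_in_vendor: Opinion, vendor_report: Opinion) -> Opinion:
    """Combine a gateway's own observation of a device with a vendor's discounted report."""
    return fuse(direct, discount(trust_in_vendor, vendor_report))


def admit(opinion: Opinion, threshold: float) -> bool:
    """Policy hook: admit the device to the network only if the projected trust is high enough."""
    return opinion.expectation() >= threshold


if __name__ == "__main__":
    # Constructed scenario (hypothetical values): a gateway has observed an infusion pump
    # briefly (little evidence, so much uncertainty), and a vendor attestation service it
    # trusts fairly well reports on the same pump's firmware.
    direct = Opinion(b=0.4, d=0.0, u=0.6)
    trust_in_vendor = Opinion(b=0.8, d=0.1, u=0.1)
    vendor_report = Opinion(b=0.6, d=0.2, u=0.2)
    combined = score_device(direct, trust_in_vendor, vendor_report)
    print("direct only   :", round(direct.expectation(), 3))
    print("vendor (disc.):", round(discount(trust_in_vendor, vendor_report).expectation(), 3))
    print("fused         :", round(combined.expectation(), 3), "u =", round(combined.u, 3))
    print("admit pump-1  :", admit(combined, threshold=0.7))
```

Note how the vendor's report, worth a projected 0.7 to the vendor itself, is worth only 0.66 after discounting by the gateway's 0.8 belief in the vendor, and how fusing it with the gateway's own observation lowers uncertainty from 0.6 and 0.36 to about 0.29. The threshold decision is the point where such a middleware becomes an attack target: an adversary who can inflate a single source's belief, or who controls a source the gateway trusts too much, moves the fused value.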
One of the goals of the project is to provide a trust management framework that is secure by design, that is, one whose implementation is based on formally verified trust models created at design time. Again, a number of techniques are applicable to this challenge. For example, the security protocols that will be designed and verified usually involve a behavioral part (the allowed order of messages between the parties) and a cryptographic part (the keys and cryptographic algorithms used). The cryptographic aspect can be verified by mathematical proofs that show the strength of the solution. The behavioral part can be modeled in several state-of-the-art specification languages and verified in general-purpose model checkers or in dedicated security protocol verifiers. Furthermore, this novel trust management framework will be accompanied by a reference architecture and guidelines that facilitate its application and tailoring to specific software and hardware contexts.
Even if a design model is proven to be correct with regard to its requirements, there is no guarantee that the implementation follows the design. The implementation still needs to be thoroughly tested, or its behavior needs to be monitored. ENTRUST will rely on both approaches. Concerning testing, fuzzing is a popular technique for detecting security-related defects in software. Another approach in the project's focus area is concolic testing, which combines static analysis with symbolic execution of the software.
Runtime verification and monitoring is a dynamic analysis technique in which the behavior of a system is observed at runtime and checked against given conditions. This technique is applicable in highly dynamic environments where not all potential changes can be anticipated, modeled, and verified. An ecosystem of connected medical devices is clearly such an environment, with devices coming from multiple vendors, with different hardware and software capabilities, and with software and firmware updates that are not always verified. To this end, runtime monitoring techniques will be used as the basis for runtime attestation.
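The behavioral part of a protocol (the allowed order of messages, as described above for protocol verification) is exactly what a runtime monitor can check on a live system, without knowing every device in advance. The following added example (not ENTRUST code) is a small monitor for a hypothetical, simplified attestation exchange, assumed to be challenge → quote → result, that flags out-of-order messages and two runtime conditions a verifier would care about: the quote must echo the nonce of the open challenge, and it must arrive within a time limit. The event trace and device names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed (hypothetical) message order of one attestation round per device:
#   challenge(nonce) -> quote(nonce) -> result
# Two additional runtime conditions are monitored:
#   1. the quote must carry the nonce of the currently open challenge (freshness)
#   2. the quote must arrive within MAX_QUOTE_DELAY seconds of its challenge
MAX_QUOTE_DELAY = 5.0


@dataclass
class Event:
    ts: float                    # seconds since trace start
    device: str                  # device the message concerns
    kind: str                    # "challenge" | "quote" | "result"
    nonce: Optional[str] = None  # present on challenge and quote


@dataclass
class Monitor:
    """Finite-state monitor for one device's attestation rounds."""
    state: str = "IDLE"
    open_nonce: Optional[str] = None
    open_ts: float = 0.0
    violations: List[str] = field(default_factory=list)

    def observe(self, e: Event) -> Optional[str]:
        """Feed one event; return a violation description, or None if the step was allowed."""
        verdict = None
        if self.state == "IDLE":
            if e.kind == "challenge":
                self.open_nonce, self.open_ts, self.state = e.nonce, e.ts, "CHALLENGED"
            else:
                verdict = f"{e.device}: unexpected {e.kind} in state IDLE"
        elif self.state == "CHALLENGED":
            if e.kind != "quote":
                verdict = f"{e.device}: unexpected {e.kind} in state CHALLENGED"
            elif e.nonce != self.open_nonce:
                verdict = (f"{e.device}: quote nonce {e.nonce!r} does not match "
                           f"challenge nonce {self.open_nonce!r}")
            elif e.ts - self.open_ts > MAX_QUOTE_DELAY:
                verdict = (f"{e.device}: quote arrived {e.ts - self.open_ts:.1f}s "
                           f"after challenge (limit {MAX_QUOTE_DELAY}s)")
            else:
                self.state = "QUOTED"
        elif self.state == "QUOTED":
            if e.kind == "result":
                self.state = "IDLE"
            else:
                verdict = f"{e.device}: unexpected {e.kind} in state QUOTED"
        if verdict is not None:
            # Record the violation and resynchronise so later rounds are still checked.
            self.violations.append(verdict)
            self.state, self.open_nonce = "IDLE", None
        return verdict


def check_trace(events: List[Event]) -> List[str]:
    """Run one monitor per device over a time-ordered trace and collect all violations."""
    monitors: Dict[str, Monitor] = {}
    violations: List[str] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        verdict = monitors.setdefault(e.device, Monitor()).observe(e)
        if verdict is not None:
            violations.append(verdict)
    return violations


# Constructed sample traces (not real device data).
GOOD_TRACE = [
    Event(0.0, "pump-1", "challenge", "n1"),
    Event(1.0, "pump-1", "quote", "n1"),
    Event(1.5, "pump-1", "result"),
]

BAD_TRACE = [
    Event(0.0, "pump-2", "quote", "n9"),        # quote without a challenge
    Event(1.0, "pump-2", "challenge", "n2"),
    Event(2.0, "pump-2", "quote", "n1"),        # stale nonce
    Event(3.0, "pump-2", "challenge", "n3"),
    Event(10.0, "pump-2", "quote", "n3"),       # too late
]

if __name__ == "__main__":
    print("good:", check_trace(GOOD_TRACE))
    for v in check_trace(BAD_TRACE):
        print("bad :", v)
```

The same state machine could be derived from the verified behavioral model of the protocol, which is what ties design-time verification to runtime attestation: the monitor does not decide whether a quote is genuine (that is the cryptographic part), only whether the observed sequence is one the model allows. Keeping one monitor per device lets traces from many vendors' devices interleave without confusing their rounds.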
Finally, the project envisages the use of digital twins (DT) as a testbed for simulating various attack scenarios and testing the device software before its actual deployment. Historical data about device behavior captured by the DT can also be used for machine learning and for detecting anomalies in devices.