Periodic Reporting for period 1 - SecOPERA (Secure OPen source softwarE and hardwaRe Adaptable framework)
Berichtszeitraum: 2023-01-01 bis 2024-06-30
SecOPERA will provide a one-stop hub for complex open-source software and open-source hardware (OSS/OSH) solutions delivering to system designers and operators and OSS/OSH developers and testers the means to analyze, assess, secure/harden, and share open-source solutions. The SecOPERA hub will offer an open-source framework supporting the DevSecOps lifecycle and generate solutions along with appropriate, verifiable security guarantees. The main objectives of the project are:
*Provide a complete security auditing-testing toolbox.
*Research and develop security hardening and enhancement of open-source solutions.
*Deliver adaptable security solutions for the open-source community.
*Establish the SecOPERA hub with a pool of open-source solutions & develop the SecOPERA framework with the tools to support the secure development lifecycle.
*Validate SecOPERA solution in two industrial pilots across several use cases.
*Provide a viable, open-source compliant exploitation.
*Provide a complete security auditing-testing toolbox.
*Research and develop security hardening and enhancement of open-source solutions.
*Deliver adaptable security solutions for the open-source community.
*Establish the SecOPERA hub with a pool of open-source solutions & develop the SecOPERA framework with the tools to support the secure development lifecycle.
*Validate SecOPERA solution in two industrial pilots across several use cases.
*Provide a viable, open-source compliant exploitation.
WP1 defined SecOPERA's general management procedures, including quality assurance, risk analysis, the Data Management Plan, Innovations, and Open-source Legal Management. The SecOPERA Advisory Board, with four external members, was established, and their initial feedback has been received.
WP2 conducted an initial market and SWOT analysis. Dissemination KPIs are progressing, with participation in 24 events and 17 scientific papers published. Individual exploitation plans were gathered. Current and emerging standards were reviewed, fostering two-way interaction between SecOPERA and standardisation bodies.
WP3 focused on deriving relevant threat models for the SecOPERA platform alongside technology and user requirements. It produced the first version of the SecOPERA reference architecture. The threat models required an initial threat model reduction to derive meaningful attacks for the project. Given SecOPERA's broad scope, which decomposes an application into four layers, each layer was analysed for potential vulnerabilities. To achieve this, we reviewed popular threat-modelling approaches and opted to extend STRIDE with enhanced matrices incorporating the SecOPERA layering perspective.
For technology requirements, a comprehensive analysis identified the components/engines associated with each SecOPERA framework pillar. Each partner owning technical components of the SecOPERA infrastructure completed a series of data collection documents. Technical requirements aligning with the framework's objectives were extracted for each component. For user requirements, we provided an overview of various end users who benefit from SecOPERA’s security features, grouped into categories. This categorisation ensures that the framework is applicable to a wide array of users.
WP4 focuses on the research and development of security-related primitive modules, providing core functionality for SecOPERA engines and populating the secure module pool. In RP1, various primitive modules were identified for each SecOPERA layer. The architecture of each primitive module and initial versions were evaluated and tested. Plans were sketched for how these modules should operate in their final versions, identifying their inputs and outputs for integration into the overall SecOPERA solution. Each module’s implementation maturity varies, with hardware-focused modules taking longer to develop.
WP5 started at the very end of RP1. WP5 will build upon WP4 components, coordinate with WP6, and ensure all engines can transmit results to the SecOPERA dashboard in an appropriate format.
WP6 focuses on the integration and validation of the SecOPERA framework. The work includes integrating SecOPERA components and services into a unified framework, defining use cases, adjusting the framework to pilot needs, and aligning SecOPERA outputs with project objectives. During RP1, the SecOPERA MVP was released.
WP2 conducted an initial market and SWOT analysis. Dissemination KPIs are progressing, with participation in 24 events and 17 scientific papers published. Individual exploitation plans were gathered. Current and emerging standards were reviewed, fostering two-way interaction between SecOPERA and standardisation bodies.
WP3 focused on deriving relevant threat models for the SecOPERA platform alongside technology and user requirements. It produced the first version of the SecOPERA reference architecture. The threat models required an initial threat model reduction to derive meaningful attacks for the project. Given SecOPERA's broad scope, which decomposes an application into four layers, each layer was analysed for potential vulnerabilities. To achieve this, we reviewed popular threat-modelling approaches and opted to extend STRIDE with enhanced matrices incorporating the SecOPERA layering perspective.
For technology requirements, a comprehensive analysis identified the components/engines associated with each SecOPERA framework pillar. Each partner owning technical components of the SecOPERA infrastructure completed a series of data collection documents. Technical requirements aligning with the framework's objectives were extracted for each component. For user requirements, we provided an overview of various end users who benefit from SecOPERA’s security features, grouped into categories. This categorisation ensures that the framework is applicable to a wide array of users.
WP4 focuses on the research and development of security-related primitive modules, providing core functionality for SecOPERA engines and populating the secure module pool. In RP1, various primitive modules were identified for each SecOPERA layer. The architecture of each primitive module and initial versions were evaluated and tested. Plans were sketched for how these modules should operate in their final versions, identifying their inputs and outputs for integration into the overall SecOPERA solution. Each module’s implementation maturity varies, with hardware-focused modules taking longer to develop.
WP5 started at the very end of RP1. WP5 will build upon WP4 components, coordinate with WP6, and ensure all engines can transmit results to the SecOPERA dashboard in an appropriate format.
WP6 focuses on the integration and validation of the SecOPERA framework. The work includes integrating SecOPERA components and services into a unified framework, defining use cases, adjusting the framework to pilot needs, and aligning SecOPERA outputs with project objectives. During RP1, the SecOPERA MVP was released.
The main scientific result of WP3 is the enhanced STRIDE-based matrices describing the threat models addressed by SecOPERA. STRIDE categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) were combined with SecOPERA layers, resulting in two-dimensional vectors for attacks. Other WP3 results include documentation-based research to derive requirements driving the implementation of technical WPs (WP4-WP6).
WP4’s main focus is designing the SecOPERA Technology/Enablers, including assessment and hardening primitive modules for SecOPERA engines and the secure module pool. In RP1, various components were developed across four layers, each advancing the SOTA. At the device layer, innovations include Hardware and Software IP Cores for Side Channel Assessment modules with a flexible and fast trace collection mechanism and a trace analysis engine using Post-Quantum Cryptography Deep Learning-based SCAs. Additionally, a Control Flow Integrity RISC-V soft core was developed. At the network layer, we offer a Network Dynamic Vulnerability Assessment that performs automatic network vulnerability tests and security protocol implementations with quantum attack resistance. We also provide a beyond-SOTA Trust-based Intrusion Detection and Prevention solution for assessing the runtime behaviour of networking entities.
At the application layer, we offer a Static C Source Code Analyser extending the Frama-C open-source framework with innovative plugins for code debloating, alias analysis, and AI-enriched fusser mutation prioritisation strategies for fast and effective fuzzing. A code debloating primitive generating Fine-Grained Project Dependency Graphs (FPDG) was introduced, enabling deeper code base reduction. At the cognitive layer, we provide an innovative ML Privacy and adversarial attack assessment toolbox extending existing methods, including modules like FastMLH for rapid protection against SOTA black-box privacy attacks, until a fully sanitised ML model is derived.
WP5 has been active for one month in RP1, with the most significant result being the design of the decomposition engine output format. This is crucial for WP5, as subsequent analyses rely on this decomposition to identify components and their respective layers. A first decomposition was done manually for each pilot and serves as the basis for initial experiments.
For SecOPERA component integration, a microservices architecture is used, facilitating the invocation of multiple tools and services within the framework. SOTA technologies were employed for the backend infrastructure, including an orchestrator component, an API gateway between the front-end and back-end, and a database with various repositories.
WP4’s main focus is designing the SecOPERA Technology/Enablers, including assessment and hardening primitive modules for SecOPERA engines and the secure module pool. In RP1, various components were developed across four layers, each advancing the SOTA. At the device layer, innovations include Hardware and Software IP Cores for Side Channel Assessment modules with a flexible and fast trace collection mechanism and a trace analysis engine using Post-Quantum Cryptography Deep Learning-based SCAs. Additionally, a Control Flow Integrity RISC-V soft core was developed. At the network layer, we offer a Network Dynamic Vulnerability Assessment that performs automatic network vulnerability tests and security protocol implementations with quantum attack resistance. We also provide a beyond-SOTA Trust-based Intrusion Detection and Prevention solution for assessing the runtime behaviour of networking entities.
At the application layer, we offer a Static C Source Code Analyser extending the Frama-C open-source framework with innovative plugins for code debloating, alias analysis, and AI-enriched fusser mutation prioritisation strategies for fast and effective fuzzing. A code debloating primitive generating Fine-Grained Project Dependency Graphs (FPDG) was introduced, enabling deeper code base reduction. At the cognitive layer, we provide an innovative ML Privacy and adversarial attack assessment toolbox extending existing methods, including modules like FastMLH for rapid protection against SOTA black-box privacy attacks, until a fully sanitised ML model is derived.
WP5 has been active for one month in RP1, with the most significant result being the design of the decomposition engine output format. This is crucial for WP5, as subsequent analyses rely on this decomposition to identify components and their respective layers. A first decomposition was done manually for each pilot and serves as the basis for initial experiments.
For SecOPERA component integration, a microservices architecture is used, facilitating the invocation of multiple tools and services within the framework. SOTA technologies were employed for the backend infrastructure, including an orchestrator component, an API gateway between the front-end and back-end, and a database with various repositories.