Periodic Reporting for period 2 - REWIRE (REWiring the ComposItional Security VeRification and AssurancE of Systems of Systems Lifecycle)
Período documentado: 2024-04-01 hasta 2025-09-30
In a hyper-connected digital world, cyber threats are becoming a major issue, compromising the safety and privacy. the REWIRE project introduced a holistic cybersecurity platform that can continuously monitor open-source HW/SW IoT devices, assessing potential threats. The platform will protects throughout the IoT device lifetime. The novel solutions tested across 3 smart pilots – automotive, cities and satellites – paving the way for secure data exchange, cyber-resilience, interoperability and scalability in heterogeneous IoT ecosystems.
REWIRE has delivered a wide range of advanced technical and scientific innovations, fully integrated into its modular and lifecycle-oriented architecture. REWIRE's major contributions are integrated into the framework’s architecture, and are the following:
• Compositional Security at Design-time: As part of the design-time phase, REWIRE ensures the robust system designs through the delivery of the REWIRE formal verification toolchain.
• Zero-touch Onboarding (ZTO): REWIRE ensures autonomous commissioning of devices into networks while maintaining stringent security, privacy, and Trust standards. The ZTO mechanism ensures that only trusted devices, i.e. devices with correct configuration and identity credentials can be onboarded.
• Configuration Integrity Verification with Verifiable Policy Enforcement (VPE): A novel attestation mechanism has been developed to verify the integrity of device configuration and binaries, allowing VPE and the use of verifiable key restriction usage policies
• SW/FW Validation Service: REWIRE has developed a validation service for SW/FW, to detect potential issues before deployment, enhancing the security and reliability of system updates.
• SW Update Protocol: A secure software update protocol with side-channel resistance has been designed, ensuring that the confidentiality and authenticity of updates can be protected even against physical attackers.
• REWIRE Customizable TEE: REWIRE has extended the standard Keystone-based TEE with additional features. These enhancements, integrated with other REWIRE components, support secure runtime operations and augment edge devices.
• Real-time Tracing and Behavioral Attestation: Continuous monitoring and attestation of device behavior ensures real-time security and operational integrity. A new tracer is being designed based on the use of monitoring hooks, aspiring to minimize the overhead footprint on the target device’s system.
• Verifiable Presentations for Auditing and Certification: REWIRE has developed advanced cryptographic protocols, such as the signcryption scheme for the creation of verifiable presentations (VPs) to enable controlled privacy through the selective disclosure of verifiable attributes.
• Advanced cryptographic schemes and Access Control: REWIRE employs attribute-based encryption (ABE) and attribute-based access control (ABAC), along with a robust key management system within its Trusted Execution Architecture.
• Blockchain-based privacy-preserving data sharing and management: REWIRE delivers a BC infrastructure to facilitate secure and privacy-preserving data sharing and management, based on Secure Oracles, Hyperledger Besu, and Fabric Private Chain.
• AI-based Misbehavior Detection: The integration of AI for detecting anomalous events in systems’ operation, enhancing the ability to identify and respond to security threats.
• Continuous and Modular Risk and Trust Assessment: The project implements a dynamic risk assessment framework, allowing for ongoing evaluation and mitigation of potential risks.
Each of these components has been successfully developed, tested, and validated, contributing to a robust, scalable, and future-proof security SoS for IoT ecosystems.
• Compositional Security at Design-time: As part of the design-time phase, REWIRE ensures the robust system designs through the delivery of the REWIRE formal verification toolchain.
• Zero-touch Onboarding (ZTO): REWIRE ensures autonomous commissioning of devices into networks while maintaining stringent security, privacy, and Trust standards. The ZTO mechanism ensures that only trusted devices, i.e. devices with correct configuration and identity credentials can be onboarded.
• Configuration Integrity Verification with Verifiable Policy Enforcement (VPE): A novel attestation mechanism has been developed to verify the integrity of device configuration and binaries, allowing VPE and the use of verifiable key restriction usage policies
• SW/FW Validation Service: REWIRE has developed a validation service for SW/FW, to detect potential issues before deployment, enhancing the security and reliability of system updates.
• SW Update Protocol: A secure software update protocol with side-channel resistance has been designed, ensuring that the confidentiality and authenticity of updates can be protected even against physical attackers.
• REWIRE Customizable TEE: REWIRE has extended the standard Keystone-based TEE with additional features. These enhancements, integrated with other REWIRE components, support secure runtime operations and augment edge devices.
• Real-time Tracing and Behavioral Attestation: Continuous monitoring and attestation of device behavior ensures real-time security and operational integrity. A new tracer is being designed based on the use of monitoring hooks, aspiring to minimize the overhead footprint on the target device’s system.
• Verifiable Presentations for Auditing and Certification: REWIRE has developed advanced cryptographic protocols, such as the signcryption scheme for the creation of verifiable presentations (VPs) to enable controlled privacy through the selective disclosure of verifiable attributes.
• Advanced cryptographic schemes and Access Control: REWIRE employs attribute-based encryption (ABE) and attribute-based access control (ABAC), along with a robust key management system within its Trusted Execution Architecture.
• Blockchain-based privacy-preserving data sharing and management: REWIRE delivers a BC infrastructure to facilitate secure and privacy-preserving data sharing and management, based on Secure Oracles, Hyperledger Besu, and Fabric Private Chain.
• AI-based Misbehavior Detection: The integration of AI for detecting anomalous events in systems’ operation, enhancing the ability to identify and respond to security threats.
• Continuous and Modular Risk and Trust Assessment: The project implements a dynamic risk assessment framework, allowing for ongoing evaluation and mitigation of potential risks.
Each of these components has been successfully developed, tested, and validated, contributing to a robust, scalable, and future-proof security SoS for IoT ecosystems.
REWIRE introduces a next-generation, lifecycle-oriented trust architecture designed to strengthen the security and resilience of IoT and embedded systems across the compute continuum. It combines formally verified software/hardware co-design, policy-based runtime assurance, enhanced Trusted Execution Environment (TEE) capabilities, and blockchain-anchored trust evidence to deliver end-to-end system integrity. Through a security-by-design approach, REWIRE ensures protocol and system correctness at the design phase via a modern formal verification toolchain. At runtime, it enables trust-aware Zero-Touch Onboarding (ZTO) and continuous Configuration Integrity Verification, supported by a Verification Policy Engine (VPE) that guarantees enforceable and adaptable security policies throughout the device lifecycle. REWIRE significantly extends the open-source Keystone TEE, incorporating secure key management, TEE state migration, and secure software updates, particularly critical for unattended or remote IoT deployments. These are supported by secure openSBI-based interfaces that ensure robust communication between trusted and untrusted environments. Uniquely, REWIRE leverages confidential computing and blockchain to enable privacy-preserving smart contract execution via Hyperledger Besu, Fabric Private Chaincode, and secure oracles. This integration ensures both data confidentiality and verifiable trust, even in decentralized systems.