CORDIS - EU research results

Revolutionised Enhanced Supply Chain Automation with Limited Threats Exposure

Periodic Reporting for period 1 - RESCALE (Revolutionised Enhanced Supply Chain Automation with Limited Threats Exposure)

Reporting period: 2023-10-01 to 2025-03-31

RESCALE aims at designing, building, and demonstrating secure-by-design supply chains. RESCALE will (i) automate the evaluation processes of both software and hardware components, (ii) ensure that third-party segments are free from vulnerabilities, (iii) offer effective audit procedures for cybersecurity testing, and (iv) enable the construction of secure systems with the strongest possible guarantees. By generating a novel TBOM mechanism, the project will systematically analyse and extend every hardware and software layer in a computing system and apply state-of-the-art tools and methodologies at every step of the entire supply chain.
O1 - Design and develop a complete toolbox to audit and increase the security of the supply chain, based on emerging technologies for both hardware and software modules.
O2 - Detect and safeguard the hardware elements of supply chain systems by detecting vulnerabilities to implementation attacks at the pure IP core level and the processor level (such as side-channel, cache, and microarchitectural attacks), and extend the security capabilities of software modules via innovative fuzzy hashing techniques, symbolic execution methods, and static and dynamic analysis.
O3 - Provide a Trusted BOM approach that will infuse trust in the software and hardware supply chain and promote trusted updates.
O4 - Demonstrate and validate the effectiveness and accuracy of the proposed solutions in two complementary use cases with the active engagement of several stakeholders, reaching TRL4 for the entire platform by the end of the project.
O5 - Ensure wide visibility and raise awareness of the security of software and hardware components in supply chains through communication and dissemination of the project's results, along with the business exploitation of the proposed tools and processes towards the rapid adoption of RESCALE solutions.
The work started by defining an initial set of use cases together with the user requirements. In parallel, we performed a state-of-the-art (SotA) analysis, identified key technologies, and defined the initial Technical Requirements. Based on these outcomes, the Initial High Level Architecture was outlined, along with the user types and user journeys.
With these achievements, we started working on assessment tools within WP3. These tools include Static Code Analysers and Formal Verification Methods: SASTer, a bundle of static analysis tools tailored for Python and C/C++ that leverages ML to identify security issues; CodeBERT, a transformer-based language model adapted to code, to enhance vulnerability detection; SAVE-ME, to identify vulnerabilities in Erlang code; DetectEr, a runtime verification tool for Erlang; and IVEE, the Intelligent Vulnerabilities Exposure Engine, which uses symbolic execution to provide a thorough assessment of software components.
We also researched and developed RAISE, a comprehensive API fuzzing tool that includes an ML model to optimize fuzzing efficiency and precision, and EvoMaster, an API fuzzing tool that can automatically generate system-level test cases for web and enterprise applications.
At the hardware and low-level system layer, we developed the Dynamic Hardware Analyzer, to perform side-channel leakage assessment on cryptographic IP cores; SafeFetch, a detection and protection system for kernel double-fetch bugs; InSpectre Gadget, which uses symbolic execution to reason about the exploitability of usable gadgets for transient execution attacks; and FATex, to analyze embedded firmware.
We also developed the Static and Dynamic Supply Chain Guarantee (SSCG and DSCG) generators, which produce the necessary portions of the Trusted BOM (TBOM). In parallel, we conducted a thorough and detailed analysis of the current state of the art of existing BOM formats and selected CycloneDX. Using CycloneDX as the BOM specification language for the TBOM, we designed and specified the structure of the TBOM, detailing its fields, formats, and functionalities.
To provide additional security assurances after a TBOM has been generated, we have incorporated the Continuous Security Assurance Platform, which monitors existing TBOMs and potential new vulnerabilities reported in the CVE and CWE databases in order to generate new vulnerability alerts and notify TBOM users. To provide security and trust mechanisms for the authenticity and accountability of TBOM information, we selected Hyperledger Besu from a number of potential blockchain frameworks and implemented smart contracts for storing and retrieving TBOMs in the blockchain. Once all these modules and technologies had reached an MVP level of maturity, we started integrating them and developing the Trust Orchestrator and the TBOM validator, along with the RESCALE dashboard, in order to create the first RESCALE MVP implementation. Meanwhile, we identified how the pilots would start experimenting with the RESCALE platform and the static and dynamic analysis modules using CI/CD techniques, and performed some initial validation and evaluation of the current RESCALE platform and existing modules.
In WP3 we focused on enhancing the technical capabilities of security analysis tools, including the development of comprehensive static and dynamic testing frameworks. The Static Code Analysis Module leverages state-of-the-art machine learning and deep learning techniques to detect software vulnerabilities with high precision, significantly reducing false positives. It is supported by formal verification methods and symbolic execution, ensuring that software components meet critical behavioral and safety requirements. The module also facilitates the creation of the SSCG, which aggregates static analysis results into a structured, verifiable format for the TBOM.
Dynamic testing capabilities have also been advanced through the development of specialized tools such as RAISE and EvoMaster. These tools conduct real-time vulnerability assessments using fuzzing and runtime behavioral analysis, in support of the DSCG. The project has also focused on the security of low-level system components through innovations such as SafeFetch, FATex, and InSpectre Gadget, which address vulnerabilities at the firmware and microarchitectural levels, such as double-fetch issues and Spectre-type attacks. Finally, the Dynamic Hardware Analyzer performs side-channel leakage assessments on hardware components, especially in cloud-based FPGA environments, adding another layer of protection against hardware-based threats. These technologies mark a significant advancement in secure-by-design methodologies for complex digital supply chains.
WP4 has also yielded a significant innovation in the form of the TBOM specification, along with the formal definition of the lifecycle and the incorporation of a vulnerability level. These elements contribute to the TBOM's robustness and adaptability, enhancing its utility within secure supply chain frameworks. Its modular and flexible nature ensures it can be adapted to and integrated with a wide array of existing BOM formats, thereby offering a far more generic and widely applicable solution.
RESCALE Architecture