CORDIS - EU research results

Trusted Apps for open CPS

Periodic Reporting for period 2 - TAPPS (Trusted Apps for open CPS)

Reporting period: 2016-07-01 to 2017-12-31

Cyber-physical systems (CPS) are devices with sensors and actuators that link the physical and the virtual world. An example is a connected vehicle able to read information from the road and combine it with cloud computing to provide new services to the driver. In many areas of CPS devices there is a strong trend towards open systems, which can be extended during operation by adding functionality on demand. In this area, the Trusted Apps for Open Cyber-Physical Systems (TAPPS) project focuses on functional extension through apps, as is already common for mobile and other consumer devices. However, such devices raise considerable security issues, as experience with other IT systems such as mobile devices and their apps has shown. Considering the sensitive interactions of CPS, including security, safety and privacy aspects, we see trust in such devices as a major societal challenge, one that goes beyond the current role of computing in society.

The main goal of the TAPPS project is to extend and customize CPS devices with new third-party services and features through an efficient, secure and trusted app platform. This extensibility is an important differentiator that enables new market extensions to keep pace with user expectations and the latest technology. For instance, current apps for automotive vehicles provide infotainment functionality or control basic settings, neither of which is safety critical. The TAPPS solution is validated in three application domains: automotive, medical and industrial automation.

The TAPPS architecture under development provides several independent layers of security. Its main security features are: (1) computing and network virtualization based on novel, flexible hardware security mechanisms, while maintaining the stringent real-time constraints of cyber-physical systems (CPS) and their internal networks, (2) fine-grained access control to off-chip network resources of the smart cyber-physical device to ensure safety and privacy, and (3) formally verified applications (apps) to ensure correct and secure behavior.
For the last feature, we plan an end-to-end solution for the development and deployment of trusted apps. The implementation will consist of (1) an application store for the management and deployment of CPS apps, supporting different execution environments, and (2) a model-based development toolchain for designing and implementing trusted apps, including APIs and verification tools. The toolchain design will follow and extend existing standards.
During the first reporting period (M1-M18) the project performed a comprehensive requirements analysis from both a technical and an application point of view. The architectural framework proposed by the project includes: (1) the overall analysis of requirements for the cyber-physical architecture, considering both industry-driven requirements ("market pull") and technology-push requirements, (2) a common notion of basic terms and concepts, (3) a definition of the different security layers and the components needed for them, and (4) a detailed description of the tool chain for the development of apps and of the methods for verifying these apps.

The TAPPS architecture, shown in the attached figure, addresses all necessary layers, from hardware through software to an app store, ensuring security and full real-time support for the applications. This includes three dedicated execution environments as the main security features of the connected TAPPS architecture. The novel TAPPS architecture rests on three pillars. The first pillar is the basic concept of trusted execution platforms. Whereas other virtual execution platforms (e.g. Java) aim at full separation of apps within a single runtime, we propose a multi-faceted approach consisting of isolated execution environments, a trusted toolchain, and a trusted install and boot process. This makes full use of the available hardware capabilities, such as virtualization, STNoC (Network on Chip) security and ARM TrustZone features, and provides a secure end-to-end solution from the development of an app to its use. The concept ensures that apps are thoroughly checked and verified by the toolchain, e.g. with the help of a model checker or a trusted third party, before they are submitted to the app store.

The second pillar is trusted, real-time capable resource management. This resource management performs the runtime checks and provisions the system with respect to the resource utilization and timing constraints of individual apps. The Safety Integration Layer (SIL) is in charge of enforcing the timing and resource requirements of the different apps and guaranteeing a feasible overall system schedule. This is achieved by configuring the hardware partitions and resource assignments within the STNoC and the ARM TrustZone worlds.

To integrate TAPPS-based systems into larger cyber-physical systems, the TAPPS architecture considers two different trusted interconnections as its third pillar: a secure CAN bus derivative, the sCAN, and a deterministic Ethernet. Both aim to integrate the communication of multiple apps of different security levels on a single bus while still maintaining the requested real-time behavior. As above, the SIL is in charge of resource control.
The technical achievements of the project can be summarized as follows: a novel architecture for trusted apps was designed, based on a novel classification of apps into three categories with corresponding execution environments. This includes a novel multi-layer security model as well as an end-to-end deployment and app management approach, including a development tool chain. Secure boot and resource management for real-time environments are included in a seamless way.
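The SIL's task of guaranteeing a feasible overall schedule, both for the apps on the device and for the traffic they place on the shared bus, can be made concrete as an admission check run at install time: a new app is accepted only if every deadline in the resulting app set is still met. The following Python is an added example and not code from the TAPPS project. The report does not say which schedulability analysis the SIL uses, so the choice of fixed-priority response-time analysis with deadline-monotonic priorities, the fields of the App record, and the sample app set are all assumptions made here for illustration.

```python
"""Install-time admission check for real-time apps (added example).

Assumption: fixed-priority preemptive scheduling with deadline-monotonic
priorities, analysed with classic response-time analysis (Joseph & Pandya).
The TAPPS report does not name the SIL's analysis; this is one plausible choice.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class App:
    name: str
    wcet: int      # worst-case execution time per activation (time units)
    period: int    # minimum inter-arrival time between activations
    deadline: int  # relative deadline; the analysis assumes deadline <= period


def response_times(apps: List[App]) -> Dict[str, Optional[int]]:
    """Worst-case response time of every app, or None if it misses its deadline.

    Priorities are deadline-monotonic: a shorter deadline means a higher
    priority. For app i the response time r solves
        r = C_i + sum over higher-priority j of ceil(r / T_j) * C_j
    which is iterated from r = C_i until it converges or exceeds D_i.
    """
    ordered = sorted(apps, key=lambda a: (a.deadline, a.name))
    result: Dict[str, Optional[int]] = {}
    for i, app in enumerate(ordered):
        higher = ordered[:i]
        r = app.wcet
        while True:
            # integer ceiling division keeps the arithmetic exact
            interference = sum(((r + h.period - 1) // h.period) * h.wcet for h in higher)
            r_next = app.wcet + interference
            if r_next > app.deadline:
                result[app.name] = None   # deadline miss: no need to iterate further
                break
            if r_next == r:
                result[app.name] = r      # fixed point reached
                break
            r = r_next
    return result


def admit(installed: List[App], candidate: App) -> bool:
    """True if the candidate can be installed without any app missing a deadline.

    Note that the failing app may be an already installed one: a newcomer with
    a tight deadline gets a high priority and can starve lower-priority apps,
    so the whole set is re-analysed, not just the candidate.
    """
    if any(a.name == candidate.name for a in installed):
        raise ValueError(f"app name already in use: {candidate.name}")
    if candidate.wcet <= 0 or candidate.period <= 0:
        raise ValueError("wcet and period must be positive")
    if candidate.deadline > candidate.period or candidate.deadline <= 0:
        raise ValueError("analysis requires 0 < deadline <= period")
    rt = response_times(installed + [candidate])
    return all(v is not None for v in rt.values())


# Constructed sample app set (hypothetical names and timing values).
INSTALLED = [
    App("lane_keeping", wcet=1, period=5, deadline=5),
    App("engine_map", wcet=2, period=10, deadline=6),
]

if __name__ == "__main__":
    for cand in (App("traffic_info", 3, 20, 20),   # fits comfortably
                 App("video_stream", 13, 20, 20),  # too much load, misses itself
                 App("diag_burst", 3, 8, 4)):      # tight deadline, breaks engine_map
        ok = admit(INSTALLED, cand)
        detail = response_times(INSTALLED + [cand])
        print(f"{cand.name:13s} {'ADMIT ' if ok else 'REJECT'} {detail}")
```

The third candidate is the case worth noticing: its own response time is fine, but because its deadline is the shortest it is scheduled first and pushes `engine_map` past its deadline, which is why an admission check must re-analyse the whole installed set rather than the new app in isolation.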

Regarding the project innovations, we have developed novel concepts for the efficient execution of trusted apps, specifically with respect to mapping resources and hardware requests to the underlying system. Different execution environments have been developed by extending the way the ARM Virtualization and Security (TrustZone) extensions are used and deployed on ARMv8 platforms. Each execution environment matches a specific level of criticality thanks to extensions developed for KVM (API remoting) and for the TrustZone monitor mode (VOSYSmonitor). Secure local communication has also been developed for both the Ethernet and CAN standards. The execution environments exploit and enhance existing hardware mechanisms such as ARM TrustZone, the STNoC security extensions and virtualization techniques. The work has produced new IPR and publications.

In addition, a novel tool chain based on existing open source software such as the 4DIAC modeling tool and the NuSMV model checker has been designed and developed to enable app verification. Furthermore, an innovative concept for app store integration has been designed.

Extensive and systematic evaluation of the results has been done for automotive, industrial automation and health applications in the form of concrete industrial prototypes. The wider societal implications of such trusted platforms go beyond the specific application domains and contribute towards a safe and secure digital society, for cyber-physical systems as well as other critical IT systems.