Periodic Reporting for period 2 - TAPPS (Trusted Apps for open CPS)
Reporting period: 2016-07-01 to 2017-12-31
The main goal of the TAPPS project is to extend and customize CPS devices with new 3rd party services and features in an efficient, secure and trusted apps platform. This extensibility is an important differentiator that enables new market extensions to keep pace with user expectations and latest technology. For instance, current apps for automotive vehicles provide infotainment functionality or control basic settings, both of which are not safety critical. The TAPPS solution is validated in three application domains, i.e. automotive, medical and industrial automation.
The TAPPS architecture – we are developing - provides several independent layers of security. The main characteristic security features are: (1) Computing and network virtualization based on novel, flexible hardware security mechanisms, while maintaining stringent real-time constraints in Cyber-Physical Systems (CPS) and their internal networks, (2) fine-grained access control to off-chip network resources of the smart cyber-physical device to ensure safety and privacy, and (3) formally verified applications (apps) to ensure correct and secure behavior.
For the last feature, we plan an end-to-end solution for development and deployment of trusted apps. The implementation will consist of (1) an application store for management and for deployment of CPS apps, supporting different execution environments, and (2) a model-based development toolchain for designing and implementing trusted apps including APIs and verification tools. The toolchain design will follow and extend existing standards.
The TAPPS architecture, shown in the attached figure, addresses all necessary layers from hardware over software to an app store ensuring security and full real-time support for the applications. This includes three dedicated execution environments as the main security features of the connected TAPPS architecture. The TAPPS novel architecture is based on three pillars. The first pillar is the basic concept of trusted execution platforms. While other virtual execution platforms (e.g. Java) provide full separation of apps, we propose a multi-faceted approach consisting of isolated execution environments, a trusted toolchain, and a trusted install and boot process. This optimally exploits the given hardware capabilities like the virtualization, STNoC (Network on Chip) security and ARM TrustZone features, and provides a secure end-to-end solution from the development until the usage of an app. The concept ensures that apps are intensively checked and verified by the toolchain, e.g. with the help of a model checker or a trusted third party, before they are submitted to the app store.
The second pillar includes the trusted and real-time capable resource management. This resource management performs the runtime checks and provides a provisioning of the system with respect to resource utilization and timing constraints of individual apps. The Safety Integration Layer (SIL) is in charge of enforcing the timing and resource requirements of the different apps and guaranteeing an overall sane system schedule. This is achieved through configuring the hardware partitions and resource assignments within the STNoC and the ARM TrustZone worlds.
To integrate TAPPS-based systems in larger cyber-physical systems, the TAPPS architecture considers two different trusted interconnections as the third pillar of the architecture. A secure CAN bus derivate, the sCAN, and a deterministic Ethernet. Both aim to integrate the communication of multiple apps of different security levels on a single bus, while still maintaining the requested real-time behavior. As above, the SIL is in charge of the resource control.
Regarding the project innovations, we have developed novel concepts for efficient execution of trusted apps, specifically with respect to the mapping of resources and hardware requests to the underlying system. Different execution environments have been developed by extending the way ARM Virtualization and Security (TrustZone) extensions are used and deployed on ARMv8 platforms. Each execution environment matches with a specific level of criticality thanks to extensions developed for KVM (API remoting) and for the TrustZone monitor mode (VOSYSmonitor). Also secure local communication havehas been developed for both on Ethernet and CAN standards. The execution environments exploit and enhance existing hardware mechanisms like ARM Trustzone, STNoC security extensions and virtualization techniques. Novel IPR and publications have been achieved.
In addition, a novel tool chain based on existing open source software such as the 4DIAC modeling tool and the NuSMV model checker have been designed and developed to enable app verification. Furthermore, an innovative concept for an app store integration has been designed.
Extensive and systematic evaluation of the results has beed done for automotive, automotive and health applications in the form of concrete industrial prototypes. The wider societal implication of such trusted platforms can go beyond the specific application domains and contributes towards a safe and secure digital society, for cyber-physical systems as well as other critical IT systems.