Trust Concepts in REWIRE & ENTRUST

In the series of webinars co-organised by REWIRE and ENTRUST as a result of their collaboration, representatives from the two projects focused on cybersecurity awareness for IT ecosystems. Both initiatives share a joint vision for enhancing trust in the compute continuum. While current efforts focus on device integrity, both projects aim to cover a wider range of trustworthiness properties, such as reliability and safety. Their shared vision is to converge trust with safety while avoiding resource-heavy security controls that disrupt normal system behavior.

More specifically, the session on Trust Concepts in REWIRE and ENTRUST elaborated on two types of trust: node-centered trust (device-based) and data-centered trust (communication-based). Both projects seek to combine these to assess the trust level of individual devices and of the overall service graph. A common element is the need for verifiable evidence from devices to characterize trust; because that evidence carries uncertainty, secure lifecycle management mechanisms are needed. Notably, REWIRE focuses on operational assurances through various mechanisms, while ENTRUST concentrates on medical devices. Both aim for secure information exchange and security by design using formal verification.

In addition, both projects achieve their goal of providing protection mechanisms supported by hardware-assisted roots-of-trust, which convert devices into hardware-based security tokens for verifiable evidence. The main challenge identified arises when trust levels have to be characterized from contradictory data reported by adjacent devices; ENTRUST uses subjective logic for trust assessment. To this end, the core aim remains to minimize the evidence required for an accurate trust assessment, relying on remote attestation mechanisms without making them overkill. The significant challenge in trust assessment is therefore handling contradicting evidence from different sources and determining which properties to monitor without excessive performance overhead.
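To make the contradictory-evidence problem concrete, here is an added example (not code from REWIRE or ENTRUST) that applies the standard subjective-logic operators to reports from adjacent devices. The node names, attestation counts and the `conflict_limit` threshold are constructed assumptions.

```python
from typing import NamedTuple

W = 2.0  # non-informative prior weight used for binomial opinions

class Opinion(NamedTuple):
    b: float        # belief that the device is trustworthy
    d: float        # disbelief
    u: float        # uncertainty (how little evidence there is)
    a: float = 0.5  # base rate (prior), assumed equal for all sources

    def projected(self):
        return self.b + self.a * self.u

def from_evidence(passed, failed, a=0.5):
    """Map counts of passed/failed attestation checks to an opinion."""
    total = passed + failed + W
    return Opinion(passed / total, failed / total, W / total, a)

def cumulative_fuse(x, y):
    """Cumulative fusion of two independent sources."""
    if x.u == 0 and y.u == 0:  # both dogmatic: weight them equally
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, x.a)
    k = x.u + y.u - x.u * y.u
    return Opinion((x.b * y.u + y.b * x.u) / k,
                   (x.d * y.u + y.d * x.u) / k,
                   (x.u * y.u) / k, x.a)

def degree_of_conflict(x, y):
    """Distance between projections, scaled by both sources' certainty."""
    return abs(x.projected() - y.projected()) * (1 - x.u) * (1 - y.u)

def assess(reports, conflict_limit=0.5):
    """Fuse all neighbour reports and list pairs that contradict each other."""
    ops = {n: from_evidence(p, f) for n, (p, f) in reports.items()}
    names = sorted(ops)
    conflicts = [(m, n) for i, m in enumerate(names) for n in names[i + 1:]
                 if degree_of_conflict(ops[m], ops[n]) > conflict_limit]
    fused = ops[names[0]]
    for n in names[1:]:
        fused = cumulative_fuse(fused, ops[n])
    return fused, conflicts

# Constructed sample: (passed, failed) checks each neighbour observed
REPORTS = {"node-a": (8, 0), "node-b": (0, 8), "node-c": (1, 0)}

if __name__ == "__main__":
    fused, conflicts = assess(REPORTS)
    print(fused, round(fused.projected(), 3), conflicts)
```

The fused opinion alone looks like a confident "about even" score, which is why the pairwise conflict check is kept separate: it shows that two well-evidenced sources disagree, while the thinly evidenced `node-c` barely moves the result.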

Under this scope, the projects share some common objectives, with a distinct focus on the operational phases. REWIRE primarily focuses on runtime attestation and verifiable monitoring on open hardware, while ENTRUST focuses on medical devices and on expanding attestation and trust assessment frameworks with advanced cryptography. During the operational phases of both projects, the partners managed to provide detailed processes from design-time to trust-auditing, with a focus on device onboarding and runtime trust assessment.
