REWIRE’s Dynamic Trust Assessment Framework

This blog post draws on the presentations that took place during the REWIRE Cybersecurity Awareness Webinar Series, entitled “Trust or Bust: Reinforcing the IoT Interoperable Security Stack with Efficient Secure Lifecycle Management Capabilities – The RISC-V Opportunity”. Both the REWIRE and ENTRUST projects aim to enhance cybersecurity in IT ecosystems by combining node-centred and data-centred trust concepts, using hardware-assisted roots of trust and addressing the challenges of trust assessment.

During the webinar session focusing on “Efficient and Scalable Attestation Mechanisms for RISC-V Devices”, Nikos Fotos, on behalf of the UBITECH team, presented the ENTRUST’s Dynamic Trust Assessment Framework, showcasing a smart ambulance data transmission scenario in which the framework reacted to abnormal evidence by lowering the trust level.

This framework is designed to integrate evidence from various sources to produce a real-time trust level for devices and data. To this end, the Dynamic TAF ties together all the topics discussed during the webinar regarding the assessment of device trustworthiness during the onboarding and operational phases. In practice, the trust assessment framework works as a “black box” that receives evidence (such as attestation metrics and misbehaviour detection) as input and produces an actual trust level (ATL) as output: an assessment of whether a device or data item is considered trustworthy, based on the evidence, weights, and a series of calculation mechanisms.

More analytically, the Trust Assessment Framework provides a trust characterization for secure software updates, acts as a control by triggering updates upon detecting low trust, unlocks the onboarding process by deeming a device trustworthy, conveys trust assessment results via conformity certificates, and uses attestation mechanisms as a crucial source of trustworthiness evidence.

The framework was built on a set of well-defined requirements, with emphasis on its dynamic nature: collecting evidence at runtime and reacting to topology changes. The framework produces a trust assessment derived from fresh and securely collected evidence, is able to cope with uncertainty from various trust sources, and also considers the reputation-based requirements of multi-agent systems with potentially conflicting assessments. Furthermore, the framework is context aware, so that it can cater to the needs of different domains with varying trust requirements.

The key aspects of the framework include the security properties (e.g., integrity, resilience), the trust object (the device being assessed), the trust proposition (statements about the trust object, e.g., “device has secure boot”), the trust relationships (mapping evidence to trust propositions), the trustworthiness evidence (the data generated and collected), and finally the actual trust level (the final output of the assessment). All these aspects are used to model the device topologies and to assess complex combinations of trust propositions. The conversion of evidence into belief is highly dependent on the domain’s requirements and methodology: for a different domain or set of requirements, the same evidence might lead to a different outcome.

The Internal Architecture of the Trust Assessment Framework includes three main components. The trust source manager collects evidence from various probes in the operational environment (e.g., attestation agents, misbehavior detection). The trust model manager maintains the graph of trust relationships and propositions. The trustworthiness level expression engine takes the trust model instance and the target trust proposition to derive the actual trust level using subjective logic operations to fuse and aggregate trust opinions.  

Finally, the framework also considers a required trust level and thresholds to make a final trust decision (true/false) for a specific proposition. If the ATL is greater than the required trust level, the topology is considered trustworthy. Otherwise, when the trust decision evaluates to false, the system can automatically trigger different controls, such as isolating the device or performing a software update to address the underlying vulnerability.
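The pipeline described in the two paragraphs above (probe evidence, subjective-logic fusion, ATL, trust decision, control), as an added example that is not REWIRE’s or ENTRUST’s own code: each probe’s supporting and contradicting observations are mapped to a subjective-logic opinion, the opinions are combined with cumulative fusion, the projected probability is taken as the ATL and compared with the required trust level. The probe names, the evidence counts (including the “abnormal” misbehaviour run that lowers the ATL), the prior weight W = 2 and the 0.8 threshold are constructed assumptions.

```python
from dataclasses import dataclass

W = 2.0  # subjective-logic prior weight (two virtual observations); assumed

@dataclass(frozen=True)
class Opinion:
    """Subjective-logic opinion: belief + disbelief + uncertainty == 1."""
    belief: float
    disbelief: float
    uncertainty: float
    base_rate: float = 0.5

    def expected(self) -> float:
        """Projected probability that the proposition holds; used as the ATL."""
        return self.belief + self.base_rate * self.uncertainty

def opinion_from_evidence(positive: int, negative: int) -> Opinion:
    """Map one probe's supporting/contradicting observations to an opinion."""
    total = positive + negative + W
    return Opinion(positive / total, negative / total, W / total)

def cumulative_fusion(a: Opinion, b: Opinion) -> Opinion:
    """Fuse two independent opinions about the same trust proposition."""
    k = a.uncertainty + b.uncertainty - a.uncertainty * b.uncertainty
    if k == 0.0:  # both opinions dogmatic (u == 0): fall back to averaging
        return Opinion((a.belief + b.belief) / 2, (a.disbelief + b.disbelief) / 2, 0.0)
    return Opinion(
        (a.belief * b.uncertainty + b.belief * a.uncertainty) / k,
        (a.disbelief * b.uncertainty + b.disbelief * a.uncertainty) / k,
        (a.uncertainty * b.uncertainty) / k,
    )

def actual_trust_level(sources: dict) -> float:
    """Fuse every probe's evidence about one proposition and return the ATL."""
    fused = None
    for positive, negative in sources.values():
        opinion = opinion_from_evidence(positive, negative)
        fused = opinion if fused is None else cumulative_fusion(fused, opinion)
    return fused.expected()

def trust_decision(atl: float, required: float) -> tuple:
    """Trust decision: True if ATL exceeds the required level, else name a control."""
    if atl > required:
        return True, "none"
    return False, "isolate device and schedule software update"

# Constructed evidence per probe: (supporting, contradicting) observations
NORMAL = {"attestation-agent": (8, 0), "misbehaviour-detector": (3, 1)}
ABNORMAL = {"attestation-agent": (8, 0), "misbehaviour-detector": (3, 6)}
REQUIRED_TRUST_LEVEL = 0.8
```

Running `trust_decision(actual_trust_level(ABNORMAL), REQUIRED_TRUST_LEVEL)` shows the ATL dropping from about 0.857 to about 0.632 once the misbehaviour probe reports contradicting evidence, which flips the decision to false and names the control to trigger.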
