
Project

Certification of Security Properties of Embedded Systems

This research project performs fundamental research on building blocks that increase the security and trustworthiness of embedded systems, and that support the generation of evidence to prove security properties of a device, thus supporting the certification of these properties by third parties. It will clarify the role of certification from a legal perspective and in particular perform research into the legal qualification of certification processes.

Both software and hardware components play an essential role in the overall security of a device. The hardware typically implements low-level security building blocks such as efficient or compact cryptographic transformations, or memory protection logic. The software builds on these to provide higher-level guarantees such as process isolation, secure communication, or even application-specific security guarantees such as non-repudiation of transactions. Hence, this project will address both hardware and software security.

More specifically, this project will focus on the following challenges and goals:

- High-assurance implementation-level security of embedded software
- Hardware-assisted software security
- Implementation of integrated security solutions for embedded systems
- Role of certification in the security regulatory framework

The activities of ICRI will mainly focus on the fourth objective, where we will perform research on the role of certification in order to ensure security and trust. Certification is usually the result of an evaluation performed by a third party. The legal rules with regard to the status of this third party are very fragmented. The requirements with regard to the certification process are, at least from a legal point of view, not very clear.

In order to shorten the time-to-market, legislators have progressively abandoned long and bureaucratic certification procedures via official state-controlled bodies and introduced notions such as self-certification. Instead of putting down detailed security requirements in legislative texts, legislators have adopted technology-neutral provisions merely stating that products and services need to meet essential requirements. The result is a complex relationship and role distribution between legislation and technical standards/specifications. The objective of this track is to clarify the mutual relationship between laws and (technical) standards (in the widest sense), with the emphasis on the situation in the European Union.

Date: 1 Jan 2011 → 31 Dec 2013
Keywords: security, trust, certification, embedded
Disciplines: Law