AutoSCA: Automated vulnerability analysis of cryptographic protocols

achelos improves software development in security-relevant industrial projects

Developments related to Industry 4.0 are driving the networking of plants and machines, the Industrial Internet of Things (IIoT), ever further. This increase in networking is an important factor on the way to the smart, changeable "factory of the future" and opens up remarkable potential for optimising processes. At the same time, however, it also increases the attack surface on a company's IT infrastructure. Continuously effective IT security protection in companies, in order to be able to quickly identify and assess existing and new security risks, is thus becoming increasingly important.

Some facts and figures about AutoSCA:

The objective:

Continuously checking the effectiveness of protective measures taken is a major challenge in complex and heterogeneous system environments. This applies in particular to the security of software with its often hardly manageable number of lines of code. Automated testing of the correctness of software implementations is therefore a necessary step to make technical staff’s lives easier. In the AutoSCA project, new methods for the automatic detection of vulnerabilities are being researched and further developed. Effective and efficient automation is made possible by combining new findings in IT security with the methods of artificial intelligence (AI). We focus on vulnerabilities that are based on physical or logical side effects of the implementations, so-called side channels. The developed methods will be implemented as a tool for the automated detection of software side channels and can thus be evaluated.

Classification in the Reference Architecture Model Industry 4.0 (RAMI 4.0)

achelos builds up knowledge in the fundamentals of machine learning and suitable machine learning methods being part of an interdisciplinary team with cryptographers and machine learning experts. This knowledge is used to uncover further cryptographic vulnerabilities with the achelos test suites for secure network protocols.

The tasks for achelos:

Within the framework of AutoSCA, achelos pursues the following goals:

• To build up knowledge in the basics and suitable procedures of machine learning through cooperation with the specialist groups involved, in order to be able to uncover further cryptographic vulnerabilities
• Improving the quality, especially the test coverage, of existing test suites through the algorithms developed in this funded project
• Automated creation of test data that can be transferred to existing test environments
• Practical testing in order to verify the practical suitability

Further Information:

Projekt-Website AutoSCA (In German)

Plattform INDUSTRIE 4.0

Contact:

Dr. Claudia Priesterjahn
Project manager

claudia.priesterjahn@achelos.de
T: +49 5251 14212-0

AI-DevAssist: AI-assisted secure software development

achelos improves software development in security-relevant industrial projects

Digitalisation is advancing ever further into all areas of life. Critical vulnerabilities in software development pose an enormous security risk and are rapidly on the rise. The project looks into methods for using artificial intelligence (AI) which detects vulnerabilities in software. The total investment volume of the project is €2.24 million, including funds provided by the project partners.

Some facts and figures about AI-DevAssist:

The objective:

Developing secure and reliable software is a major and as yet unsolved challenge. The number of critical vulnerabilities is growing despite all attempts to curb it, as the diagram shows using the increase in CVE (Common Vulnerabilities and Exposures⁽¹⁾) from 2006 to 2018 as an example. An analysis by Microsoft Research shows that developers are largely making the same mistakes as they did 20 years ago⁽²⁾. The objective of this project is to research AI-supported methods for identifying vulnerabilities which enable simpler and more secure software development for developers.

More specifically, the aim is to push forward state-of-the-art security analysis using the example of Java. This will involve the development of artificial intelligence methods which expand existing static analysis and fuzzing tools and enable direct interaction between software developers and AI. Fuzzing is a dynamic software analysis that already uses rudimentary machine learning approaches. 

In order to achieve this goal, AI-DevAssist brings together the expertise of leading global teams of experts from the research fields of artificial intelligence, secure software engineering, and usable security. Usable security essentially deals with the human factor in security and how technology can support humans in developing secure software. The solution approach taken by AI-DevAssist consists in the development of AI components that assume this task and identify software errors. AI-DevAssist uses innovative methods of Secure Software Engineering — in particular automated code analysis — to develop an AI assistant that is able to effectively identify vulnerabilities on the basis of semantic programme properties. In addition, methods will be researched and developed for the interaction between AI and software developers in order to optimise the transfer of knowledge between developer and security tool.

The tasks for achelos:

achelos will create a benchmark and support the evaluation of secure software development on the basis of artificial intelligence (AI)

The aim of the achelos sub-project is to ascertain requirements for the analysis software to be developed, create a benchmark, and evaluate the solutions developed in the project. In doing this, achelos builds on its many years of experience in the development of security-relevant software in industrial projects and brings this expertise into the project.

Main task: To create the benchmark

achelos uses vulnerabilities from known benchmarks and supplements them with vulnerabilities that cannot be detected using current tools. achelos will integrate the benchmark in a training and evaluation infrastructure and thus enable constant evaluation of the solutions developed in the project. An expert team from the achelos development department with experience in security relevant industrial projects will be involved in the evaluation of the human–AI interface.

achelos brings expertise to the development of security-relevant software

achelos possesses many years of experience in consulting, development, and testing for software from security-critical application areas. The achelos portfolio includes automated test suites for secure network protocols, security of certificates, and high-security components. Our test suites are used specially for acceptance testing of products that need to be certified in line with Common Criteria. During certification to a specific Evaluation Assurance Level (EAL 1 - 7), looking into secure implementation and vulnerabilities are important criteria. achelos' expertise in the field of test suites is particularly relevant for the design and creation of the benchmark.

In the 'it’s OWL' transfer project 'Integration of CogniCrypt', achelos was able to gather experience in static code analysis with the CogniCrypt tool. In the project, CogniCrypt was integrated into achelos' continuous integration environment and as a plug-in into the Eclipse software development environment and supplemented with rules for the BouncyCastle cryptolibrary.

Furthermore, achelos is working together with the project partners on the BMBF project AutoSCA to automatically analyse side channel attacks against cryptographic protocols for the first time. In this project, achelos is collaborating in an interdisciplinary team of cryptographers and machine learning experts in order to build up knowledge on the basics of machine learning and to establish suitable machine learning procedures with a view to detecting further cryptographic vulnerabilities with its test suites for secure network protocols.

⁽¹⁾ http://1https://cve.mitre.org/ ⁽²⁾ Matt Miller. Trends, Challenges, and Strategic Shifts in the Software Vulnerability Mitigation Landscape. In BlueHat IL, 2019.

Further Information:

www.forschung-it-sicherheit-kommunikationssysteme.de/projekte/ki-gestuetzte-sichere-softwareentwicklung-ai-devassist (in German)

Contact:

Dr. Claudia Priesterjahn
Project manager

claudia.priesterjahn@achelos.de
T: +49 5251 14212-0

KogniHome: a smart apartment for life

achelos contributes expertise on security tokens and key management

The door welcomes visitors, the wardrobe mirror reminds you to take your keys with you, while the stove warns you when the milk threatens to overcook. These ideas may sound like something from Alice in Wonderland, but they actually represent just a selection of the capabilities of the smart apartment developed at the KogniHome innovation cluster by 14 partners from the fields of science, industry, as well as social welfare and healthcare. Germany's Federal Ministry of Education and Research (BMBF) sponsored the project with €8 million up to 2017. The total investment volume was €11.3 million, including project partner’s own funds.

Some facts and figures about KogniHome:

The objective:

An apartment that supports people in their day-to-day activities – equipped with intelligent and learning technology that can be easily operated by speech or gestures. The intuitive control in particular offers senior citizens and people with disabilities an opportunity to live longer in their own four walls.

The achelos tasks:

achelos managed the sub-project  "Development and implementation of a security token"

The basis for acceptance of the KogniHome is authenticated and confidential communication between individual devices and components. In order to guarantee secure communication channels, it is vital for the communication partners to be able to identify and authenticate one another before starting communication of actual content.

The objective of the sub-project managed by achelos was to develop a security token for the identification and authentication process, as well as the key management between devices and components in the apartment.

achelos contributes security expertise

The achelos team has in-depth knowledge for the resource-efficient and hardware-oriented implementation of the relevant security processes in the KogniHome. achelos has defined these processes in full - all the way up to the Public Key Infrastructure (PKI). achelos implemented and adjusted the cryptographic processes developed by the Codes and Cryptography department at the University of Paderborn, as well as other known processes, and managed their implementation on suitable hardware platforms.

The prototype:

A smart apartment for life

The special feature of the KogniHome project is that the apartment can accompany its users throughout their entire life, as it learns from their needs and abilities. The technologies are invisibly integrated into the familiar living environment. A uniform security standard needs to be guaranteed for interaction of the various devices from different manufacturers with regard to authenticity and confidentiality. A research apartment is installed in a building of the von Bodelschwinghschen Stiftungen Bethel in Bielefeld.

The partners:

14 partners from OWL worked on the apartment of the future

The Cluster of Excellence Cognitive Interactive Technology (CITEC) at the University of Bielefeld managed the KogniHome project. Alongside achelos, 13 other partners were involved in the project, including domestic appliance manufacturer Miele, the von Bodelschwinghschen Stiftungen Bethel and the company Hella from Lippstadt.

For more information:
www.kogni-home.de 

Press release from the University of Bielefeld on project conclusion with results of the project partners

Contact:

Dr. Lutz Martiny
Senior Consultant

lutz.martiny@achelos.de
Phone: +49 5251 14212-310

CogniCrypt transfer project improve quality for secure software implementation

CogniCrypt transfer project improves quality for secure software implementation

CogniCrypt is a tool that can detect security vulnerabilities early in software development using highly accurate and efficient static code analysis. CogniCrypt is the result of a long-term research project and is actively being further developed by Fraunhofer IEM. CogniCrypt warns of misuse of crypto libraries and thus ensures software quality. In the it's OWL transfer project, Fraunhofer IEM and achelos GmbH spent five months working together on further developing CogniCrypt. The results were incorporated in the open source product in the form of a knowledge transfer and added support for other cryptographic libraries.

Some facts and figures about CogniCrypt:

The Eclipse CogniCrypt plug-in detects misuse of cryptography directly in the development environment. (Photo: Copyright: Fraunhofer IEM)

The starting position:

Many security holes in software solutions are misimplementations of cryptography, which are often related to the large number of encryption algorithms and their configuration (key length, block modes or padding). In software development there is often a lack of knowledge about which algorithm to choose and when. This inevitably leads to security gaps.

That's what CogniCrypt does:

Static code analysis verifies secure use of cryptography.
The static code analysis function of CogniCrypt continuously checks the code for correct implementations during development. When the code is saved in the editor, a static analysis is triggered in the background and warns of incorrect use of a cryptographic programming interface (API).

The achelos tasks

The aim of the project was to integrate the CogniCrypt tool into the software development process of achelos GmbH at several points. In order to avoid incorrect implementations, the Fraunhofer IEM specified rules for the correct use of software libraries. In the course of the project, CogniCrypt was extended by new rules to detect errors in the implementation of other libraries (Bouncy Castle) and to avoid security gaps at an early stage. The achelos team possesses complex knowledge in cryptography and its application and was able to contribute to the further development of CogniCrypt through continuous feedback.

About CogniCrypt

The CogniCrypt tool was developed within the scope of the CROSSING Collaborative Research Initiative at the Technical University of Darmstadt and in cooperation with the Heinz Nixdorf Institute at the University of Paderborn. It allows companies operating in the field of security and cryptography to identify and then eliminate security-critical misuse of cryptographic libraries quickly and reliably, as well as to generate secure cryptographic integration code for various common usage scenarios fully automatically. With the support of the Fraunhofer IEM, CogniCrypt was further developed to market maturity and can be integrated into the Eclipse development environment.

www.eclipse.org/cognicrypt/

The partners:

About the Fraunhofer IEM:

From its location in Paderborn, Germany, the Fraunhofer Institute for Mechatronic Systems Design IEM offers expertise for intelligent mechatronic solutions in the context of Industry 4.0. Scientists from the fields of mechanical engineering, software engineering and electrical engineering engage in interdisciplinary collaboration here, researching innovative methods and tools for development of intelligent products, production systems and services.

www.iem.fraunhofer.de/en.html

About the "It’s OWL" technology network

In the "It's OWL – intelligent technical systems OstWestfalenLippe" technology network, over 200 companies, research institutes and organisations develop solutions for intelligent products and production methods. With the support of the State of North Rhine-Westphalia, projects with a total value of €100 million are set to be implemented between 2018 and 2022. The key focus topics are artificial intelligence, digital platforms, digital twins and work in the fourth industrial revolution, Industry 4.0. Having won awards in the German government's Top Cluster competition, the "It's OWL" network ranks as one of the largest SME initiatives for Industry 4.0.

www.its-owl.com/home/

For more information:
www.eclipse.org/cognicrypt/ 

Press release  on project conclusion

Contact:

Thomas Freitag
Managing Director

thomas.freitag@achelos.de
Phone: +49 5251 14212-304

Energy efficiency as a driver of new business models

achelos: security and efficiency through rule-compliant implementation

In future, smart home technologies will change life and business in buildings. New fields of application for software and hardware promise exciting design options for landlords, tenants and owner-occupiers of buildings.

Some facts and figures about "green with IT":

The objective:

In the "green with IT" network, achelos will cooperate with innovative application partners from the housing and building management sectors to examine and, if suitable, proceed with introducing Smart Meter Gateways and Public Key Infrastructures, as well as extending the approach to include measurement of water and heat consumption within the scope of defined parameters. The results will be published, so that as many disruptive applications as possible are created and lead to widespread acceptance through attractive prices.

The technology:

Key role for the Smart Meter Gateway
The Smart Meter Gateway is the central communication unit of intelligent measuring systems in the energy sector. It is developed according to the specifications of Germany's Federal Office for Information Security (BSI).

 The Federal Office for Information Security (BSI) manages the technical guidelines

The German Federal Office for Information Security (BSI) has drawn up protection profiles and technical guidelines (TR 03109). These are binding as per the Measuring Point Operation Act (MsbG) and guarantee data protection, data security and interoperability of intelligent measuring systems based on the respective state-of-the-art. Among other things, they include the minimum requirements of the following:

• Intelligent measuring systems (§ 21)
• The Smart Meter Gateway (§ 22)
• Secure connection to the Smart Meter Gateway (§ 23)
• Certification of the Smart Meter Gateway according to Common Criteria (§ 24)
• Certification of the Smart Meter Gateway Administrator (§ 25)

As an authority, the BSI is responsible for a uniform safety level and interoperability and is responsible for the permanent further development of the documentation. It takes the initiative to update and revise existing protection profiles and technical guidelines in the event of possible new or technically advanced threat scenarios and other applications (e.g. the Smart Home).The tasks for achelos:

Security and efficiency through rule-compliant implementation

achelos supports the management of the housing and energy sectors in the make-or-buy decision for introduction of Smart Meter Gateways and Public Key Infrastructures, as well as during implementation.

Security for future IoT applications in day-to-day residential activities through:

• Definition of safety requirements as per ISO 27001 and basic protection as per the Federal Office for Information Security (BSI)
• Designing the IT security policy, as well as its strategies and guidelines
• Drafting the IT security concept
• Drafting the IT security architecture
• Developing the IT security organisation technical concept and necessary processes
• Analysing remaining risks
• Defining the back-up and contingency plan
• Preparing/supporting the CC evaluation and CC certification
• Drawing up requirements-compliant documentation

The partners:

achelos is an active member of the green with IT association alongside eleven other members.

For more information:

www.green-with-it.com

Contact:

Dr. Lutz Martiny
Senior Consultant

lutz.martiny@achelos.de
Phone: +49 5251 14212-310

System integrity for self-service systems (SiS)

Some facts and figures about SiS:

The objective:

achelos as an expert in smart card technology and security processes

The objective of the project was to improve protection of ATMs as a central self-service system. The project partners have drawn up a holistic concept to ensure the integrity of an ATM with regard to hardware and software. New identity-based cryptographic processes are used which allow the verification of software and hardware integrity. achelos actively supported the project in this field and was involved in the project as experts in smart card technology and security processes.

 The tasks for achelos:

• Analysis of existing security processes
• Definition of adapted security processes
• Prototype implementation

The partners:

Four companies from the German city of Paderborn are working together on the joint project for IT security research.

The Federal Ministry of Education and Research funded the SiS joint project for development of a security token to ensure system integrity of self-service machines. Alongside achelos, the University of Paderborn, Wincor Nixdorf International GmbH and Morpho Cards GmbH were all involved in the project with a total volume in excess of €2 million.

Further information:

31 August 2011 | Announcement from the Institute of Computer Science

Better protection for ATMs – Institute of Computer Science secures system integrity for self-service systems

The project partners were able to present their final report in 2013.

Contact:

Marcel Schriegel
Senior Consultant
marcel.schriegel@achelos.de
Phone: +49 5251 14212-312