Trustworthy IoT: An evidence collection approach based on smart contracts

Today, Internet of Things (IoT) implements an ecosystem where a panoply of interconnected devices collect data from physical environments and supply them to processing services, on top of which cloud-based applications are built and provided to mobile end users. The undebatable advantages of smart IoT systems clash with the need of a secure and trustworthy environment. In this paper, we propose a service-based methodology based on blockchain and smart contracts for trustworthy evidence collection at the basis of a trustworthy IoT assurance evaluation. The methodology balances the provided level of trustworthiness and its performance, and is experimentally evaluated using Hyperledger fabric blockchain

Open source systems security certification

Open source systems security certification provides an introduction to the notion of the Security Certification, including test-based and model-based approaches to the certification of software products. Several Security Certification standards are presented, including the international standard for the certification of IT products Common Criteria (ISO/IEC 15408) (CC 2006), a certification officially adopted by the governments of 18 nations. This book discusses Security Certification as a way to foster adoption and deployment of Open Source Software (OSS) in security-sensible markets, such as telecommunications, government and the military. Scientific and technical issues of OSS security certification are highlighted through case studies. This volume is designed for professionals and companies trying to implement an Open Source Systems (OSS) aware IT governance strategy, and SMEs looking for ways to use OSS in order to enter new security-conscious markets traditionally held by proprietary products. This book is also suitable for researchers and advanced-level students interested in OSS development, deployment and adoption issues

WS-certificate

Assessing the correct operation of individual web services or of entire business processes hosted on a Service Oriented Architecture (SOA) is one of the major challenges of SOA research. The unique features of WS/SOA require new quality assessment approaches, including novel testing and monitoring techniques. In this paper, we present a framework for assessing the correct functioning of WS/SOA systems by introducing a third party certifier as a trusted authority that checks and certifies WS/SOA systems. Our certifications are based on signed test cases and their respective results and operate at different level of granularity, providing a sound basis for run-time service selection and process orchestration decisions

Modeling time, probability, and configuration constraints for continuous cloud service certification

Cloud computing proposes a paradigm shift where resources and services are allocated, provisioned, and accessed at runtime and on demand. New business opportunities emerge for service providers and their customers, at a price of an increased uncertainty on how their data are managed and their applications operate once stored/deployed in the cloud. This scenario calls for assurance solutions that formally assess the working of the cloud and its services/processes. Current assurance techniques increasingly rely on model-based verification, but fall short to provide sound checks on the validity and correctness of their assessment over time. The approach in this paper aims to close this gap catching unexpected behaviors emerging when a verified service is deployed in the target cloud. We focus on certification-based assurance techniques, which provide customers with verifiable and formal evidence on the behavior of cloud services/processes. We present a trustworthy cloud certification scheme based on the continuous verification of model correctness against real and synthetic service execution traces, according to time, probability, and configuration constraints, and attack flows. We test the effectiveness of our approach in a real scenario involving ATOS SA eHealth application deployed on top of open source IaaS OpenStack

An assurance model for OSS adoption in next-generation telco environments

The open source paradigm is giving rise to new methodologies, competences and processes that need to be investigated both from the technical and the organizational point of view. Many organizations are investigating the possibility to adopt open source software or migrate their systems to open frameworks also in critical environments. In this paper, we shows how the assurance has been elevated as a primary design requirement for organizations wishing to adopt open source products, and we describe the experience of a big telecommunication player in the process of implementing an assurance evaluation platform

Mapping Linux Security Targets to Existing Test Suites

The Common Criteria standard provides an infrastructure for evaluating security functions of IT products and for certifying that security policies claimed by product suppliers are correctly enforced by the security functions themselves. Certifying Open Source software (OSS) can pave the way to OSS adoption in a number of security-conscious application environments. Recent experiences in certifying Linux distributions has pointed out the problem of finding a mapping between descriptions of OSS security functions and existingtest suites developed independently, such as the Linux Test Project. In this paper, we describe a mechanism, based on matching techniques, which semiautomatically associates security functions to existing test suite such as the ones developed by Open Source communities

Certification-Based Cloud Adaptation

Performance and dependability levels of cloud-based computations are difficult to guarantee by-design due to segregation of visibility and control between applications, data owners, and cloud providers. Lack of predictability increases users' uncertainty about the service levels they will actually achieve. Cloud tenants compete for shared resources/services at all layers of the cloud stack, and pose heterogeneous and conflicting non-functional requirements over them. These requirements have implications for platform and infrastructure layers, which have to be configured to satisfy inter-tenants requirements. We argue that adaptation techniques can play a crucial role in providing a reliable cloud, supporting definite behavior of applications and stable quality of service. We propose a multi-tenant, general-purpose adaptation technique for the cloud, based on evidence collected by means of a trustworthy certification process. We depart from traditional heavy and comprehensive certification processes and consider a flexible and lightweight certification process for the cloud. It is based on authentic evidence and provides accountable validation on the compliance of a cloud-based system. Our approach adapts the cloud at all layers to maintain stable non-functional properties in certificates over time, by continuously verifying certificate validity. We assess performance and quality of our approach in a wide range of settings