Presenter: Panos Louridas, Dimitris Mitropoulos Date: 08 September 2022
The SecOPERA project (Secure Open-source softwarE and hardwaRe Adaptable framework), which was recently accepted for funding by the EU, aims at improving the security of Open Source solutions. It will use a number of different approaches, contributed by the different partners, in order to provide a functional toolbox for security assessment.
SecOPERA will tackle the security problem by recognising that it can be divided in four layers, all of which can be present in today's systems:
Cognitive: attacks on systems using Machine Learning and Artificial Intelligence.
These different levels call for different techniques. For instance, adversarial attacks on Neural Networks are very different from vulnerabilities in IP (Intellectual Property) cores. Trying to prevent attacks on software, and in particular system libraries, is not the same as securing network devices or pieces of the network stack in an operating system. That said, well-developed principles can apply to the different levels and SecOPERA aims exactly at developing a holistic solution, leveraging the knowledge brought by the different partners of the project.
The partners will follow the SecOPERA Secure Flow, which will be developed in detail in the project, and which will consist of the following activities:
Decompose an open source solution to its components, map them in the four layers described above, associate components with their source repositories, create dependency graphs.
Audit/Assess by performing vulnerability scans both against known vulnerabilities and by using techniques that may indicate problems beyond those.
Secure by creating a pool of secure modules that will contain both secured components and tools for securing components.
Adapt existing open source solutions by combining SecOPERA secure modules that can harden open source solutions with the actual audited components of an open source solution.
Update/Patch open source software and hardware using formal verification mechanisms.
The SecOPERA approach will run for 36 months and will be validated with two user-pilots, one concerning automotive software. The first pilot involves partner Voxel from Austria who develops such software and KTM, also from Austria, who embeds the software in the motorcycles it produces. The second pilot involves Greencityzen, who offers an IoT (Internet of Things) water management system.