Scalable trust establishment and attestation

RAINBOW will provide secure, robust, and efficient run-time behavioural attestation and verification methods that check the internal state of an untrusted fog-based environment in order to establish its trustworthiness and privacy. The ultimate goal is to establish “fog/edge node communities of trust”. To do so, RAINBOW will develop a trusted framework for attestation and system assurance. At a high level, the framework will enable fog/edge entities to establish and maintain trust during the entire system life-cycle. By leveraging the concept of a trusted community, communities can then be networked in a trusted manner, effectively creating trusted “supercommunities” within a fog-based environment.

Figure: RAINBOW Trust Protocol Framework

For privacy, RAINBOW will leverage advanced crypto primitives, namely Direct Anonymous Attestation (DAA) [1], whereas for security and operational assurance, it will enable the provision of Control Flow Attestation.

The reason behind employing attestation mechanisms as a means of operational assurance is twofold. First of all, one of the main challenges in managing device and network security in today’s heterogeneous and scalable infrastructures is the lack of adequate containment and sufficient trust when it comes to the behaviour of a remote system that generates and processes mission-critical and/or sensitive data.

An inherent property in RAINBOW is the codification of trust among computing entities that are potentially composed of heterogeneous hardware and software components, are geographically and physically widely separated, and are not centrally administered or controlled.

By leveraging the artefacts of traditional security infrastructure (such as digital signatures, certificates and assurance statements) coupled with advanced crypto primitives (such as run-time property-based attestation) and building upon emerging trusted computing technologies and concepts, RAINBOW will convey trust evaluations and guarantees for each network entity.

This high level of trustworthiness, which will include not only the integrity of system hardware and software but also the correctness and integrity of the generated data flows, will in turn reduce the overall attack surface and allow for the more effective operation of the RAINBOW security framework. This will allow the secure configuration, deployment and operation of distributed, scalable service graph chains.

Geo-distributed data processing

Geo-distributed data analytics have gained ground due to their ability to achieve fast response times, a high level of privacy and easier failure recovery, while capitalizing on resources that are physically located in different places and might be heterogeneous. In these settings, data is produced and analyzed in data sources and computing nodes that are distributed in locations all over the world; as a result, latency, data transmission, fault tolerance and privacy issues arise.

Some of the most common tools used for geo-distributed analytics include customized flavors of Apache Spark (which is used mainly for batch processing, although a streaming extension exists), Apache Storm (which allows for easier DAG creation and set-up) and Apache Flink.

However, these solutions, which build upon extensions of MapReduce and focus on massive parallelism, might not be suitable for a fog/edge analytics setting, especially when the computing nodes might be resource-constrained devices.

On the other hand, the main effort in fog analytics is still in the area of programming models and appropriate deployment abstractions [2], which prevents the community from benefiting from the big advances in distributed analytics, which offer users the tooling for hiding most of the complexity related to machine scheduling, task coordination, and fault tolerance.

In RAINBOW, efforts focus on exploring current state-of-the-art frameworks for geo-distributed edge analytics and on building upon partner expertise in multi-objective geo-distributed and streaming analytics, e.g. [3] [4], to jointly take into consideration data placement and task analysis in order to determine which data chunks (e.g., metadata required for orchestration) to move and where to place processing tasks given multiple alternatives.

—————————————————————————————————————–

[1] E. F. Brickell, J. Camenisch and L. Chen, “Direct anonymous attestation,” in ACM Conference on Computer and Communications Security (CCS), 2004.

[2] P. Patel, M. I. Ali and A. Sheth, “On using the intelligent edge for IoT analytics,” IEEE Intelligent Systems, 2017.

[3] M. Anna-Valentini and G. Anastasios, “Bi-objective traffic optimization in geodistributed data flows,” Big Data Research, 2019.

[4] Z. Georgiou, M. Symeonides, D. Trihinas, G. Pallis and M. D. Dikaiakos, “Streamsight: A query-driven framework for streaming analytics in edge computing,” in 2018 IEEE/ACM 11th International Conference on Utility and Cloud Computing, 2018.

Rainbow Project ©2021 All rights reserved