Leveraging cryptographic techniques and Trusted Components, such as Trusted Platform Modules (TPM), towards protecting and proving the authenticity and integrity of fog nodes is one of the core objectives of RAINBOW and serves as the foundation on which cloud-based services can start building a well-rounded cybersecurity strategy.
To support enhanced system and network trust assurance, RAINBOW has defined the security protocols necessary for providing a range of secure attestation services that supply verifiable evidence on the correct configuration state and/or execution of a remote platform, ranging from secure boot to run-time integrity and thereby covering the entire life-cycle of the platform.
As part of the comprehensive RAINBOW attestation toolkit, the main goal is to allow the creation of privacy- and trust-aware service graph chains (managed by the Orchestration Lifecycle Manager and established by the RAINBOW Deployment Manager) through the provision of zero-touch configuration functionalities: fog nodes wishing to join a fog cluster adhere to the compiled attestation policies by providing verifiable evidence on their configuration integrity and correctness. In other words, the framework guarantees that a node can join a network (and participate in the underlying dynamic routing scheme as well as the privacy-preserving key management process) if and only if it can prove to the Orchestrator that it is in a “correct state”, without, however, having to disclose its configuration details. This allows RAINBOW to support the secure enrollment and integration of heterogeneous devices and platforms equipped with different computing resources and operating systems.
The failure of such an attestation process may indicate a zero-day vulnerability (or another detected exploit) and/or a malfunction, and therefore prohibits the on-boarding of the target node into the fog cluster and the already deployed service graph chain. If any of the enforced security policies fail, whether from malicious intent or faulty behavior, the next logical step is to identify the cause of this event. This enables better situational awareness and adaptation: the overall risks and threats of the entire ecosystem are re-calculated (taking the newly identified vulnerability into account), allowing policy adjustments and the compilation of updated mitigation strategies and attestation policies.
The goal is to observe, model, and monitor the trust level of each TPM-equipped fog node and the strong trust relations that must be established among interacting entities. This requires the consideration of different aspects in each case; for instance, trusting a TPM first requires trusting that it operates correctly, and in particular that sequences of TPM commands are executed correctly, while maintaining trust between attested entities requires ensuring that their interactions are secure. Thus, the best approach – as adopted by RAINBOW – is to use a combination of remote attestation protocols to achieve both load-time and run-time integrity of a device’s execution: the assurance that a device works correctly after loading is known as load-time integrity, while run-time integrity refers to the whole process lifecycle.
Load-time Configuration Integrity Verification
In collaboration with the European Research Center of Huawei Technologies in Germany, RAINBOW partners from DTU and UBITECH published a preprint entitled “BLINDTRUST: Oblivious Remote Attestation for Secure Service Function Chains” at the arXiv open-access repository, which presents a lightweight and privacy-respecting protocol for dynamic configuration integrity verification that enables inter- and intra-device attestation without disclosing any configuration information and can be applied to both resource-constrained edge devices and cloud services. In RAINBOW, the proposed protocol is used to securely enroll nodes.
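To make the load-time integrity check concrete, the following added example (not code from RAINBOW or from the BLINDTRUST paper) simulates the enrollment decision described above: a fog node extends a TPM-style PCR over its boot components, produces a nonce-bound quote, and the Orchestrator accepts the node only if the quote is fresh and the PCR digest matches an allowed value in its attestation policy. Component names, the key and the nonce are constructed values; an HMAC stands in for the TPM's attestation-key signature, and the verifier receives only the digest and quote, not the measurement log, so the node's configuration is not disclosed (the real protocol's oblivious property is far stronger than this simplification).

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA256(PCR_old || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """Node side: measure each boot component in order; return final PCR and log."""
    pcr = bytes(PCR_SIZE)  # PCR starts at all zeros on reset
    log = []
    for name, blob in components:
        log.append((name, hashlib.sha256(blob).hexdigest()))
        pcr = pcr_extend(pcr, blob)
    return pcr, log


def make_quote(ak_key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Node side: bind the PCR value to the verifier's nonce (HMAC stands in for an AK signature)."""
    return hmac.new(ak_key, pcr + nonce, hashlib.sha256).digest()


def verify_enrollment(ak_key: bytes, quote: bytes, pcr: bytes, nonce: bytes, policy_pcrs) -> bool:
    """Orchestrator side: accept only a fresh, authentic quote over a policy-approved PCR."""
    expected = make_quote(ak_key, pcr, nonce)
    if not hmac.compare_digest(quote, expected):
        return False  # wrong key, tampered PCR value, or replayed quote (nonce mismatch)
    return pcr in policy_pcrs  # configuration must be one of the known-good states


# Constructed sample: known-good boot chain used to compile the attestation policy.
GOOD_BOOT = [("bootloader", b"bootloader v1.2"), ("kernel", b"vmlinuz-5.10"), ("agent", b"fog-agent.conf")]
AK_KEY = b"constructed-attestation-key"  # placeholder for the node's TPM attestation key


def enrollment_decision(components, nonce: bytes) -> bool:
    """Run the full exchange for a node reporting `components` against the GOOD_BOOT policy."""
    policy = {measure_boot(GOOD_BOOT)[0]}
    pcr, _log = measure_boot(components)        # log stays on the node
    quote = make_quote(AK_KEY, pcr, nonce)
    return verify_enrollment(AK_KEY, quote, pcr, nonce, policy)


if __name__ == "__main__":
    print("good node:", enrollment_decision(GOOD_BOOT, b"nonce-1"))
    tampered = [GOOD_BOOT[0], ("kernel", b"vmlinuz-5.10-modified"), GOOD_BOOT[2]]
    print("tampered node:", enrollment_decision(tampered, b"nonce-2"))
```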