Comprehensive Security Assurance Solutions for Software-Dependent Systems

适用于软件相关系统的全面安全保障解决方案

• 批准号: RGPIN-2019-06306
• 负责人: Jaskolka, Jason
• 金额: $ 1.68万
• 依托单位: Carleton University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=765860
• 关键词: Comprehensive; Security; Assurance; Solutions; Software

There is an ever-growing need to assure the security of critical software-dependent systems, and the information that they use, store, and communicate, in the face of cyber-attacks and failures. As systems grow larger and more complex they become more susceptible to a variety of unforeseen security vulnerabilities. Security should therefore be considered at all stages of their development. The current approach of having security "bolted-on" to the systems that we build is not sufficient. Instead, we need to consider the increasingly critical security requirements for these systems and design them with security "baked-in" so that sufficient evidence to support security assurance claims can be generated and reasoned about alongside the system being developed. The overall aim of this research program is to establish comprehensive security assurance solutions by enhancing security-by-design approaches for engineering secure software-dependent systems. More specifically, it aims to develop more incremental, modular, and compositional solutions for securing systems from the outset and for generating sufficient evidence of their built-in resilience to a range of cyber-attacks and failures. This requires the integration of formal (mathematically rigorous) methods and security-by-design approaches to provide verifiable evidence to support security assurance claims from early stages of system development. We will achieve this by: (1) Developing formal modeling and analysis frameworks with which we can provide mathematical proofs of assurance of security properties of software-dependent systems at early stages of development; (2) Establishing system-level security evaluation methods and techniques for understanding and mitigating the risks to system assets posed by identified security vulnerabilities; and (3) Advancing techniques to support the management, evaluation, and presentation of sufficient evidence for developing incremental security assurance cases. Governments, businesses, and users want to be assured that the cyber systems they use offer adequate protections to mitigate the potential risks and associated losses if they experience an attack or failure. The anticipated outcomes will help in establishing-at all stages of system development-sufficient evidence to provide this assurance. This will contribute to alleviating some of the challenges of reasoning about the security of large and complex software-dependent systems and the high-costs associated with security assurance and certification. This research supports Canada's strategic investment to position itself as a global leader in cybersecurity. The obtained results have the potential to impact and influence the development of standards, regulations, and guidelines pertaining to development, evaluation, and certification practices for high-assurance secure software-dependent systems enabling Canadians to have higher confidence in the cyber systems that underpin their daily lives.

面对网络攻击和故障，确保关键软件相关系统及其使用、存储和通信信息的安全性的需求日益增长。随着系统变得越来越大、越来越复杂，它们变得更容易受到各种不可预见的安全漏洞的影响。因此，在其发展的各个阶段都应考虑安全性。当前将安全性“附加”到我们构建的系统上的方法还不够。相反，我们需要考虑这些系统日益重要的安全要求，并在设计时考虑“内置”安全性，以便在开发系统的同时生成和推理足够的证据来支持安全保证声明。 该研究计划的总体目标是通过增强用于工程安全软件依赖系统的安全设计方法来建立全面的安全保证解决方案。更具体地说，它的目标是开发更多增量、模块化和组合式解决方案，从一开始就保护系统，并生成足够的证据证明其对一系列网络攻击和故障的内置弹性。这需要将形式（数学上严格的）方法和安全设计方法相结合，以提供可验证的证据来支持系统开发早期阶段的安全保证声明。我们将通过以下方式实现这一目标：(1) 开发正式的建模和分析框架，通过这些框架，我们可以在开发的早期阶段提供软件相关系统安全属性保证的数学证明； (2) 建立系统级安全评估方法和技术，以了解和减轻已识别的安全漏洞对系统资产造成的风险； (3) 推进技术以支持管理、评估和提供足够证据以开发增量安全保证案例。政府、企业和用户希望确保他们使用的网络系统能够提供足够的保护，以减轻遭受攻击或故障时的潜在风险和相关损失。预期结果将有助于在系统开发的所有阶段建立足够的证据来提供这种保证。这将有助于减轻大型复杂依赖软件系统的安全性推理的一些挑战以及与安全保证和认证相关的高成本。这项研究支持加拿大的战略投资，将自己定位为网络安全的全球领导者。所获得的结果有可能影响和影响与高保证安全软件依赖系统的开发、评估和认证实践相关的标准、法规和指南的制定，使加拿大人对支撑他们日常生活的网络系统有更高的信心。