Arguing Assurance in Trusted Execution Environments using Goal Structuring Notation / Argumentera assurans i trusted execution environment med goal structuring notation

Cole, Nigel

January 2021

A trusted execution environment (TEE) is an isolated environment used for trusted execution. TEE solutions are usually proprietary and specific for a certain hardware specification, thereby limiting developers that use those TEEs. A potential solution to this issue is the use of open-source alternatives such as the TEE framework Keystone and the Reduced Instruction Set Computer V (RISC-V) hardware. These alternatives are rather young and are not as well established as the variants developed by ARM and Intel. To this end, the assurance in Keystone and RISC-V are analysed by studying a remote attestation assurance use case using the goal structuring notation (GSN) method. The aim is to investigate how GSN can be utilised to build assurance cases for TEEs on RISC-V. This thesis presents a process of how GSNs can be created to argue assurance for a TEE solution. Furthermore, Keystone operates under a specific threat model with made assumptions that may have a large impact depending on the use case. Therefore, Keystone is analysed to understand whether the framework mitigates existing vulnerabilities in TEEs. It is concluded that GSN is a viable method for arguing assurance in TEEs, providing great freedom in the creation of the GSN model. The freedom is also its weakness since the argument composition has a high impact on the argument. Furthermore, we conclude that Keystone mitigates multiple known vulnerabilities primarily through made assumptions in its threat model. These cases need to be considered by developers utilising Keystone to determine whether or not the assumptions are valid for their use case.

Assurance

Trusted Execution Environment

TEE

Goal Structuring Notation

GSN

Keystone

Computer Sciences

Datavetenskap (datalogi)

A CASE STUDY IN ASSURANCE CASE DEVELOPMENT FOR SCIENTIFIC SOFTWAR

Sayari Nejad, Mojdeh

January 2017

Assurance Cases have been effectively used for improving the safety of real-time safety systems. However, until now, Assurance Case techniques have not been applied to building confidence in the correctness of Scientific Computing (SC) software. Our approach is to employ Assurance Case techniques to the case of a specific medical image analysis software, 3dfim+, and then generalize the results/template for other medical and SC software. Using the Goal Structuring Notation (GSN), we develop an Assurance Case to support the top goal that "Program 3dfim+ delivers correct outputs when used for its intended use/purpose in its intended environment." This claim is supported by several sub-claims, including the claims that high-quality requirements exist and that the implementation complies with the requirements. The full argument decomposes each sub-claim further until at the bottom level evidence is provided. The evidence provided includes the requirements documentation, test cases and expert review. To simplify the Assurance Case diagram, a new generic module, parameterized over quality, was developed to argue that each quality has been achieved. Evaluation of the full Assurance Case shows that this approach is feasible for building confidence in SC software, even in the practical situation where confidence is sought, but redesign and reimplementation are not possible. The exercise uncovered issues with the original documentation for 3dfim+, including missing assumptions, and ambiguity with the chosen sign convention. Furthermore, although no errors in output were found, the Assurance Case highlights that confidence in the original 3dfim+ software could be improved through additional checks for input validity. / Thesis / Master of Science (MSc)