As the number of IoT devices increases, so does the amount of IoT-related software. And more software means considerably more vulnerabilities to contend with. The CEA and Systerel are working together to develop a powerful and original smart analysis platform to guarantee the security not only of IoT devices, but also of the software associated with these devices. The research is taking place under the LEIA project, which was awarded funding through the French government’s Grand Défi instrument for technology projects.
Systems that include IoT devices are particularly difficult to protect against security threats. Each connection point creates an additional vulnerability that hackers can exploit. For critical infrastructures, the consequences can be disastrous. To make matters worse, these complex systems include more and more software with a whole new set of unknowns—like who developed the software and how—that make it nearly impossible to guarantee security with any degree of assurance. And, because IoT systems are modular, every time software is added, new vulnerabilities are potentially introduced into the system.
The LEIA project, winner of a French government Grand Défi grant for technology projects, is providing a framework for smart digital systems specialist CEA-List and Systerel to pool their knowledge of formal methods, language analysis, and artificial intelligence. The partners have come up with an original approach that will leverage their powerful software analysis tools and learning algorithms to home in on pertinent security targets.The Grand Défi offers a unique framework to identify and exploit breakthrough opportunities in the combination of formal methods and AI techniques.
The cost-effective IoT security platform they are developing will be capable of automatically and incrementally analyzing IoT software and software updates. It will also speed up the time-consuming software validation process.
The future platform will play a key role in supporting France’s digital sovereignty and the EU’s strategic autonomy. The CEA’s proven tech transfer processes and Systerel’s experience scaling up formal verification solutions will be instrumental in releasing the components of the future platform as they are built. A complete final version will be released at the end of the project.
The main objective of the LEIA project is to develop a highly automated software security validation platform that can be integrated into agile development cycles. At a time when demand for software security is growing faster than ever, this project will deliver analysis tools capable of providing solid security guarantees.
To effectively address this challenge and, specifically, provide formal verification of the security of a wide range of software applications at a competitive cost, the project will focus on two main issues. First, state-of-the-art parsers will be extended to improve scalability and enable incremental analysis of software. Second, the use of artificial intelligence in the implementation of analysis tools will be investigated for purposes like translating requirements expressed in natural language into formal specifications so as to ensure that security aspects are more effectively addressed from the very earliest stages of the development process.
The partners’ respective areas of expertise round each other out particularly well on this project, allowing them to address the full range of topics involved. Systerel brings deep knowledge of artificial intelligence and will harness learning algorithms to home in on pertinent security targets with a high degree of precision. The scientists at CEA-List will contribute software analysis tools like Frama-C (C/C++) and Binsec (binary code). Their research also includes technologies to describe and understand multimedia (image, text, speech) and multilingual content, including at large scales. Finally, CEA-List scientists design and develop artificial intelligence software solutions. These tools are part of CEA-List’s long-standing toolkit and play a vital role in the institute’s mission of transferring new technologies to businesses.