SecurEval
Improving Digital Systems Security Evaluation

News

Second project plenary meeting
18th Sep 2023

The second plenary meeting of the SecurEval project was held on 18th September at Campus Cyber near Paris.

Best poster award at GDR GPL 2023
5th Jun 2023

A best poster award was received at GDR GPL 2023 for work on incremental safety analysis with CEA and Sorbonne Université.

Polytechnique's award for research internship
1st Dec 2022

Matthéo Vergnolles received an award for his research internship at CEA, for his work on relational analysis and hidden channels.

The project

The SecurEval project is part of the Systems Security theme of this PEPR and concerns the assessment of the security of digital systems. Digital system security assessment relies on compliance and vulnerability analyses to provide recognized cybersecurity assurances: it is a fundamental element of digital sovereignty and of the European autonomy strategy. France has established international leadership in this field, but with the drastic increase in the complexity of both attacks and the systems to be assessed, it is now essential to support its experts with new scientific and technical tools and techniques, covering both hardware and software assessments.

Within the framework of SecurEval, innovative tools will be designed around new digital technologies in order to verify the absence of hardware and software vulnerabilities, and to carry out the required proof of conformity. These developments will be based on a twofold approach: first theoretical, founded on the French school of symbolic reasoning; second applied, anchored in the practice of tool development and security assessment techniques. In addition, by exploring new techniques for security assessments, this project will also allow France to remain at the state of the art in terms of assessment capabilities, by anticipating the evolution of international certification schemes.

In order to deal effectively with modern digital systems, code analysis techniques, which originated in the world of critical systems, must be overhauled to adapt to the objectives of security assessments and to scale up to complex systems that combine dedicated functionalities and third-party libraries. Examples include the design of new fault models, support for emerging languages, the visualization of formal guarantees, the use of learning techniques to automate repetitive actions or optimize the extraction of relevant information, and the development of approaches combining static and dynamic analyses.

Downstream of the evaluation, the proof of conformity and compliance with standards remains today a manual and very time-consuming step. This priority project will aim to research methodologies and tools to provide proof of compliance of software systems, including when they evolve in response to a vulnerability testing campaign (bug bounty), for example.

Objectives

The aim of the project is to design tools based on new digital technologies in order to verify the absence of hardware and software vulnerabilities, and to provide the required proof of conformity. These innovative developments will be based on a dual approach, firstly theoretical and founded on the French school of symbolic reasoning, and secondly applied and rooted in the practice of developing security assessment tools and techniques. In addition, by exploring new techniques for safety assessments, this project will also enable France to maintain its world-leading assessment capabilities, by anticipating changes in international certification schemes.

Furthermore, to deal effectively with modern digital systems, code analysis techniques, which originated in the world of critical systems, need to be overhauled to adapt to the objectives of security assessment and to scale up to complex systems that combine dedicated functionalities and third-party libraries. Examples include the design of new fault models, support for emerging languages, the visualisation of formal guarantees, the use of learning techniques to automate repetitive actions or optimise the extraction of relevant information, and the development of approaches combining static and dynamic analyses.

Downstream of the evaluation, proof of conformity and compliance with standards remains a manual and very time-consuming stage today. The priority project will aim to research methodologies and tools for providing proof of compliance for software systems, including when they evolve in response to a vulnerability testing campaign (bug bounty), for example.

The project will pay particular attention to the potential impact of its results on the security assessment professions. The involvement of the CESTI CEA teams, particularly in the needs analysis and benchmarking phases, is a strong differentiating feature of this project.