SEI-ACE Implementation Supports Secure IoT in Edge Environments
January 14, 2018—The SEI has released an implementation for authentication and authorization of Internet of Things (IoT) devices for use in edge environments. As part of the SEI’s mission to transition the technologies it develops to the larger software engineering community, the SEI has made this implementation, SEI-ACE, freely available in its open-source code repository on GitHub.
SEI researchers Sebastián Echeverría, Dan Klinedinst, and Grace Lewis based this implementation on an Internet Engineering Task Force (IETF) proposal for authentication and authorization in resource-constrained environments (ACE).
First responders, the military, medics, and other field personnel increasingly rely on IoT devices to support operations in edge environments in which network connectivity is often disconnected, intermittent, and limited (DIL). Threats in these environments often include sabotage, capture, and the impersonation of both IoT devices and their clients. To address these challenges, strong yet decentralized authentication and authorization mechanisms are necessary. This is what motivated the SEI team to develop SEI-ACE.
“The SEI-ACE code, and especially the resource-constrained version, are a crucial contribution to the IETF standardization process, because they allow interoperability testing with other implementations of the ACE framework, which is a condition for the IETF standardization process to move forward,” said Dr. Ludwig Seitz, senior researcher at the Security Lab of the RISE Research Institutes of Sweden. Seitz is the main author of the ACE draft. “The constrained implementation is especially important because all other publicly available implementations are aimed at less-constrained device classes,” said Seitz.
The constrained resource server implementation is targeted at Class 2 IoT devices, which are limited to approximately 50KB of memory and 250KB of storage. “This enables secure deployment of very low power sensors and actuators and supports common IoT networks such as Bluetooth Low Energy and Zigbee,” said Klinedinst.
“SEI-ACE can be used by anyone interested in the secure integration of IoT devices in their systems,” said Lewis, principal investigator for the Authentication and Authorization for IoT Devices in Edge Environments research project that created SEI-ACE.
Echeverría notes the team developed a number of new extensions to ACE to add functionality. “Besides being an implementation of ACE, SEI-ACE adds optional functionalities that are out-of-scope for ACE but needed in hostile DIL environments. These include support for bootstrapping and securely distributing credentials as well as the ability to revoke tokens due to devices being compromised. SEI-ACE implements this while still being fully ACE compliant,” said Echeverría.
“As ACE continues to make progress through the IETF standardization process we will continue to create awareness that not all IoT devices operate in stable and connected environments, such as home and industry, and that standards need to account for less stable edge environments,” said Lewis.
The SEI-ACE implementation contains code for the ACE client, authorization server, unconstrained resource server, constrained resource server, and supporting libraries.
Interested developers can download the code from the SEI GitHub repository: https://github.com/SEI-TTG/ace-client/wiki.
SCSS 2019 Explores Acquisition, Security, and the Supply Chain
January 14, 2019—Registration is open for the Software Engineering Institute's Software and Cyber Solutions Symposium (SCSS) 2019, a two-day event focusing on acquisition, security, and the supply chain. The symposium, which is free to attendees, will be held on Wednesday, February 13, in Arlington, Va. Four optional tutorials will be offered on February 14.
SCSS will present two dynamic keynote speakers: Shannon Lietz, DevSecOps leader and director at Intuit, and Dr. Will Roper, assistant secretary for Acquisition, Technology and Logistics, U.S. Air Force, who will discuss the risks facing the supply chain in today’s world.
Other topic experts on the SCSS program include
• David Danks, Carnegie Mellon University researcher, on moving beyond correlations and predictions to causal knowledge that can guide action, policy, and plans
• Derek Weeks, vice president at Sonatype and world-renowned researcher, on securing software supply chains
• Ceci Albert, Software Engineering Institute expert, on how software development processes affect your acquisition strategy
• Grace Lewis, Software Engineering Institute expert, who will give a mini-tutorial on emerging technologies for software-reliant systems
Four affordably priced half-day tutorials are available on Thursday, February 14:
• Secure DevOps: Build Secure Deployment Pipeline to Deploy Secure Application
• Software Assurance for the Supply Chain
• Scaling Agile Metrics to Large Complex Programs
• Understanding Software Architecture, Quality, and Security through Code
Tutorials are free to U.S. government employees using the promotional code GOVMIL.
Non-government employees can use the promotional code BONUS20 to receive 20 percent off the standard tutorial fee of $250 if purchasing more than one tutorial.
For more information about SCSS or to register, visit https://resources.sei.cmu.edu/news-events/events/scss/.
Registration Now Open for 15th Annual SATURN Conference
December 18, 2018—Registration is now open for SATURN 2019, a premier software architecture conference in its 15th year, designed for practitioners who are responsible for producing robust software architectures as well as for those who view software architecture as a critical element in the achievement of their business or organizational missions. SATURN 2019 will take place at the Sheraton Pittsburgh Hotel at Station Square from May 6 to 9.
The SATURN 2019 program includes a full day of courses to start the week and three days of conference sessions and networking opportunities.
Early-bird registration is open now through March 22 with additional discounts available to those in government and academic organizations, current full-time students, and groups of three or more within the same organization. Sponsorship packages, most of which include free conference registration, are also available.
If you want to be part of the SATURN 2019 program, submit a proposal by January 11 to the online submission system. For information about tracks, session types, and session lengths, see the SATURN 2019 Call for Submissions. Presenters whose proposals are accepted will receive free or discounted admission to the conference depending on the submission type.
For more information about SATURN 2019, visit the SATURN 2019 website.
Collaborative Solution Earns Top-Five Spot in DIUx Challenge
November 15, 2018—A team of researchers from Carnegie Mellon University and the University of Pittsburgh scored a top-five finish in the 2018 Defense Innovation Unit Experimental (DIUx) xView Detection Challenge. The challenge, conducted by the Pentagon in partnership with the National Geospatial-Intelligence Agency, sought innovative uses of computer vision techniques in a disaster response scenario to read satellite imagery more quickly and accurately. The Pittsburgh team applied a “chipping” technique to earn one of the competition’s top scores.
The team included Ritwik Gupta, a machine learning researcher at the Emerging Technologies Center at the Carnegie Mellon University Software Engineering Institute; 2d Lt Alex Fulton, a graduate student at the U.S. Air Force Institute of Technology and Carnegie Mellon’s Information Networking Institute; and Kaylene Stocking, an undergraduate student at the University of Pittsburgh.
According to DIUx organizers, “xView is one of the largest publicly available datasets of satellite imagery.” It contains complex scenes from around the world and focuses on humanitarian assistance and disaster relief tasks. This year, the xView Detection Challenge looked to advance progress in the field of computer vision by identifying solutions that would
• reduce minimum resolution for detection
• improve learning efficiency
• enable discovery of more object classes
• improve detection of fine-grained classes
“Making sense of satellite imagery can be an enormous challenge, especially when the area involved is large, time is of the essence, and the objects populating that area are many and diverse,” said Gupta. “Manual analysis methods are slow and eat up far too many analyst hours.”
Gupta explained that the large image size, the minute differences between class labels, and the density of objects in the xView dataset images make it difficult to accurately localize and classify objects using existing neural network techniques; the memory and processing-time limitations are too great. However, Gupta and his collaborators were able to overcome some of these limitations by employing a chipping technique that split the images into 300-pixel chips that overlapped by 50 percent.
“Each chip was responsible for detecting a unique area in the image,” said Gupta, “but could use part of other nearby chips to provide better context and improved detection accuracy.”
The team found that this continuous-context scheme not only improved detection performance but also promises to be more feasible for real-world detection in very large satellite images. The effectiveness of the team’s detection technique was validated by the xView Challenge scoring system, which automatically scored submissions based on classification accuracy.
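The chipping scheme described above, shown as an added illustration rather than the team's own code: chips of 300 pixels laid out with a 150-pixel stride (50 percent overlap), and one way to make each chip responsible for a unique area so that an object seen by up to four overlapping chips is reported once. The nearest-chip-centre ownership rule, the 1000x600 image size and the sample detections are assumptions of this example.

```python
from typing import Dict, List, Tuple

CHIP = 300            # chip edge length in pixels, as described in the article
STRIDE = CHIP // 2    # 50 percent overlap between neighbouring chips -> 150 px stride

# A detection: x, y, w, h in chip-local pixels plus a class label
Box = Tuple[int, int, int, int, str]

def chip_offsets(length: int) -> List[int]:
    """Start offsets of chips along one axis; the last chip is shifted to end on the border."""
    if length <= CHIP:
        return [0]
    offsets = list(range(0, length - CHIP + 1, STRIDE))
    if offsets[-1] + CHIP < length:
        offsets.append(length - CHIP)
    return offsets

def chip_windows(width: int, height: int) -> List[Tuple[int, int, int, int]]:
    """All (x0, y0, x1, y1) chip windows covering a width x height image."""
    return [(x, y, min(x + CHIP, width), min(y + CHIP, height))
            for y in chip_offsets(height) for x in chip_offsets(width)]

def owner_chip(cx: float, cy: float, width: int, height: int) -> Tuple[int, int]:
    """(col, row) of the chip whose centre is nearest to a detection centre.
    Nearest-centre ownership is an assumption of this example, not the team's rule."""
    xs, ys = chip_offsets(width), chip_offsets(height)
    col = min(range(len(xs)), key=lambda i: abs(cx - (xs[i] + CHIP / 2)))
    row = min(range(len(ys)), key=lambda i: abs(cy - (ys[i] + CHIP / 2)))
    return col, row

def merge_detections(width: int, height: int,
                     per_chip: Dict[Tuple[int, int], List[Box]]) -> List[Box]:
    """Map chip-local boxes to image coordinates and keep each object once,
    taken from the chip that owns its centre; neighbours only supplied context."""
    xs, ys = chip_offsets(width), chip_offsets(height)
    kept: List[Box] = []
    for (col, row), boxes in per_chip.items():
        ox, oy = xs[col], ys[row]
        for x, y, w, h, label in boxes:
            gx, gy = ox + x, oy + y
            if owner_chip(gx + w / 2, gy + h / 2, width, height) == (col, row):
                kept.append((gx, gy, w, h, label))
    return kept

# Constructed sample: a 1000x600 image in which two objects are each detected
# by every chip that covers them (coordinates are chip-local).
SAMPLE: Dict[Tuple[int, int], List[Box]] = {
    (0, 0): [(160, 40, 40, 40, "truck")],
    (1, 0): [(10, 40, 40, 40, "truck")],
    (1, 1): [(210, 150, 60, 40, "building")],
    (2, 1): [(60, 150, 60, 40, "building")],
    (2, 2): [(60, 0, 60, 40, "building")],
}
```

`chip_windows(1000, 600)` yields 18 overlapping chips, and `merge_detections(1000, 600, SAMPLE)` returns one global box per object.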
To learn more about the xView Detection Challenge, visit http://xviewdataset.org/.
SEI Launches New CERT Vulnerabilities Website
November 15, 2018—The Software Engineering Institute recently released a revamped CERT Coordination Center (CERT/CC) Vulnerabilities Database website at https://www.kb.cert.org/vuls. The Vulnerability Notes Database provides information about software vulnerabilities, including summaries, technical details, remediation information, and lists of affected vendors.
Changes to the website include improved visual design, page navigation, and organization of elements on the page. The aim of the changes is to provide a better user experience for visitors to the site. Functionality of the site remains much the same. Researchers can still report a vulnerability to CERT/CC, and anyone can access the details of Vulnerability Notes.
The CERT/CC is part of the larger CERT Division of the SEI, the world’s leading trusted authority dedicated to improving the security and resilience of computer systems and networks and a national asset in the field of cybersecurity.
Check out the new site at https://www.kb.cert.org/vuls/; to report a vulnerability, see https://www.kb.cert.org/vuls/report/.