CEST - Confidential Evaluation of Software Trustworthiness

Purpose and goal:

Due to increased softwarerization of critical infrastructures governments are issuing security regulations on software security assurance. Manufacturer of, e.g. telco equipment must disclose their proprietary software code to 3rd party evaluators. But proprietary software contains intellectual property and disclosing source code across jurisdictions increases the risk of piracy and zero-day attacks.

The project main goal was to research a solution that would allow the evaluation of software security and collection of assurance evidence without source code disclosure. Expected results and effects:

The project has designed a service that allows software vendors to submit their encrypted proprietary software to a secure platform, where the software is confidentially evaluated, and only evaluation results are exposed to authorized 3rd party evaluators. The source code is never disclosed. Two emerging technologies make the approach feasible: confidential computing and AI-powered software analysis tools.

The project has implemented a proof-of-concept that shows the feasibility of the approach for Telco security assurance, but the approach applies to other industry sectors. Approach and implementation:

The project lasted 2-years May 2021 May 2023 with 4 partners: atsec, Ericsson, Hyker and RISE. Ericsson took the roles of project management and technical coordination. The work was divided into 4 working packages (WPs) and each WP consisted of several tasks.

For each task, one partner was assigned to drive it according to the partner skills and competence. The major bulk of work was on the development and implementation of the proof-of-concept (PoC) that took extra time and resources to complete. The PoC is deployed as a Service for interested parties.