Systems that include IoT devices are particularly difficult to protect against security threats. Each connection point can create opportunities for hackers to attack. In critical infrastructures, the consequences can be disastrous. To make matters worse, these complex systems include more and more software with a whole new set of unknowns—like who developed the software and how—that make it very difficult to guarantee security with any degree of assurance. And, because IoT systems are modular, every time software is added, new vulnerabilities are potentially introduced into the system.
The LEIA project, winner of a French government Grand Défi grant for technology projects, is providing an opportunity for smart digital systems specialist CEA-List and Systerel to pool their knowledge of formal methods, language analysis, and artificial intelligence. The partners have come up with an original approach that will leverage their powerful software analysis tools and learning algorithms to home in on pertinent security targets. The Grand Défi offers a unique framework to identify and exploit breakthrough opportunities in the combination of formal methods and AI techniques.
The cost-effective IoT security platform they are developing will be capable of automatically and incrementally analyzing IoT software and software updates. It will also speed up the time-consuming software validation process.
The future platform will bring key tools and capacities in support of France’s digital sovereignty and the EU’s strategic autonomy. The first versions will be marketed in the second half of 2022, thanks to the experience of CEA in technology transfer and Systerel in the industrialization of formal verification solutions.
The main objective of the LEIA project is to develop a highly automated software security validation platform that can be integrated into agile development cycles. At a time when demand for software security is growing faster than ever, this project will deliver analysis tools capable of providing exhaustive security guarantees, at scale.
To effectively address this challenge and, specifically, provide formal verification of the security of a wide range of software applications at a competitive cost, the project will focus on two main issues. First, state-of-the-art parsers will be extended to improve scalability and enable incremental analysis of software. Second, the project will investigate the use of artificial intelligence in the implementation of analysis tools, for purposes such as translating requirements expressed in natural language into formal specifications, so that security aspects are addressed more effectively from the very earliest stages of the development process.
The partners’ respective areas of expertise round each other out particularly well on this project, allowing them to address the full range of topics involved. Systerel brings deep knowledge of artificial intelligence and will harness learning algorithms to home in on pertinent security targets with a high degree of precision. The scientists at CEA-List will contribute software analysis tools like Frama-C (C/C++) and Binsec (binary code). Their research also includes technologies to describe and understand multimedia (image, text, speech) and multilingual content, including at large scales. Finally, CEA-List scientists design and develop artificial intelligence software solutions. These tools are part of CEA-List’s long-standing toolkit and play a vital role in the institute’s mission of transferring new technologies to businesses.