An Integrated Framework for Multi-layer Certification-based Assurance

Rajesh Harjani, University of Malaga, Malaga (Spain), rajesh@lcc.uma.es
Antonio Maña, University of Malaga, Malaga (Spain), amg@lcc.uma.es
Marcos Arjona, University of Malaga, Malaga (Spain), marcos@lcc.uma.es
Antonio Muñoz, University of Malaga, Malaga (Spain), amunoz@lcc.uma.es
Javier Espinar, University of Malaga, Malaga (Spain), espinar@lcc.uma.es
Hristo Koshutanski, University of Malaga, Malaga (Spain), hristo@lcc.uma.es

ABSTRACT

Complexity, dynamism and overlays in networks and systems are some of the main challenges we face nowadays when reasoning about systems' assurance and behavior. Security certification has been shown to be a solid foundation for providing assurance and trust about system properties. This paper presents a certification framework for composite, layered and evolving systems, such as cloud systems or cyber-physical systems. The framework's certification-based methodology provides a solid ground for the security assurance of these systems. The framework integrates two main domains of research: (i) certification models and mechanisms (based on testing, monitoring, trusted computing and hybrid evidence) for providing assurance of the system components and attesting properties of the composite systems; and (ii) software engineering processes, methodologies and tools that enable developers to engineer cloud applications with strong awareness of, and explicit requirements on, the security assurance of the underlying cloud platforms and services.

Keywords

Assurance, Security, Multi-layer Certification, Engineering Process, Monitoring, Testing, Trusted Computing.

1. INTRODUCTION

Most of the current trends and paradigms in computing systems (notably cyber-physical systems, the Internet of Things and cloud computing) share a series of characteristics that greatly complicate the task of guaranteeing their behavior, especially in terms of security, dependability, privacy, etc.
Among these characteristics, we highlight three essential ones:

Dynamism: Systems are not static anymore. At design time, system engineers do not have all the information they would need to design systems that fulfill their requirements, especially the non-functional ones such as security, dependability and performance. Moreover, they have to design systems that have both adaptation capabilities (short-term reactions to better fit the current context and system state) and evolution capabilities (long-term reactions to keep the system aligned with its design goals and the external situation). In this situation there is no permanent and complete system implementation to which thorough and rigorous code review, testing, formal analysis and other techniques can be applied in order to verify (ensure the quality and correctness of) and validate (ensure fulfillment of the requirements of) these systems as a whole.

Composition: Most of the new computing paradigms and trends follow a component-based approach. Systems are created by integrating components, both statically at development time and dynamically at runtime. These components frequently come from different providers, and sometimes remain under the control of those providers instead of the system owner. The evolution of these components is decoupled from the evolution of the systems in which they are used. Composition in these systems happens both vertically (between what we normally call layers) and horizontally (between components at the same layer).

Complexity: We have already mentioned that systems are larger, include more functionality, require more guarantees, are interconnected with other systems to form systems-of-systems, are in continuous evolution, etc. The combination of these characteristics inevitably results in levels of complexity that scale up quickly.
Providing a practical approach to support assurance in complex, composite, layered and evolving systems requires the combination of different elements in a coherent and integrated way. In particular, a practical assurance approach for these types of systems requires at least mechanisms: (i) to provide static assurance for the system components; (ii) to attest the dynamic state of system components (including the supporting hardware infrastructure); and (iii) to derive properties of the composite system from the state and properties offered by its components. In addition to these, we also believe that any successful approach must be complemented with engineering processes, methods and tools that support developers of such systems in taking full advantage of the approach. Recent extensions and improvements to several existing technologies, such as certification, trusted computing, monitoring and reconfiguration, provide a solid basis for developing an integrated layered assurance framework that supports the assurance of complex, composite, layered and evolving systems in practice. In this paper, we present such an approach, show how it is applied to cloud computing and discuss the challenges of its future application to other types of systems, with a particular focus on cyber-physical systems.

2. INTEGRATED CERTIFICATION-BASED ASSURANCE FRAMEWORK

A common approach in enhancing assurance and reducing risks in the light of such uncertainties is to rely on the certification of the