User-controlled hardware security anchors: evaluation and designs
Lead Research Organisation:
University of Birmingham
Department Name: School of Computer Science
Abstract
Many modern processors are equipped with hardware extensions that enable some kind of Trusted Execution Environment (TEE). This allows programs to run securely, protected from other programs or operating system software running on the processor. By establishing a secure interface between the user and the hardware anchor, we can make user platforms and devices more resilient to malware and other types of cyber attacks.
One of the main goals of this project is to promote and facilitate the adoption of TEE as the main trust anchor for our security architectures. As such, the security of the TEEs themselves is of paramount importance. We will perform a thorough evaluation of the security features of different TEE implementations to determine their suitability as trust anchors. This includes assessing cryptographic protocols, side-channel vulnerabilities, and implementation weaknesses.
Hardware supported TEEs aim to ensure that code can execute securely. However, user interface devices (for example, a keyboard, display or touch screen) are usually not connected directly to the secure hardware, which means that the user cannot interact securely with the TEE. We will address the limitations of users interacting directly with TEEs through analysing use cases and developing secure interfaces using auxiliary devices and dedicated features.
Authentication today is largely based on user supplied information like passwords or biometrics. These approaches often use information that is easy to steal or brute force. The industry has been moving towards multi-factor authentication as a means of spreading risk, but these approaches impose usability challenges while still relying on weak factors. We will investigate opportunities to leverage strong hardware-based security mechanisms to improve both the strength and usability of authentication. We will also build an architecture for designing protocols and user experiences that leverage these hardware security primitives to enhance the security, manageability, and usability of user authentication over existing approaches.
The analysis and applications of our research findings will be demonstrated and implemented on suitable platforms including secure hardware, smart devices and integration with authentication tokens.
Planned Impact
A key aim for the UK National Cyber Security Strategy is engaging government, industry, researchers and users in promoting 'secure by default' for future software and hardware. This is in response to the inherent insecurity of any information that passes over the internet and its ramifications for all sectors of society. For example, internet banking fraud rose by 64% in 2015 to £133.5m, and there are increasing numbers of high profile cases involving, for example, NHS services in malware incidents. This project aims to tackle issues such as phishing, malware, and user credential compromise by improving hardware security anchors in user devices through:
1. Performing thorough security evaluations on a variety of hardware security anchors or enclaves being developed and marketed for user devices such as laptops and smartphones (WP1).
2. Enhancing those security mechanisms for user-centric applications, by providing user interfaces which establish a secure channel with the hardware security anchor (WP2).
In particular, we seek to address the challenges of user authentication in an IoT world, by designing secure protocols and procedures to provide easy-to-use secure enrolment and revocation of devices in authentication and authorisation realms (WP3).
3. Providing convincing demonstrators of our mechanisms and use cases (WP4).
The project outputs are expected to have an impact on industry, academic researchers and society in the following ways:
(1) Industry and government:
Our project partners HP Inc and Yubico AB will benefit by directly using the research outputs to build better products. For example, we expect that HP will build more secure laptops (Task 2.3). Our expected contributions to the FIDO standard will result in better Yubico authentication tokens (WP3).
More widely, other companies and government departments will benefit, by having these improved products and standards, and having access to the research.
(2) Academic researchers:
The outcomes of the project will provide
(a) Novel techniques for analysing hardware security primitives, which have applications in broader security contexts as well;
(b) New protocols and designs for user interfaces to TEEs, which can be used for broader user-centric applications besides the ones we develop in this proposal;
(c) New techniques and tools for verification.
These contributions are ideal for other academic researchers in cyber security, programming and verification (both within and outside the RI) to build upon.
(3) Society as a whole, through improved security and better products.
The impact of improved hardware security will improve usability and security for a wide range of devices and the means by which our many connected devices communicate with one another. This will enhance the readily available security features for individual users. By extension, the positive impact of increased security surrounding user authentication (including resilience to phishing and malware) will be felt across organisations of all sizes. Government in particular stands to benefit from increased security in all departments, as will any business that involves multiple users being authenticated to access information and systems. This will have further impact in specific sectors such as banking and health services that deal directly with private information that must have controlled access. By securing the underlying hardware systems and enabling more secure user interaction, all online activities will become more secure for all users.
Publications
Chen Z
(2023)
PMFault: Faulting and Bricking Server CPUs through Management Interfaces: Or: A Modern Example of Halt and Catch Fire
in IACR Transactions on Cryptographic Hardware and Embedded Systems
Chen Z.
(2021)
VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface
in Proceedings of the 30th USENIX Security Symposium
Cheng Z
(2023)
Watching your call: Breaking VoLTE Privacy in LTE/5G Networks
in Proceedings on Privacy Enhancing Technologies
Cheval V
(2023)
Automatic verification of transparency protocols
Hicks C.
(2018)
Dismantling the AUT64 Automotive Cipher
in IACR Transactions on Cryptographic Hardware and Embedded Systems
Title | Cyber security awareness month campaign |
Description | Social Media campaign for Cyber security awareness month |
Type Of Art | Film/Video/Animation |
Year Produced | 2019 |
Impact | Increased engagement and awareness online. |
URL | https://www.youtube.com/watch?v=defYa77Dw8w |
Title | Cyber security awareness month campaign |
Description | Video produced for a social media campaign for cyber security awareness month. |
Type Of Art | Film/Video/Animation |
Year Produced | 2019 |
Impact | Increased engagement and awareness. |
URL | https://www.youtube.com/watch?v=lWRT_TnEQdM |
Title | Quest video campaign |
Description | A video produced for the University's quest campaign |
Type Of Art | Film/Video/Animation |
Year Produced | 2019 |
Impact | Video features researchers from the Centre for Cyber Security and Privacy talking about: How can we stay safe from hackers in the era of 'smart products'? |
URL | https://www.youtube.com/watch?v=PDCCNuAjW5s&t= |
Description | We have analysed the security of several Trusted Execution Environments (TEEs) as these can be used as a root of trust and identified several (dozens) critical vulnerabilities. Furthermore, we have developed a new type of attack, which we called Plundervolt, which is able to inject computation faults into a TEE by leveraging dynamic voltage scaling features of the processor. We have worked together with the affected manufacturers developing solutions which has led to several cooperations. We have worked on using hardware security anchors for several applications, especially the application of assisting user authentication. This is work in progress. |
Exploitation Route | We have disseminated our vulnerability discoveries to the relevant manufacturers and designers, who will use it to improve their products. We are working with companies on developing applications of hardware security anchors for user authentication. We hope they will develop products. |
Sectors | Digital/Communication/Information Technologies (including Software) Electronics Security and Diplomacy |
Description | We have disseminated our vulnerability discoveries to the relevant manufacturers and designers, who will use them to improve their products. The methodology introduced in our paper "A Tale of Two Worlds" revealed 35 vulnerabilities in 8 security-critical shielding frameworks for Intel processors. By responsibly disclosing these vulnerabilities and working together with the affected manufacturers, all of these vulnerabilities are now fixed. This resulted in numerous security patches for commercial products including the Intel SGX-SDK, Microsoft Open Enclave, Google Asylo, and the Rust compiler. In June 2019, we informed Intel about a new type of vulnerability in their processors, which we called Plundervolt. Since then, we have had an open dialogue with Intel, to which we provided proof of concept code and demonstrators. As a consequence of this disclosure process, last December Intel rolled out a new microcode update to all of their processors worldwide. This covers approximately 90% of all computer processors (CPUs). This has also attracted substantial media attention. We are working with companies on developing applications of hardware security anchors for user authentication. We hope they will develop products. |
First Year Of Impact | 2019 |
Sector | Digital/Communication/Information Technologies (including Software),Electronics,Security and Diplomacy |
Impact Types | Economic |
Description | CAP-TEE: Capability Architectures for Trusted Execution |
Amount | £1,000,206 (GBP) |
Funding ID | EP/V000454/1 |
Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
Sector | Public |
Country | United Kingdom |
Start | 07/2020 |
End | 06/2024 |
Description | IOTEE: Securing and analysing trusted execution beyond the CPU |
Amount | £448,286 (GBP) |
Funding ID | EP/X03738X/1 |
Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
Sector | Public |
Country | United Kingdom |
Start | 08/2023 |
End | 08/2026 |
Description | SCAvenger - Attacking Machine Learning with Side Channel Attacks |
Amount | £54,000 (GBP) |
Organisation | Intel Corporation |
Sector | Private |
Country | United States |
Start | 02/2021 |
End | 02/2023 |
Description | SIPP - Secure IoT Processor Platform with Remote Attestation |
Amount | £1,294,888 (GBP) |
Funding ID | EP/S030867/1 |
Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
Sector | Public |
Country | United Kingdom |
Start | 12/2019 |
End | 08/2023 |
Title | A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes (Dataset) |
Description | This repository contains the source code accompanying our CCS'19 paper which methodologically analyzes interface sanitization vulnerabilities for 8 different enclave shielding runtimes across the ABI and API tiers. Jo Van Bulck, David Oswald, Eduard Marin, Abdulla Aldoseri, Flavio D. Garcia, Frank Piessens. A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes. In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS'19). |
Type Of Material | Database/Collection of data |
Year Produced | 2021 |
Provided To Others? | Yes |
URL | https://zenodo.org/record/4725211 |
Title | A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes (Dataset) |
Description | This repository contains the source code accompanying our CCS'19 paper which methodologically analyzes interface sanitization vulnerabilities for 8 different enclave shielding runtimes across the ABI and API tiers. Jo Van Bulck, David Oswald, Eduard Marin, Abdulla Aldoseri, Flavio D. Garcia, Frank Piessens. A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes. In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS'19). |
Type Of Material | Database/Collection of data |
Year Produced | 2021 |
Provided To Others? | Yes |
URL | https://zenodo.org/record/4725210 |
Title | Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis (Dataset) |
Description | This repository contains source code and data to reproduce results from our paper "Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis" at CHES 2021. Abstract: The bootloader of an embedded microcontroller is responsible for guarding the device's internal (flash) memory, enforcing read/write protection mechanisms. Fault injection techniques such as voltage or clock glitching have been proven successful in bypassing such protection for specific microcontrollers, but this often requires expensive equipment and/or exhaustive search of the fault parameters. When multiple glitches are required (e.g., when countermeasures are in place) this search becomes of exponential complexity and thus infeasible. Another challenge which makes embedded bootloaders notoriously hard to analyse is their lack of debugging capabilities. This paper proposes a grey-box approach that leverages binary analysis and advanced software exploitation techniques combined with voltage glitching to develop a powerful attack methodology against embedded bootloaders. We showcase our techniques with three real-world microcontrollers as case studies: 1) we combine static and on-chip dynamic analysis to enable a Return-Oriented Programming exploit on the bootloader of the NXP LPC microcontrollers; 2) we leverage on-chip dynamic analysis on the bootloader of the popular STM8 microcontrollers to constrain the glitch parameter search, achieving the first fully-documented multi-glitch attack on a real-world target; 3) we apply symbolic execution to precisely aim voltage glitches at target instructions based on the execution path in the bootloader of the Renesas 78K0 automotive microcontroller. For each case study, we show that using inexpensive, open-design equipment, we are able to efficiently breach the security of these microcontrollers and get full control of the protected memory, even when multiple glitches are required. Finally, we identify and elaborate on several vulnerable design patterns that should be avoided when implementing embedded bootloaders. |
Type Of Material | Database/Collection of data |
Year Produced | 2021 |
Provided To Others? | Yes |
URL | https://zenodo.org/record/4726616 |
Title | Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis (Dataset) |
Description | This repository contains source code and data to reproduce results from our paper "Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis" at CHES 2021. Abstract: The bootloader of an embedded microcontroller is responsible for guarding the device's internal (flash) memory, enforcing read/write protection mechanisms. Fault injection techniques such as voltage or clock glitching have been proven successful in bypassing such protection for specific microcontrollers, but this often requires expensive equipment and/or exhaustive search of the fault parameters. When multiple glitches are required (e.g., when countermeasures are in place) this search becomes of exponential complexity and thus infeasible. Another challenge which makes embedded bootloaders notoriously hard to analyse is their lack of debugging capabilities. This paper proposes a grey-box approach that leverages binary analysis and advanced software exploitation techniques combined with voltage glitching to develop a powerful attack methodology against embedded bootloaders. We showcase our techniques with three real-world microcontrollers as case studies: 1) we combine static and on-chip dynamic analysis to enable a Return-Oriented Programming exploit on the bootloader of the NXP LPC microcontrollers; 2) we leverage on-chip dynamic analysis on the bootloader of the popular STM8 microcontrollers to constrain the glitch parameter search, achieving the first fully-documented multi-glitch attack on a real-world target; 3) we apply symbolic execution to precisely aim voltage glitches at target instructions based on the execution path in the bootloader of the Renesas 78K0 automotive microcontroller. For each case study, we show that using inexpensive, open-design equipment, we are able to efficiently breach the security of these microcontrollers and get full control of the protected memory, even when multiple glitches are required. Finally, we identify and elaborate on several vulnerable design patterns that should be avoided when implementing embedded bootloaders. |
Type Of Material | Database/Collection of data |
Year Produced | 2021 |
Provided To Others? | Yes |
URL | https://zenodo.org/record/4726617 |
Title | Magnifying Side-Channel Leakage of Lattice-Based Cryptosystems with Chosen Ciphertexts: The Case Study of Kyber (Dataset) |
Description | This repository contains data to reproduce results from the paper "Magnifying Side-Channel Leakage of Lattice-Based Cryptosystems with Chosen Ciphertexts: The Case Study of Kyber." Abstract: In this paper, we propose EM side-channel attacks with carefully constructed ciphertext on Kyber, a lattice-based key encapsulation mechanism, which is a candidate of the NIST Post-Quantum Cryptography standardization project. We demonstrate that specially chosen ciphertexts allow an adversary to modulate the leakage of a target device and enable full key extraction with a small number of traces through simple power analysis. Compared to prior research, our techniques require a lower number of traces and avoid the need for template attacks. We practically evaluate our methods using both a clean reference implementation of Kyber and the ARM-optimized pqm4 library. For the reference implementation, we target the leakage of the output of the inverse NTT computation and recover the full key with only four traces. For the pqm4 implementation, we develop a message-recovery attack that leads to extraction of the full secret key with between eight and 960 traces (or 184 traces for recovering 98% of the secret key), depending on the compiler optimization level. We discuss the relevance of our findings to other lattice-based schemes and explore potential countermeasures. |
Type Of Material | Database/Collection of data |
Year Produced | 2021 |
Provided To Others? | Yes |
URL | https://zenodo.org/record/4726797 |
Title | Magnifying Side-Channel Leakage of Lattice-Based Cryptosystems with Chosen Ciphertexts: The Case Study of Kyber (Dataset) |
Description | This repository contains data to reproduce results from the paper "Magnifying Side-Channel Leakage of Lattice-Based Cryptosystems with Chosen Ciphertexts: The Case Study of Kyber." Abstract: In this paper, we propose EM side-channel attacks with carefully constructed ciphertext on Kyber, a lattice-based key encapsulation mechanism, which is a candidate of the NIST Post-Quantum Cryptography standardization project. We demonstrate that specially chosen ciphertexts allow an adversary to modulate the leakage of a target device and enable full key extraction with a small number of traces through simple power analysis. Compared to prior research, our techniques require a lower number of traces and avoid the need for template attacks. We practically evaluate our methods using both a clean reference implementation of Kyber and the ARM-optimized pqm4 library. For the reference implementation, we target the leakage of the output of the inverse NTT computation and recover the full key with only four traces. For the pqm4 implementation, we develop a message-recovery attack that leads to extraction of the full secret key with between eight and 960 traces (or 184 traces for recovering 98% of the secret key), depending on the compiler optimization level. We discuss the relevance of our findings to other lattice-based schemes and explore potential countermeasures. |
Type Of Material | Database/Collection of data |
Year Produced | 2021 |
Provided To Others? | Yes |
URL | https://zenodo.org/record/4726798 |
Description | Google Asylo |
Organisation | |
Department | Research at Google |
Country | United States |
Sector | Private |
PI Contribution | Disclosed vulnerabilities. Found instances of the problematic [user_check] attribute that lacked proper pointer validation, leaving critical vulnerabilities in the compiled enclave. |
Collaborator Contribution | - |
Impact | Improved security of products. |
Start Year | 2019 |
Description | INTEL-SA-00289 |
Organisation | Intel Corporation |
Department | Intel Corporation (UK) Ltd |
Country | United Kingdom |
Sector | Private |
PI Contribution | Vulnerabilities disclosed. CVE-2019-11157 |
Collaborator Contribution | They fixed the flaw in all Intel processors via a microcode update. |
Impact | Improved security of products. |
Start Year | 2019 |
Description | Intel SGX-SDK |
Organisation | Intel Corporation |
Department | Intel Corporation (UK) Ltd |
Country | United Kingdom |
Sector | Private |
PI Contribution | Disclosed vulnerabilities, CVE-2018-3626 and CVE-2019-14565. |
Collaborator Contribution | - |
Impact | Improved security of product. |
Start Year | 2019 |
Description | Microsoft Open Enclave |
Organisation | Microsoft Research |
Department | Microsoft Research Cambridge |
Country | United Kingdom |
Sector | Private |
PI Contribution | Disclosed vulnerabilities: CVE-2019-0876, CVE-2019-1369, and CVE-2019-1370. |
Collaborator Contribution | - |
Impact | Improved security of products. |
Start Year | 2019 |
Title | Pandora: Tool for Principled Symbolic Validation of Intel SGX Enclave Runtimes |
Description | Pandora is a symbolic execution tool designed for truthful validation of Intel SGX enclave shielding runtimes. Pandora is based on the fabulous angr and extends it with enclave semantics such as Intel SGX instruction support, a realistic enclave memory view, attacker taint tracking, and report generation for a set of powerful vulnerability plugins. |
Type Of Technology | Software |
Year Produced | 2023 |
Open Source License? | Yes |
Impact | Pandora is the result of our research publication at the 45th IEEE Symposium on Security and Privacy (IEEE S&P 2024). |
URL | https://github.com/pandora-tee |
Title | PoC for PMFault |
Description | This software checks and demonstrates the vulnerabilities reported in the paper "PMFault: Faulting and Bricking Server CPUs through Management Interfaces", to appear at TCHES 2023. |
Type Of Technology | Software |
Year Produced | 2023 |
Open Source License? | Yes |
Impact | Media coverage in the New Scientist |
URL | https://github.com/zt-chen/PMFault |
Title | Proof of concept code demonstrating security vulnerabilities in commercial products |
Description | A tale of two worlds: Assessing the vulnerability of enclave shielding runtimes This github repository contains the source code accompanying our CCS'19 paper which methodologically analyzes interface sanitization vulnerabilities for 8 different enclave shielding runtimes across the ABI and API tiers. |
Type Of Technology | Software |
Year Produced | 2019 |
Open Source License? | Yes |
Impact | Affected product manufacturers have used this code to reproduce our findings and confirm the vulnerabilities in their products. These helped them to assess their severity and also to draw a mitigation plan. |
URL | https://github.com/jovanbulck/0xbadc0de |
Description | Article published in The Register |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | Article published in The Register titled: Intel's SGX cloud-server security defeated by $30 chip, electrical shenanigans |
Year(s) Of Engagement Activity | 2020 |
URL | https://www.theregister.com/2020/11/14/intel_sgx_physical_security/ |
Description | CARDIS conference including CHERI/capability architecture tutorial |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | A CHERI/capability architecture half-day tutorial was successfully held at the CARDIS conference in Nov 2022 (approx. 60 participants), hosted by Oswald in Birmingham. This allowed the project team to introduce capabilities and CHERI/Morello to a broad academic and industrial audience, serving as the project's mid-term evaluation event. Industry attendees included employees from large semiconductor vendors and security companies. |
Year(s) Of Engagement Activity | 2022 |
URL | https://events.cs.bham.ac.uk/cardis2022/ |
Description | CODASIP discussions/visit |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Industry/Business |
Results and Impact | The team invited engineers from CODASIP in Nov for a half-day meeting at the University of Birmingham. This included discussions on possible use of the research outputs in industrial applications, in particular CODASIP's CHERI RISCV cores. Possible follow-up activity will be around forming a KTP or similar. Additional, separate discussions with CODASIP revolved around forming and joining a potential CHERI alliance. |
Year(s) Of Engagement Activity | 2023 |
Description | Cutting Through the Complexity of Reverse Engineering Embedded Devices |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Presentation of our paper "Cutting Through the Complexity of Reverse Engineering Embedded Devices" at the flagship annual Conference on Cryptographic Hardware and Embedded Systems (CHES). |
Year(s) Of Engagement Activity | 2021 |
URL | https://ches.iacr.org/2021/program.php |
Description | Delivered a Talk at HP Labs |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Professional Practitioners |
Results and Impact | Co-I Ryan delivered a tutorial talk at HP Labs 22 October 2020, "Intro to Keystone (an enclave system for RISC-V)" |
Year(s) Of Engagement Activity | 2020 |
Description | Delivered a Talk at Huawei Security Advisory Board |
Form Of Engagement Activity | A formal working group, expert panel or dialogue |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Co-I Ryan delivered a Talk at Huawei Security Advisory Board 27 November 2020, "An overview of hardware security anchors for IoT and embedded applications" |
Year(s) Of Engagement Activity | 2020 |
Description | Help Net Security Article |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | Article published on Help Net Security titled: 'Researchers break Intel SGX by creating $30 device to control CPU voltage' |
Year(s) Of Engagement Activity | 2020 |
URL | https://www.helpnetsecurity.com/2020/11/16/break-intel-sgx/ |
Description | Interviewed for article featured in the Chronicles of Higher Education |
Form Of Engagement Activity | A press release, press conference or response to a media enquiry/interview |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | Changing the perception of offensive cyber research and demonstrating its benefits to industry. |
Year(s) Of Engagement Activity | 2019 |
URL | https://www.chronicle.com/paid-article/Hack-ademics-prepare-us/291 |
Description | Media coverage in New Scientist |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Public/other audiences |
Results and Impact | The New Scientist covered our recent work on CPU under/overvolting through the PMBus. |
Year(s) Of Engagement Activity | 2023 |
URL | https://www.newscientist.com/article/2354844-hackers-can-make-computers-destroy-their-own-chips-with... |
Description | Phoronix Article |
Form Of Engagement Activity | A magazine, newsletter or online publication |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Media (as a channel to the public) |
Results and Impact | Article published online in Phoronix titled 'VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack' |
Year(s) Of Engagement Activity | 2021 |
URL | https://www.phoronix.com/scan.php?page=news_item&px=VoltPillager-HW-Undervolt |
Description | Talk at Blackhat Asia 2023 |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | A talk on our work on new undervolting methods, entitled "PMFault: Voltage Fault Injection on Server Platforms Through the PMBus" was presented at BlackHat Asia in May 2023. |
Year(s) Of Engagement Activity | 2023 |
URL | https://www.blackhat.com/asia-23/briefings/schedule/index.html#pmfault-voltage-fault-injection-on-se... |
Description | Visit and seminar talk at KU Leuven |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Oswald presented the work around software-induced faults on servers at a seminar in the Computer Science department in Leuven. Follow-up discussions led to a new joint research project around DRAM security. |
Year(s) Of Engagement Activity | 2023 |
Description | invited talk at STW'2021 |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | Ryan had an invited talk at STW'2021 (Huawei Security and Technology Workshop, October 2021). |
Year(s) Of Engagement Activity | 2021 |
Description | invited talk at the Shonan seminar |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Ryan gave an invited talk called "Hardware technologies for making privacy violations transparent and accountable" at the Shonan seminar (Japan) on the theme of "Biggest failures in privacy" on 28 Sept. |
Year(s) Of Engagement Activity | 2021 |
Description | invited talk at workshop on the Security of Software / Hardware Interfaces (SILM 2021) |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Garcia gave an invited talk on the hardware attack aspects of our work, "Plundering and Pillaging with Voltage: Software and Hardware-based Fault-injection Attacks against SGX", at the 3rd edition of the workshop on the Security of Software / Hardware Interfaces (SILM 2021), co-located with EuroS&P. |
Year(s) Of Engagement Activity | 2021 |
Description | keynote talk at 14th International Conference on Security for Information Technology and Communications |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Ryan gave a keynote talk at 14th International Conference on Security for Information Technology and Communications |
Year(s) Of Engagement Activity | 2021 |
Description | panel member to "Cyber Security, Fraud & Human Error" (part of a civil servants' conference on public sector cyber security) |
Form Of Engagement Activity | A formal working group, expert panel or dialogue |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Policymakers/politicians |
Results and Impact | Ryan was invited as panel member to "Cyber Security, Fraud & Human Error" (part of a civil servants' conference on public sector cyber security, 300 delegates), December 2021. |
Year(s) Of Engagement Activity | 2021 |
Description | showcase for National Cyber Strategy 2022 |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Industry/Business |
Results and Impact | Oswald and other project members (virtually) attended the National Cyber Strategy 2022 event on Wednesday 15 December. We had prepared a CAP-TEE showcase for the in-person event, but due to the Covid situation the event was moved online at short notice. |
Year(s) Of Engagement Activity | 2021 |
Description | talk at hardwear.io |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Future CAP-TEE / DsbDtech contributions to TEE security and work around hardware undervolting highlighted in Oswald's talks at hardwear.io |
Year(s) Of Engagement Activity | 2021 |
Description | virtual seminar talk at Infineon |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Industry/Business |
Results and Impact | Oswald gave a virtual seminar talk at Infineon, relating to fault injection and the hardware attack aspects of the project. |
Year(s) Of Engagement Activity | 2021 |