IEEE Computer Symposium – Miami, July 2019

Wolfe Centre

We are delighted to welcome another new guest blogger to contribute to the RISE blog for August 2019. Shichao Yu is a PhD student at Queen’s University Belfast, working in the world class research centre – The Centre for Secure Information Technology (CSIT). Thank you Shichao!

Welcome to Miami – Summer is coming!

Hi, I am Shichao. I am typing this blog shortly after the closing remarks of the IEEE Computer Society Annual Symposium on VLSI in Miami, which was excellent and gave me an amazing conference experience. This was my first time in Miami, and this is the first conference I have attended with a poster paper. I travelled from Belfast to Miami, from north to south, and felt like I had flown from winter into summer when I arrived. If I choose a rainy day as the mark of the climate in Belfast, then Miami’s symbol must be sunshine.

ISVLSI 2019 @ Miami

ISVLSI is an IEEE Computer Society annual symposium with a history of over three decades. It explores emerging trends, novel ideas and basic concepts covering a broad range of VLSI-related topics, including new technologies and burgeoning application areas such as hardware security and artificial intelligence.

This year’s ISVLSI was held at Florida International University, in the Wolfe University Center.

What impressed me is that more than 25% of submissions this year related to system design and security (SDS), and its submission count ranks first among all categories. I can see that the security direction is receiving increasing attention from researchers all over the world.

“Can you trust your machine learning system?”

For Hardware Security, the papers presented in this year’s security session mainly focused on logic obfuscation, side channel susceptibility mitigation, secure zone design on NoC (Network on Chip) and Hardware Trojans. The System Design and Security group covers four sub-sessions in three days and two related special sessions: “Botnet of Things: Hardware Insecurity in the IoT Era” and “Secure, Smart, Connected Devices for Emergent Applications”, which talk about IoT devices and their security problems.

In addition, an enlightening keynote, “Can you trust your machine learning system?”, presented by Professor Sandip Kundu on the second day, really attracted me. This presentation showed the potential security issues of machine learning (ML) and deep learning (DL) at this stage and detailed the possible attack methods. As the Chinese idiom goes, virtue is one foot tall, the devil ten. It always takes constant vigilance to secure new technologies. (That scares me too Shichao!)

Poster Session

The poster session was held in the afternoon of the first day. We had a big ballroom to hang all 30 posters and 4 research demonstrations. The session lasted nearly two hours, which is much more than the scheduled time, with continuous technical discussions and social communication.

The paper I presented on my poster was “An Improved Automatic Hardware Trojan Generation Platform”, which is a new method to generate Hardware Trojans (HTs) using a highly configurable generation platform based on transition probability. (WOW :O – great stuff Shichao! \0/)

I always enjoy the discussion with other researchers. But, as I work in hardware security, I really hope that I explained my poster clearly to the researchers who work on the software side.

Until Next Time Miami 🙂

The three days of ISVLSI went by too quickly and it was super busy. My record is slightly broken, but the great keynotes and presentations are unforgettable. Miami Beach is also beautiful and relaxing.

In the evening of the last day, I took a photo when blue hour made Miami Beach a little tranquil, and said goodbye to this beautiful city. (Good you got to check out the sandy beaches 🙂 BTW where is our present?? 😀 )

Miami Beach front @ dusk

End-to-End IoT Security

Our July blog post has been written by one of our Industrial Stakeholders Advisory Board (ISAB) members. A special thanks from RISE to Ilhan Gurel from Ericsson for contributing this best practice advice. Ilhan is a HW and SW security expert at Ericsson.

“Security baked in at every layer, not later”

Securing the entire end-to-end IoT chain covers securing IoT devices, backends and everything in between, as well as the life cycle from manufacturing and deployment to disposal.

Every component in this chain may have different attack surfaces and different adversaries, and may be managed by different entities. It is also important to note that securing IoT devices and their backends is not an easy task and depends on operational environments, deployment models, use cases, adversaries, assets to protect and costs. Whatever these are, there must be an adequate level of security baked into every layer and component from the very beginning (e.g. the design phase), not added later.

The IoT Recipe for Security

Securing the end-to-end IoT chain starts with security threat modeling and risk assessment. This is a crucial phase for identifying security threats, mitigations and security requirements. It then requires the following ingredients when and where applicable:

  • Hardware (HW) and Software (SW) supply chain security:
    • vulnerability and incident management
    • HW and SW components free of trojans/malware
    • keeping track of 3rd party HW & SW components and their origins
  • HW Security:
    • secure boot
    • TRNG
    • secure storage
    • HW based RoT (Root of Trust)
    • HW based security features to mitigate ROP/JOP like attacks
    • HW based crypto modules
    • HW (and SW) based mitigations for side channel attacks if applicable
  • SW Security:
    • security hardening of OS and applications
    • minimal OS (including disabling/removing insecure services/components)
    • sandboxing
    • least privileged processes
    • code signing
    • access control
    • secure SW development
    • auditing and logging
  • Trusted identities:
    • unclonable
    • unique
    • cryptographically random and strong enough during the lifetime of devices
    • generating, provisioning and storing identities securely
  • Life Cycle & Device Management:
    • secure SW updates
    • remote attestation
    • secure disposal of user and device data
  • Anomaly detection:
    • on device and at network level
  • Identity Management:
    • managing identity life cycles
    • revocations
    • renewals
    • bootstrapping
    • integration with PKI systems
  • Secure communication:
    • data confidentiality, integrity and origin in transit
    • the use of strong ciphers and mutual authentication
    • the use of secure protocols e.g. TLS/DTLS according to the best security practices as defined in RFC 7925, RFC 7525 and RFC 7540
    • the use of TLS 1.3 when and where possible. TLS 1.3, as standardized in RFC 8446, has significant security and privacy improvements compared to TLS 1.2
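
To make the "Secure communication" items concrete, here is an added example (not part of the original post, and not Ericsson code) using Python's standard `ssl` module: it builds a mutually authenticated context that prefers TLS 1.3 and permits TLS 1.2 only with forward-secret AEAD suites, then audits any context against those rules. The names `build_context` and `audit_context`, and the certificate file parameters, are assumptions made for illustration.

```python
import ssl

# TLS 1.2 fallback: forward-secret key exchange with AEAD ciphers only.
AEAD_TLS12 = "ECDHE+AESGCM:ECDHE+CHACHA20"

def build_context(server_side, ca_file=None, cert_file=None, key_file=None,
                  allow_tls12=True):
    """Mutually authenticated TLS context for a device (client) or backend (server)."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = (ssl.TLSVersion.TLSv1_2 if allow_tls12
                           else ssl.TLSVersion.TLSv1_3)
    ctx.set_ciphers(AEAD_TLS12)          # TLS 1.3 suites stay enabled regardless
    ctx.verify_mode = ssl.CERT_REQUIRED  # on a server this demands a client cert
    if ca_file:                          # hypothetical paths supplied by the caller
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def audit_context(ctx, server_side):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol below TLS 1.2 allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not server_side and not ctx.check_hostname:
        findings.append("hostname not checked")
    weak = [c["name"] for c in ctx.get_ciphers() if not c.get("aead")]
    if weak:
        findings.append("non-AEAD suites enabled: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    # A bare server context does not ask for a client certificate.
    print(audit_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), True))
    print(audit_context(build_context(server_side=True), True))
```

A server context created without further settings accepts unauthenticated clients, which is the gap the "mutual authentication" item is meant to close.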

How to measure security?

Connectivity also plays a crucial role with respect to high availability, battery life, reliable communication, data transmission rates (e.g. important for SW updates and rapid patching) and built-in security.

Then an important question remains: how to measure security? In-house and independent security audits and reviews, as well as security certifications, are all relevant and may be one of the answers.

Securing the end-to-end IoT chain is not an easy task, but it is achievable. It requires all the ingredients mentioned above when and where applicable and, most importantly, security awareness among end users, device owners, manufacturers, platform and service providers, HW and SW developers, and more.