RISE Embarks on Phase 2 – Addressing Semiconductor Security Challenges

NCSC has approved funding for RISE Phase 2 from 2023-2026, which is hosted under Professor Máire O’Neill at the Centre for Secure information Technology (CSIT), Queen’s University Belfast. 3 new RISE research projects have been funded by EPSRC, bolstering hardware & embedded systems security research.

The National Cyber Security Centre (NCSC) – a part of GCHQ – has approved funding for RISE Phase 2 from 2023-2026, which is hosted under Professor Máire O’Neill at the Centre for Secure Information Technologies (CSIT), Queen’s University Belfast. Three new RISE research projects have also been funded by the Engineering and Physical Sciences Research Council (EPSRC), bolstering hardware and embedded systems security research, innovation, and industry partnerships.

RISE aims to establish itself as a global hub for research and innovation in hardware security, and as part of phase 2, will have a focus on addressing crucial issues in semiconductor security. The institute’s strategy approach includes fostering close engagement with leading industry partners and stakeholders both within the UK and internationally, with a strong focus on translating research outcomes into practical products, services, and business opportunities to bolster the UK economy.

With the publication of the UK’s National Semiconductor Strategy in May 2023, a key focus of which is to build on our hardware strengths to improve cyber security and ensure that ‘cyber security is considered, and more widely prioritised, at the design stage of chips’, RISE stands poised to contribute significantly, enhancing the UK’s international research standing while augmenting economic competitiveness.

Professor Máire O’Neill summarises the key outcomes of the first phase: “We have made excellent progress across our funded research projects, we kicked-off an international collaboration between the core RISE partners and NTU and NUS in Singapore and launched a UK competition targeting final year UG/MSc students, sponsored by ARM, to help stimulate the next generation of UK hardware security experts.”

Significant research outputs to date include:

  • Plundervolt – an attack developed as part of the University of Birmingham funded project which exploited vulnerabilities with Intel’s Software Guard Extensions, leading to errors that could leak secret information such as encryption keys.
  • Thunderclap – research by the University of Cambridge team that identified vulnerabilities with USB and Thunderbolt interface standards, and which provided security recommendations for hardening systems that were incorporated into the USB 4 standard.
  • An Apple Pay vulnerability discovered by the University of Surrey’s RISE project which showed that Apple Pay in Express Transit mode if used with a Visa card could be abused to make an Apple Pay payment to any shop terminal, of any value, without the need for user authentication.
  • A Queen’s University Belfast project led to the first deep-learning based automated Hardware Trojan (HT) detection system based on gate-level netlists to effectively detect HTs without any pre-knowledge of the circuits. HTs are malicious modifications of integrated circuits.
  • A trusted FPGA environment developed by the University of Manchester team that solves two problems; firstly, it uses their FPGADefender virus scanner to help a cloud service provider (CSP) ensure a user bitstream is not malicious, and secondly, it ensures user IP protection by configuring an FPGA only with encrypted configuration bitstreams.

Phase 2 will involve annual RISE conferences; spring/summer schools; early career researcher training and innovation workshops; a UK/US Workshop on Semiconductor Security; and a UK-wide Training Roadshow. Aligned funding from EPSRC supports three new research projects addressing Trustworthy Deep-Learning based Hardware Trojan Detection at Queen’s University Belfast, Securing and Analysing Trusted Execution Beyond the CPU at the Universities of Southampton and Birmingham, and Securing composable hardware platforms at the University of Manchester.

Professor Máire O’Neill emphasizes, “RISE will continue to play its part in conducting research that addresses security throughout a device’s lifecycle, from the initial design and manufacture through to its operational environment. We will also continue to grow the skillsets and community in the UK in this strategically important area.”

Is Engineering Significant Difference the Key to Enhanced Cybersecurity?

A lively conversation about whether “Engineering Significant Difference” is the key to enhanced cybersecurity.

Contributors:

Peter Davies, Security Expert operating at the convergence of Safety and Security.
An honorary Fellow with Imperial College’s Institute for Security Science & Technology and chair of the AESIN Security Workstream. He is a leading expert on Countering Cyber Attacks targeted Supply Chain infiltration and Cyber Physical Attacks. He has led the Cyber Security aspects of 3 C-CAV research activities and has 30+ years of verifying security systems in hardware and software. Peter likes to say that he does security where it can’t afford to fail. 

Professor Kerstin Eder, University of Bristol, who researches research specification, verification and analysis techniques, allowing engineers to design a system and verify/explore its behaviour in terms of functional correctness, safety, performance, power consumption and energy efficiency. Her work includes both formal methods and traditional simulation-based approaches. She has a strong background in computational logic, especially formal verification, declarative programming languages and their implentation, abstract machines, compilation techniques and meta programming.

Dr Weiqiang Liu is currently a full Professor and the Vice Dean of College of Electronic and Information Engineering, Nanjing University of Aeronautics and Astronautics (NUAA), Nanjing, China. He received the B.Sc. degree in Information Engineering from NUAA and the Ph.D. degree in Electronic Engineering from Queen’s University Belfast (QUB), Belfast, United Kingdom, in 2006 and 2012, respectively.

Dr Daniel Page is currently a Senior Lecturer within the Department of Computer Science, University of Bristol. His current research focuses on challenges in cryptographic engineering, the implementation (in hardware and/or software) of and implementation attacks (relating to both side-channel and fault attacks) on cryptographic primitives and arithmetic in particular. 

Dr. Chongyan Gu is a Lecturer in the School of Electronic Electrical Engineering and Computer Science (EEECS) at Queen’s University Belfast, and a member of the Centre for Secure Information Technologies (CSIT) within Queen’s Global Research Institute of Electronics, Communications & Information Technology (ECIT). Her research focuses on developing advanced hardware security methodologies for enhancing the robustness, reliability, resource efficiency and resilience of hardware devices. 

PhD Studentship Opportunities at Queen’s University Belfast

The Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast is seeking motivated PhD students to work on the following research topics:

For further information and how to apply, please visit the QUB website for PhD study

All the Pieces (Alma) Matter – the ramblings of the RISE rookie

As a former QUB alumni, I am very excited to join my Alma Matter down at ECIT as Business Development Manager for RISE (you will get plenty of abbreviations in this post)!

RISE is the Research Institute for Securing Hardware and Embedded Systems with the aim to bring together industry and academia to make our more secure, in the world of connected everything (IoT).

I first heard the term “Internet of Things” in late 2012 when I was chatting to some security researchers (really smart people who wear white lab coats, brown sandals and Megadeath t-shirts) in a previous job. The reason for my meeting with them was to get a better understanding of Botnets, as we were launching a new Botnet detection and remediation product in early 2013, so I wanted some context about the threat landscape.

Ever since then, I have had an insatiable interest in IoT and view “smart” devices with equal helpings of fascination and suspicion. As consumers we have the currently have the choice to buy a smart device, or not. In time, this choice will recede and the new fridge we buy will be connected whether we like it, or not. I won’t get into the data security and privacy arguments, let alone who actually owns the ‘data’ that these connected devices collect in this blog, so may return to this topic later.

We are living through this new wave of technological revolution and sincerely, I hope that we learn from our mistakes when computers went online.

ETSI announed earlier this year, a new Consumer Code of Pratice, (TS 103 645) which is great for ordinary people. Secion 4.1, ‘No universal default passwords’ is great advice for manufacturers since weak passwords is a major cause for devices being compromised.

And in case you didn’t know, ECIT is the Institute for Electronics, Communications and Information Technology and is located at Catalyst Inc., formerly the Northern Ireland Science Park. ECIT was one of the first ‘new’ buildings with staff moving in here back in 2004; I say new, as we are right beside the Titanic Pump house which is over 100 years old. Here the infamous steam liner was fitted and kitted out before setting sail on that fateful voyage, its last touch point with the port of Belfast. Just beside the Pump House is HMS Caroline, the only surviving war ship from the brutal battle of Jutland in 1916.

Don’t worry, this isn’t a tourist post for Belfast and I promise to move on now, but as a history graduate, I do appreciate the local landmarks.

Not only do we have a view of local history from our office, we also work with many beautiful minds at ECIT/CSIT, with experts drawn from all over the world. It is an absolute privilege to work with true global experts in cyber security.

So we are surrounded by history, a proud history of Belfast with a city that is transforming with technology leading the way, from cyber security, to Fin-Tech to other local tech start-ups. Thousands of jobs have been created in this part of Belfast and many more are due to come in thanks to the great work done by Invest NI, Foreign Direct Investment (FDI) and CSIT in recent years. Belfast has a reputation for world class cyber security research and it is bringing well paid jobs to the city.

I look forward to building engagement between multiple parties and taking the RISE brand with our university partners, Cambridge, Bristol, Birmingham, Manchester and Edinburgh to the wider UK ecosystem.

The title of this blog is a play on words from a famous quote from the TV show, the Wire (my favourite show of all time) uttered by Veteran Baltimore Police Detective, Lester Freamon at the start of the special undercover detail they are working on. The full quote was actually:

 We’re building something here, detective. We’re building it from scratch. All the pieces matter.

Thankfully, I don’t have to start from scratch with RISE as Lester Freamon did, the multi-institutional research centre has been running for 18 months already. But all the pieces do matter, as in the Internet of Things world, one device or system with poor or no security in-built, will cause problems for every user. Sadly, this is inevitable and we have already seen IoT Botnets that have infected gadgets from your home router, to IP cameras to smart locks.

Therefore, we will continue to build the RISE brand, establish engagement and forge connections between the academics and the creators of our new and soon-to-be-used gadgets.  

We are here to help, securing hardware and embedded systems and securing ALL the pieces that matter.

Ed