RISE Embarks on Phase 2 – Addressing Semiconductor Security Challenges

NCSC has approved funding for RISE Phase 2 from 2023-2026, which is hosted under Professor Máire O’Neill at the Centre for Secure Information Technologies (CSIT), Queen’s University Belfast. Three new RISE research projects have been funded by EPSRC, bolstering hardware & embedded systems security research.

The National Cyber Security Centre (NCSC) – a part of GCHQ – has approved funding for RISE Phase 2 from 2023-2026, which is hosted under Professor Máire O’Neill at the Centre for Secure Information Technologies (CSIT), Queen’s University Belfast. Three new RISE research projects have also been funded by the Engineering and Physical Sciences Research Council (EPSRC), bolstering hardware and embedded systems security research, innovation, and industry partnerships.

RISE aims to establish itself as a global hub for research and innovation in hardware security and, as part of Phase 2, will focus on addressing crucial issues in semiconductor security. The institute’s strategic approach includes fostering close engagement with leading industry partners and stakeholders both within the UK and internationally, with a strong focus on translating research outcomes into practical products, services, and business opportunities to bolster the UK economy.

With the publication of the UK’s National Semiconductor Strategy in May 2023, a key focus of which is to build on our hardware strengths to improve cyber security and ensure that ‘cyber security is considered, and more widely prioritised, at the design stage of chips’, RISE stands poised to contribute significantly, enhancing the UK’s international research standing while augmenting economic competitiveness.

Professor Máire O’Neill summarises the key outcomes of the first phase: “We have made excellent progress across our funded research projects, we kicked off an international collaboration between the core RISE partners and NTU and NUS in Singapore and launched a UK competition targeting final year UG/MSc students, sponsored by ARM, to help stimulate the next generation of UK hardware security experts.”

Significant research outputs to date include:

  • Plundervolt – an attack developed as part of the University of Birmingham funded project which exploited vulnerabilities with Intel’s Software Guard Extensions, leading to errors that could leak secret information such as encryption keys.
  • Thunderclap – research by the University of Cambridge team that identified vulnerabilities with USB and Thunderbolt interface standards, and which provided security recommendations for hardening systems that were incorporated into the USB 4 standard.
  • An Apple Pay vulnerability discovered by the University of Surrey’s RISE project, which showed that Apple Pay in Express Transit mode, if used with a Visa card, could be abused to make an Apple Pay payment to any shop terminal, of any value, without the need for user authentication.
  • A Queen’s University Belfast project led to the first deep-learning based automated Hardware Trojan (HT) detection system based on gate-level netlists to effectively detect HTs without any pre-knowledge of the circuits. HTs are malicious modifications of integrated circuits.
  • A trusted FPGA environment developed by the University of Manchester team that solves two problems: firstly, it uses their FPGADefender virus scanner to help a cloud service provider (CSP) ensure a user bitstream is not malicious, and secondly, it ensures user IP protection by configuring an FPGA only with encrypted configuration bitstreams.

Phase 2 will involve annual RISE conferences; spring/summer schools; early career researcher training and innovation workshops; a UK/US Workshop on Semiconductor Security; and a UK-wide Training Roadshow. Aligned funding from EPSRC supports three new research projects addressing Trustworthy Deep-Learning based Hardware Trojan Detection at Queen’s University Belfast, Securing and Analysing Trusted Execution Beyond the CPU at the Universities of Southampton and Birmingham, and Securing composable hardware platforms at the University of Manchester.

Professor Máire O’Neill emphasizes, “RISE will continue to play its part in conducting research that addresses security throughout a device’s lifecycle, from the initial design and manufacture through to its operational environment. We will also continue to grow the skillsets and community in the UK in this strategically important area.”

RISE @ ETSI Security Week 2019

Nice Promenade

Nice to be in Nice

That is an obvious and cheap play on words for the popular South of France destination and a joke I made back in 2016 during the European Championships, but one worth re-cycling for a new audience…

RISE was invited to speak at ETSI Security Week (last week), and we gave an update on hardware security, including the latest R&D from the RISE researchers.

I have to be honest with you, readers: I can think of worse places to be sent away on business in late June than Nice. If there is any consolation for the readers, we were cooped up in a conference room that was just about underground, with questionable air-con and far away from the beaches of the French resort.


EDSI @ ETSI Security Week

ETSI stands for the European Telecommunications Standards Institute. It is a not-for-profit and one of only three bodies officially recognized by the EU as a European Standards Organization. Essentially, the Standards people. The ETSI HQ is a short drive from Nice, in Sophia Antipolis.

Tucked away in some very picturesque French hills, Sophia Antipolis, the ‘French Silicon Valley’, is celebrating its fiftieth anniversary this year.

ETSI hosts multiple events each year, and Security Week hosts a couple of hundred people across 5 days, each year in late June. ETSI was established in 1992 and this Security Week was number 13. The great and the good from all over the globe were on site to debate and discuss all things policy related, AI, 5G, IoT and cryptography. To give you an idea of the calibre of people there, two introductions were “The 3GPP Godfather” and “the Godfather of 3G”; both experts in their field.

RISE gave an update on each of the 8 projects that are now in-life, focusing on hardware security, more specifically on the threat of hardware Trojans and side-channel attacks, and I am delighted to report that we had interest from some major global brands about collaboration moving forward. This can only be good news for UK (and wider afield) consumers.

Les Standards > Les Algorithms (ETSI & IoT)

Earlier this year, ETSI announced a new Technical Specification (TS) for Cyber Security in Consumer IoT – TS 103 645 to be precise, the first globally applicable industry standard for consumer IoT security. This industry standard builds on the Code of Practice from DCMS, but has been designed to work for European and wider global needs. The standard is set to inform, at home and abroad, the development of regulation and industry-led certification schemes. For businesses with an international supply chain and customer base, the standard provides an avenue to pursue a harmonised approach to implementing good security practice for their products. This TS will move to become a European Standard, telecommunications series (EN), and legislation is also looming on the horizon in the UK.

Days 4 & 5 (RISE spoke on Day 5)

What does the ‘S’ stand for in IoT?

This is a good idea. I remember being at CES in 2014 & 2015. In 2014, IoT had just become mainstream, one of the new hype technologies at CES that year, but nobody was talking about security. Thankfully, 12 months later, industry was more aware of the threat landscape about ‘everything being connected’, therefore vulnerable to a range of cyber-attacks, not least botnets. However, industry wanted to promote self-regulation, which still made me concerned for the future of IoT and consumer adoption.

As consumers, we still have the choice to buy a smart gadget, or not. My preference is to avoid smart gadgets where possible. And it isn’t just the security aspects that concern me; privacy is another major aspect around the IoT, not to mention technological obsolescence.

Fast forward to 2019, here we are with international standards and legislation imminent in the UK around basic consumer IoT security measures. The community is working together to bring more secure IoT products and services to market, meaning the things we use and need will be secure by design.

Good job, ETSI et al. (DCMS, NCSC and the State of California).

Regards from the RISE (EDSI) Rookie