Device and System Security

Device and system security is of utmost strategic importance to Switzerland. With IT forming the foundation for all key pillars in the society, Switzerland fundamentally relies on commodity devices, systems and/or IT services developed abroad with no verifiable or certifiable evidence of trustworthiness and not open to inspection. Moreover, most modern devices are vulnerable to a plethora of side-channel attacks in hardware due to resource sharing and have been designed with little attention or consideration to security/privacy beyond conventional approaches to program isolation. On the flipside, Switzerland is well-positioned as a promoter of a brand for trustworthiness to pioneer technologies for secure devices and systems that are open to inspection.

In this pillar, we propose to build devices and systems ground up with security and privacy as a contract between software and hardware. Modern approaches to adding ad hoc hardware mechanisms to established vendor CPU’s (e.g., x86, ARM) and patching the software stack to use the mechanisms not only do not address side-channel attacks at a fundamental level but also increase the software complexity which potentially leads to more vulnerability. Moreover, with the slowdown in silicon scaling, the emergence of a spectrum of heterogeneous accelerators in a single device and the move towards decentralized device components with potentially multiple network endpoints, CPU-centric solutions will be less effective.

We will develop software interfaces to hardware components in a device that would guarantee no window of observability for resource sharing with well-defined advertised semantics, which can be used as a building block for building systems and application software that have guaranteed (and verifiable) security properties. Such behaviour can then be inspected and verified in both software and hardware, and can be used to make sure that power and thermal management approaches are compatible with security and privacy constraints imposed by the application target. In the earlier stages of this pillar we will rely on an open-source device ecosystem (e.g., RISC-V) to test the technologies in an IoT environment. IoT devices are emerging as a prevalent substrate in cyber-physical systems with a lower barrier to deployment. These devices also have shallower stacks and software ecosystems allowing for more intrusive co-designed hardware and software solutions for trustworthiness. Moreover, our ground-up technologies (both hardware and software stack) would also be suitable for new accelerator components (in specialized ICs or mapped in reconfigurable hardware as FPGAs) as they emerge in established commodity platforms from mobiles to servers since these architectures are less dependent on the rigid software ecosystem of established CPU’s and similar to IoT’s.

EPFL’s device and system security team has had a long history of pioneering not just hardware and accelerator architectures, but also methodologies for design and verification of integrated silicon devices and operating systems, system software design and co-optimization, and virtualization with a proven track record of technology transfer.

The daily newspaper “Le Temps” interviews the Center for Digital Trust

"Many SMEs are discovering digitalization but are not armed to deal with the threats that accompany this process." The Swiss French-language daily newspaper “Le Temps” interviewed C4DT's executive director, Dr. Olivier Crochat, and academic director, Prof. Jean-Pierre Hubaux, on the mission and ambitions of this new center, based at EPFL,…
News type : Press reviews

Workshop on Security and Privacy of Wearable Devices

A growing number of wearable devices are becoming available. By their ability to measure physical activity and physiological characteristics such as heart rate, blood pressure, sleep patterns, etc., they constitute a cornerstone for the quantified self and personalized health. Yet, unavoidably, they bring a number of challenges in terms of…
News type : News

C4DT Holds First General Assembly

The founding General Assembly of C4DT was held on Friday, 2 November, in presence of the President of EPFL, Martin Vetterli, and of 50 guests. The 12 partners of the Center said they are keen to apply research to their business needs and regulatory requirements, at a time when digitalization…
News type : News