Open Source Security

Date:
Tuesday 12 February 2019

Time:
7.00pm Refreshments, 7.30pm Talk

Venue:
University of Gloucestershire in Room TC014, ‘Teaching Centre’, The Park Campus, Cheltenham, GL50 2RH.

Speakers:
Dr Daniel Page and Dr Jeremy Bennett

Details:

Joint meeting with the Gloucestershire branch of the IET and supported by the BCS Open Systems Specialist Group

This meeting comprises two talks:

Talk 1: SCARV: a side-channel hardened RISC-V platform

SCARV is an EPSRC funded research project [1], housed at the University of Bristol within the national RISE initiative [2]. At a high level, the remit of SCARV spans computer architecture and cryptography: it aims to harness RISC-V [3] as a way to address challenges in efficient, secure implementation of cryptography.

This talk will cover 2 in-progress directions within SCARV, emphasising their use of and relationship with open source software and hardware.

1. RISC-V is, by design, an easily extensible ISA: it is possible to adapt and/or extend the ISA to suit specific use-cases. We have developed an extension called XCrypto [4], which is intended to support software implementations of cryptography. By using some concrete examples, I will try to illustrate a) the design and implementation of XCrypto, and b) what value the extension provides.

2. Implementation (e.g., side-channel [5]) attacks are a persistent threat to cryptography, particularly in embedded contexts such as IoT; robust security evaluation wrt such attacks is therefore important.

For certain classes of implementation attack, the infrastructure involved can be prohibitive. I will try to outline our goals and progress regarding the development of "lab. free" infrastructure, in part based on the open source SCALE platform [6].

About the speaker:

Dr. Daniel Page, is a Lecturer within the Department of Computer Science, University of Bristol. His current research focuses on challenges in cryptographic engineering and applied cryptography, the implementation (in hardware and/or software) of implementation attacks (e.g., side-channel and fault attacks) on cryptographic primitives and arithmetic in particular.

Talk 2: Open source tools and processes for secure IoT development

Developing secure IoT software requires that good software engineering practices are used, and that an appropriate set of secure coding guidelines are followed. Much of the guidance on writing secure software is in common with that for minimising bugs and defects; however, some tasks (such as memory sanitisation, maintaining side-channel atomicity, etc.) are security-specific and are difficult even for experienced engineers to consistently implement.

The compiler is ideally placed to assist, because almost all code for any device goes through a compiler, which translates the program to binary code to run on the processor. This global view of the software can enable the compiler to detect insecure coding patterns and provide automated support for security-specific tasks.

The Innovate UK funded Security Enhancing Compilation for Use in Real Environments (SECURE) project, which ran from June 2017 - September 2018, has taken the latest academic research in security-specific programming techniques and integrated it within the two most widely used compilers, GCC and LLVM. These freely available tools will not “magically” write secure code - however, they make it much easier for engineers to follow good practice and avoid errors by automating the use of security-specific techniques and processes.

This talk will present the technology and show how it supports secure software development processes by reducing the burden placed on engineers who would otherwise have to manually implement security-specific techniques and inspect code for security issues.

This talk is an extended version of the presentation to the IoTSF Conference in December 2018, which will go into greater technical detail. It presents work carried out by Dr Graham Markall, Simon Cook, Paolo Savini and Craig Blackmore as well as the speaker.

About the speaker:

Dr Jeremy Bennett is Chief Executive of Embecosm, which provides open source compiler development, processor modeling and embedded operating system services to companies worldwide. He is author of the standard textbook “Introduction to Compiling Techniques” (McGraw Hill 1990, 1995, 2003) and serves as Chair of the BCS Open Source Specialist Group