In 2023, the German Research Foundation (DFG) funds a new Emmy Noether group in the field of IT security at Ruhr-Universität Bochum. Dr. Pascal Sasdrich, Chair of Security Engineering/Faculty of Computer Science, is the research group leader. With his project “Computer-Aided Verification of Physical Security Properties”, CAVE for short, he wants to advance the protection of security-critical implementations, such as those used in hardware chips, against physical attacks. Within the Emmy Noether program, CAVE is funded with 1.3 million euros over six years, which qualifies for a university professorship.
In our digital environment, we use numerous objects that contain embedded chips. These hardware elements are now quite small but perform important functions. “To put it simply, a chip encrypts or decrypts data by cryptographic processes”, explains Sasdrich. From EC cards to IoT devices for the smart home: when it comes to sensitive data, users have to trust the technology. It is all the more surprising that many chips are not verifiably secure. That means they cannot withstand all kinds of attacks, Sasdrich says. “Pen-Testing is often done in the commercial world using best practices. If the prototype can withstand the tested attacks, it might be promoted as secure”, Sasdrich said. But there are many ways to attack, and testing exhaustively is often impossible. For example, an attacker can use the power consumption of the chips to infer information about security-critical data. In IT security, this is called a side-channel attack. It could be used to break the encryption of secret information.
Implementation of security in technical components, however, costs time and money - and requires technical expertise. Tasks such as protection against side-channel analysis (SCA) or fault injection analysis (FIA) are sophisticated and error-prone, even with years of experience, Sasdrich said. In contrast, some attacks targeting these chips don't require much effort. This makes them a real threat.
That's why Sasdrich's project aims to develop methods that can be used during the design process to verify components' ability to withstand attacks. They can ease the developers' workload by enabling automated and computer-aided testing even before the prototype is created. These procedures have the potential to increase the security of future developments.
The research group's work rests on two principles. The first is to formalize the attacker models scientifically. By doing so, they can prove the security of their assumptions. The second is to develop tools and programs, based on the formalized attacker models, that can be used during the chip design process.
Initially, Sasdrich's research group will focus on cryptographic functions. The long-term goal, he says, remains to work toward provable security for an entire processor. This would be a valuable contribution by the Bochum scientists to the protection of our sensitive data.
Dr.-Ing. Pascal Sasdrich
Faculty of Computer Science
T.: (+49)(0)234 / 32 - 25734