How leaky is your device?

Press release issued: 7 October 2015

A new generation of digital devices that will protect consumers from cyber-attacks could be a step closer thanks to a grant of over £1 million from the Engineering and Physical Sciences Research Council (EPSRC) awarded to the University of Bristol for a research project to protect consumers’ sensitive data.

Digital devices, such as smart banking cards or smart phones, are widely used to store private and sensitive data about peoples’ digital lives. However, securing these devices is a major task for the computing industry. The research project by the University’s Cryptography Research Group hopes to address the issue of leakage-related attacks.

Information leakage via side channels is a widely recognised threat to cyber security. In particular small devices are known to leak information through physical channels, i.e. power consumption, electromagnetic radiation, and timing behaviour. In other words, the power consumed by mobile phones can reveal information about the data stored on the phone and attackers can steal this data by managing to capture the leakage. This can ultimately lead to complete security breaches in the form of data recovery.

At present, accounting for leakage requires access to a fully equipped testing lab, and skilled people to conduct side channel experiments. This makes it virtually impossible for the general developers of devices to test their implementations against leakage attacks as these labs are only available to high-end developers, such as those producing chip-and-pin cards.

The aim of the research project is to bring the skill of a testing lab to the desk of a developer of standard consumer devices, without the need for domain specific knowledge. To ensure the success of the project the research group have partnered with a leading developer of compiler toolchains, Embecosm.

Dr Elisabeth Oswald, Reader in Applied Cryptography in the Cryptography Research Group and who is leading the project, said: “Our previous research has shown that in the case of small embedded devices, the nature of the leakages can be appropriately modelled using statistical tools.

“This project's research hypothesis is that one can make meaningful statements about the leakage behaviour of new implementations on such small devices by utilising a priori derived models.”

The researchers hope the project will lead to a new generation of devices that will provide consumers with high-end security in low-end devices, and also protect consumers’ sensitive information. As the world gets even more digital, and attackers become more sophisticated, this is another important step on the arms race between the good guys and the bad guys.

Further information

The EPSRC-funded project ‘Leakage aware design automation (LADA): tools & techniques for software crypto implementations’ will run for four years from 1 January 2016 to 31 December 2019.

About the EPSRC
As the main funding agency for engineering and physical sciences research, our vision is for the UK to be the best place in the world to Research, Discover and Innovate.

By investing £800 million a year in research and postgraduate training, we are building the knowledge and skills base needed to address the scientific and technological challenges facing the nation. Our portfolio covers a vast range of fields from healthcare technologies to structural engineering, manufacturing to mathematics, advanced materials to chemistry. The research we fund has impact across all sectors. It provides a platform for future economic development in the UK and improvements for everyone’s health, lifestyle and culture.

We work collectively with our partners and other Research Councils on issues of common concern via Research Councils UK. www.epsrc.ac.uk