Highlight | 05-01-2018

Two newly-discovered security flaws in computer processors, named Meltdown and Spectre, could allow unauthorised users to gain direct access to the heart of computer systems and steal personal data. The vulnerabilities were discovered by an international research team, in which Graz University of Technology’s Institute of Applied Information Processing and Communications (TU Graz, Austria) played a central role. The EU's European Research Council (ERC) has been supporting this research project since 2016, to the tune of two million euro.

We spoke today with Professor Stefan Mangard, the ERC grantee who led the team at TU Graz involved in the Meltdown and Spectre discovery.

Are our computers safe enough?

The traditional way of designing processors places all the focus on performance and only on performance. We can compare it to cars. In the beginning, cars were just designed to be fast, but today safety is our main concern. However, when it comes to Central Processing Units (CPUs), we buy them because of their speed. In today's environment of increasing attacks on computer systems though, we need to accept security as a major design criterion. I hope the discovery of the Meltdown and Spectre flaws will trigger a new way of thinking about computer design.

And this was the whole motivation for your ERC project?

Indeed. Its main idea is that we need to design computer systems with security in mind from the beginning of the design process. We need basic research to achieve this; we need to start at the very beginning and see how we can bring security into the design of computer systems. The discovery of these flaws confirms our proposal. Actually we were very much surprised to discover these vulnerabilities in our computers and didn't expect it to be so severe. People were rather shocked - we couldn't believe that this is actually happening.

Is this just the tip of the iceberg?

It is likely that there are more security issues. However, they are probably not as large in scale as this one. The reason is the current trade-off between performance and security. So far, all systems were optimised for performance. But each time you optimise a CPU for performance, you potentially optimise against security. There were four research groups, including us at TU Graz, that found Meltdown and Spectre independently. It has been an ongoing process from mid-2017 until today. This research is highly relevant to modern IT challenges and multiple parties are working in this area simultaneously. This is just the start, we opened the door and there is more to come.

Do these security flaws have relevance to the Internet of Things?

There is a huge trend in connecting everything. On the one hand, we have the centres that store all the data and, on the other, the nodes that are in the field and collect the information. Nodes can include smart phones and IT devices in cars. They have become more and more powerful, and they have processors that now can be attacked.

Michael Schwarz, Daniel Gruss, Stefan Mangard and Moritz Lipp from TU Graz, members of ERC-funded Secure Systems Group, who were behind the recent discovery of devastating vulnerabilities in computer processors.

In what way did the ERC funding help develop your research project?

An ERC grant is a great opportunity. It provides funding that gives you a lot of freedom in the research you do. I can hire a large group of people and I don't have to write reports every month. The ERC allows scientists like myself to really focus on our topics, but also to study on an ambitious and broad scale. This makes finding something ground-breaking more likely - you are prepared for a lucky discovery. In this sense the ERC is an enabler for researchers.

Background

Some 120 ERC-funded projects mention the discipline of "cryptography" in their abstract. Some of this work, like that of Professor Elisabeth Oswald of the University of Bristol, also uses the physical properties of devices, power consumption and electromagnetic emanation, to investigate how information leaks. Other projects, such as the project SPOOC, conducted by Steve Kremer from the National Institute for Research in Computer Science and Automatic Control at France's INRIA, study how security protocols could allow us, one day, to perform delicate operations, like electing our political leaders, online. The 2013 Synergy Grant imPACT even analyses the intersection between cybersecurity, law, economics and society to develop tools to raise accountability and trust in the internet. Around 170 million euro have been awarded to ERC projects of this type.

Chart: Distribution of ERC projects that mention "cryptography" in their abstract.

About the ERC

The European Research Council, set up by the European Union in 2007, is the first European funding organisation for excellent frontier research. Every year, it selects and funds the very best, creative researchers of any nationality and age, to run projects based in Europe. The ERC has three core grant schemes: Starting Grants, Consolidator Grants and Advanced Grants. An additional funding scheme, Synergy Grants, was re-launched in 2017.

To date, the ERC has funded over 7,500 top researchers at various stages of their careers, and more than 50,000 postdocs, PhD students and other staff working in their research teams. The ERC has an annual budget of €1.8 billion for the year 2017, which is around 1% of overall spending on research in Europe. With a budget of over €13 billion for the years 2014 to 2020, the ERC is part of the EU research and innovation programme, Horizon 2020, for which European Commissioner Carlos Moedas is responsible. The ERC is led by an independent governing body, the Scientific Council, chaired by the ERC President, Professor Jean-Pierre Bourguignon, since January 2014.
 

More information

    Project: Securing Software against Physical Attacks, SOPHIA

    Grantee: Stefan Mangard 

    Host Institution: Technische Universitaet Graz

    ERC Funding: Consolidator Grant (ERC-2015-CoG)